I need help: I tried changing the syntax of my nginx config to activate OCSP, but it failed.
Any suggestion?
OS: Linux Server 4.15.0-50-generic #54-Ubuntu SMP Mon May 6 18:46:08 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
IPv6 is disabled (sysctl) and not configured on the Ethernet interface.
DNS: OpenNIC (also tried other DNS: cloudflared, Google, OpenDNS)
My IP (IPv4) is dynamic, from my ISP MEO.
Nginx version: nginx/1.14.0 (Ubuntu):
ssl.conf
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384';
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
ssl_stapling on;
ssl_stapling_verify on;
ssl_stapling_responder http://ocsp.int-x3.letsencrypt.org;
nginx.conf
resolver 127.0.0.1 valid=300s ipv6=off;
resolver_timeout 5s;
Test with curl:
curl -6 -I ocsp.int-x3.letsencrypt.org
curl: (7) Couldn't connect to server
curl -4 -I ocsp.int-x3.letsencrypt.org
HTTP/1.1 200 OK
Server: nginx
Content-Length: 0
Cache-Control: max-age=29927
Expires: Fri, 24 May 2019 20:22:12 GMT
Date: Fri, 24 May 2019 12:03:25 GMT
Connection: keep-alive
nginx error.log:
2019/05/24 11:37:17 [debug] 30963#30963: ssl ocsp request
2019/05/24 11:37:17 [debug] 30963#30963: ssl ocsp request length 116, escape 7
2019/05/24 11:37:17 [debug] 30963#30963: resolve: "ocsp.int-x3.letsencrypt.org"
2019/05/24 11:37:17 [debug] 30963#30963: resolve: "ocsp.int-x3.letsencrypt.org" A 56272
2019/05/24 11:37:17 [debug] 30963#30963: resolver qs:ocsp.int-x3.letsencrypt.org
2019/05/24 11:37:17 [debug] 30963#30963: ssl ocsp resolve handler
2019/05/24 11:37:17 [debug] 30963#30963: ssl ocsp connect
2019/05/24 11:37:17 [debug] 30963#30963: ssl ocsp connect peer done
2019/05/24 11:37:17 [debug] 30963#30963: ssl ocsp write handler
2019/05/24 11:37:17 [debug] 30963#30963: ssl ocsp read handler
2019/05/24 11:37:17 [debug] 30963#30963: ssl ocsp process status line
2019/05/24 11:37:17 [debug] 30963#30963: ssl ocsp status 200 "200 OK"
2019/05/24 11:37:17 [debug] 30963#30963: ssl ocsp process headers
2019/05/24 11:37:17 [debug] 30963#30963: ssl ocsp header "Server: nginx"
2019/05/24 11:37:17 [debug] 30963#30963: ssl ocsp header "Content-Type: application/ocsp-response"
2019/05/24 11:37:17 [debug] 30963#30963: ssl ocsp header "Content-Length: 527"
2019/05/24 11:37:17 [debug] 30963#30963: ssl ocsp header "ETag: "1189631915F31866D2B3DB78008037E7C3BCE097629A332A7A93642F9C44572C""
2019/05/24 11:37:17 [debug] 30963#30963: ssl ocsp header "Last-Modified: Wed, 22 May 2019 14:00:00 UTC"
2019/05/24 11:37:17 [debug] 30963#30963: ssl ocsp header "Cache-Control: public, no-transform, must-revalidate, max-age=15881"
2019/05/24 11:37:17 [debug] 30963#30963: ssl ocsp header "Expires: Fri, 24 May 2019 15:01:58 GMT"
2019/05/24 11:37:17 [debug] 30963#30963: ssl ocsp header "Date: Fri, 24 May 2019 10:37:17 GMT"
2019/05/24 11:37:17 [debug] 30963#30963: ssl ocsp header "Connection: close"
2019/05/24 11:37:17 [debug] 30963#30963: ssl ocsp process body
2019/05/24 11:37:17 [debug] 30963#30963: ssl ocsp dummy handler
2019/05/24 11:38:17 [debug] 30963#30963: ssl ocsp read handler
2019/05/24 11:38:17 [error] 30963#30963: OCSP responder timed out (110: Connection timed out) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 95.101.72.151:80, certificate: "/etc/letsencrypt/live/domian/fullchain.pem"
2019/05/24 11:38:17 [debug] 30963#30963: ssl ocsp error
2019/05/24 11:38:17 [debug] 30963#30963: ssl ocsp done
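The debug log above already tells a fairly precise story: the name resolved, the TCP connect to the responder succeeded, a 200 status and a full header block (announcing a 527-byte `application/ocsp-response` body) came back, and then nothing more arrived for 60 seconds until nginx gave up. The following script is an added example, not code from the poster or from nginx; it parses nginx's `ssl ocsp` debug lines and reports the stage at which the exchange stalled, so that a DNS failure, a connect failure and a "headers but no body" stall can be told apart at a glance. The sample log embedded in it is constructed from a trimmed copy of the lines in the post.

```python
"""Summarise an nginx OCSP-stapling exchange from its debug/error log lines.

Added example for the post above. SAMPLE_LOG is a constructed, trimmed copy of
the poster's log so the script runs offline; point summarize_ocsp() at a real
error.log (with `error_log ... debug;`) to analyse a live instance.
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
2019/05/24 11:37:17 [debug] 30963#30963: ssl ocsp request
2019/05/24 11:37:17 [debug] 30963#30963: resolve: "ocsp.int-x3.letsencrypt.org"
2019/05/24 11:37:17 [debug] 30963#30963: ssl ocsp connect
2019/05/24 11:37:17 [debug] 30963#30963: ssl ocsp connect peer done
2019/05/24 11:37:17 [debug] 30963#30963: ssl ocsp write handler
2019/05/24 11:37:17 [debug] 30963#30963: ssl ocsp read handler
2019/05/24 11:37:17 [debug] 30963#30963: ssl ocsp process status line
2019/05/24 11:37:17 [debug] 30963#30963: ssl ocsp status 200 "200 OK"
2019/05/24 11:37:17 [debug] 30963#30963: ssl ocsp process headers
2019/05/24 11:37:17 [debug] 30963#30963: ssl ocsp header "Content-Type: application/ocsp-response"
2019/05/24 11:37:17 [debug] 30963#30963: ssl ocsp header "Content-Length: 527"
2019/05/24 11:37:17 [debug] 30963#30963: ssl ocsp header "ETag: "1189631915F31866D2B3DB78008037E7C3BCE097629A332A7A93642F9C44572C""
2019/05/24 11:37:17 [debug] 30963#30963: ssl ocsp header "Connection: close"
2019/05/24 11:37:17 [debug] 30963#30963: ssl ocsp process body
2019/05/24 11:37:17 [debug] 30963#30963: ssl ocsp dummy handler
2019/05/24 11:38:17 [debug] 30963#30963: ssl ocsp read handler
2019/05/24 11:38:17 [error] 30963#30963: OCSP responder timed out (110: Connection timed out) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 95.101.72.151:80, certificate: "/etc/letsencrypt/live/domian/fullchain.pem"
2019/05/24 11:38:17 [debug] 30963#30963: ssl ocsp error
2019/05/24 11:38:17 [debug] 30963#30963: ssl ocsp done
"""

# One nginx log line: timestamp, level, "pid#tid: " and the message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"(?P<pid>\d+)#\d+: (?P<msg>.*)$"
)
HEADER_RE = re.compile(r'^ssl ocsp header "(?P<hdr>.*)"$')  # greedy: ETag has nested quotes
STATUS_RE = re.compile(r"^ssl ocsp status (?P<code>\d+) ")
STAGE_RE = re.compile(r"^ssl ocsp process (?P<stage>status line|headers|body)$")
ERROR_RE = re.compile(
    r"^(?P<err>OCSP responder .*?) while requesting certificate status, "
    r"responder: (?P<responder>[^,]+), peer: (?P<peer>[^,]+),"
)


def parse_ts(text):
    return datetime.strptime(text, "%Y/%m/%d %H:%M:%S")


def summarize_ocsp(log_text):
    """Walk the log in order and record how far the OCSP exchange got."""
    summary = {
        "pid": None, "http_status": None, "headers": {},
        "stage_reached": None, "stage_ts": None, "stall_seconds": None,
        "error": None, "responder": None, "peer": None,
    }
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = parse_ts(m.group("ts")), m.group("msg")
        if m.group("level") == "error":
            e = ERROR_RE.match(msg)
            if e:
                summary["error"] = e.group("err")
                summary["responder"] = e.group("responder")
                summary["peer"] = e.group("peer")
                if summary["stage_ts"] is not None:
                    # how long nginx waited in the last stage before giving up
                    summary["stall_seconds"] = (ts - summary["stage_ts"]).total_seconds()
            continue
        if not msg.startswith("ssl ocsp"):
            continue
        summary["pid"] = int(m.group("pid"))
        if (s := STATUS_RE.match(msg)):
            summary["http_status"] = int(s.group("code"))
        elif (h := HEADER_RE.match(msg)):
            name, _, value = h.group("hdr").partition(": ")
            summary["headers"][name.lower()] = value
        elif (st := STAGE_RE.match(msg)):
            summary["stage_reached"], summary["stage_ts"] = st.group("stage"), ts
    return summary


def diagnose(summary):
    """One-line reading of where the exchange failed, derived only from the log."""
    if summary["error"] is None:
        return "no OCSP error recorded"
    if summary["http_status"] is None:
        return "no HTTP status received: failure is at DNS or TCP level, before any response"
    if summary["stage_reached"] == "body":
        want = summary["headers"].get("content-length", "?")
        return (f"responder {summary['responder']} ({summary['peer']}) answered HTTP "
                f"{summary['http_status']} and announced a {want}-byte body, but the body "
                f"did not complete within {summary['stall_seconds']:.0f}s: resolution and "
                f"TCP connect worked, the data path after the headers did not")
    return f"stalled while reading {summary['stage_reached']}"


if __name__ == "__main__":
    result = summarize_ocsp(SAMPLE_LOG)
    print(diagnose(result))
```

Run against the sample it reports a "headers received, body never completed" stall of 60 s, which rules out the DNS and IPv6 angles the post is chasing (the `resolve:` and `connect peer done` lines prove both worked) and narrows the problem to whatever sits between nginx and `95.101.72.151:80` after the connection is up. Whether clients are actually receiving a staple can be checked independently with `openssl s_client -connect <host>:443 -status`, which prints the stapled OCSP response (or reports that none was sent).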