I have been sifting through nginx error logs and have noticed the following message several times:
[warn] 782#782: "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org" in the certificate "/etc/letsencrypt/live/<domain>/fullchain.pem"
I have been testing OCSP stapling both manually and automatically (using Qualys SSL Labs) and verified for myself that OCSP works. Here is my SSL configuration for nginx:
gzip off;
ssl_certificate /etc/letsencrypt/live/<domain>/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/<domain>/privkey.pem;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/<domain>/chain.pem;
This message only appeared 10 times in the logs in the past 4 days. I guess it might be due to the fact that I haven’t specified a DNS resolver in my configuration, but I can’t verify this hypothesis since it is hard to reproduce this issue. Any thoughts or pointers on this? Your help is very much appreciated!
For reference: I have used the webroot plugin to obtain a certificate. I use the latest version of certbot (0.21.1) on Ubuntu 17.10 x64.
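An added example, not part of the original post: a small Python script that pulls the `"ssl_stapling" ignored` warnings out of an nginx error log and lists when they occurred, so the timestamps of an intermittent warning like this one can be compared with other events on the host such as nginx reloads or certificate renewals. The sample log lines, their timestamps and PIDs, and the `example.org` path are constructed; the function names are hypothetical.

```python
import re
from collections import Counter

# nginx error_log line: "YYYY/MM/DD HH:MM:SS [level] pid#tid: message"
STAPLING_WARN = re.compile(
    r'^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'\[warn\] (?P<pid>\d+)#\d+: "ssl_stapling" ignored, '
    r'(?P<reason>.+?) in OCSP responder "(?P<responder>[^"]+)" '
    r'in the certificate "(?P<cert>[^"]+)"'
)

# Constructed sample lines (timestamps, PIDs and example.org are made up).
SAMPLE_LOG = """\
2018/02/10 03:14:07 [warn] 782#782: "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org" in the certificate "/etc/letsencrypt/live/example.org/fullchain.pem"
2018/02/10 09:30:12 [error] 790#790: *41 open() "/var/www/html/favicon.ico" failed (2: No such file or directory)
2018/02/12 03:14:09 [warn] 1311#1311: "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org" in the certificate "/etc/letsencrypt/live/example.org/fullchain.pem"
2018/02/12 03:14:09 [notice] 1311#1311: signal process started
"""


def stapling_warnings(lines):
    """Yield one dict per '"ssl_stapling" ignored' warning found in lines."""
    for line in lines:
        m = STAPLING_WARN.match(line)
        if m:
            yield m.groupdict()


def summarize(lines):
    """Count warnings per (date, responder, reason) and list the exact times."""
    hits = list(stapling_warnings(lines))
    per_day = Counter((h["date"], h["responder"], h["reason"]) for h in hits)
    times = [f'{h["date"]} {h["time"]}' for h in hits]
    return per_day, times


if __name__ == "__main__":
    per_day, times = summarize(SAMPLE_LOG.splitlines())
    for (date, responder, reason), n in sorted(per_day.items()):
        print(f"{date}  {n}x  {responder}: {reason}")
    print("timestamps to compare with other host events:", ", ".join(times))
```

To run it against a real log, pass the open file object to `summarize()` in place of the sample lines.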