OS: CentOS 7.2
Webserver: Nginx 1.11.4
Hi LE community, I’m seeing a very weird issue with OCSP stapling enabled. I’m running a local DNS server (unbound) to cache DNS queries. Unbound forwards these queries if they haven’t been cached yet. I used to forward them to the Google DNS (126.96.36.199/188.8.131.52) but recently switched to OpenDNS. The OCSP resolver in the nginx configuration is obviously set to 127.0.0.1. This is the nginx OCSP configuration part:
# OCSP
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/certs/ca-bundle.crt;
resolver 127.0.0.1 [::1] valid=300s;
resolver_timeout 5s;
After setting the OpenDNS IPs in /etc/unbound/unbound.conf I ran nginx -t at some point. This gave me the following error:
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org/"
I noticed that this issue occurs when I use OpenDNS to forward queries. Changing back to Google to forward queries and restarting unbound solves this problem. But that’s not what I want. I want to use OpenDNS AND OCSP stapling.
Can someone help me with this? I have tried to find out what’s the problem but haven’t found a solution yet.
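As an added diagnostic (not part of the original post), the check below sends a plain A query for the OCSP host named in the warning to the resolver address from the nginx config above and reports the RCODE and any addresses, so the answer unbound hands back can be compared between the two forwarders. It uses only the standard library; the resolver address and host name are taken from the post, and any IP shown in comments is a constructed sample.

```python
import random
import socket
import struct

NGINX_RESOLVER = "127.0.0.1"                 # from the post's `resolver` directive
OCSP_HOST = "ocsp.int-x3.letsencrypt.org"    # host named in the nginx warning

def build_query(name, txid):
    """Minimal DNS A/IN query with RD=1, as a resolver-forwarding client would send it."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(pkt, off):
    """Advance past a (possibly compressed) domain name starting at `off`."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, name ends here
            return off + 2
        off += length + 1

def parse_response(pkt, txid):
    """Return (rcode, [IPv4 strings]) from a DNS response; rcode 3 is NXDOMAIN."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:           # A record, e.g. a constructed 192.0.2.10
            addrs.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return flags & 0x0F, addrs

def check_resolver(server=NGINX_RESOLVER, name=OCSP_HOST, timeout=3.0):
    """Ask `server` for A records of `name`; rcode 0 with addresses is what nginx needs."""
    txid = random.getrandbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        reply, _ = sock.recvfrom(4096)
    return parse_response(reply, txid)
```

Run `check_resolver()` once with unbound forwarding to each upstream; an RCODE of 3 or an empty address list from 127.0.0.1 matches the "host not found" warning, while a non-zero RCODE only with OpenDNS points at the forwarder rather than at nginx.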