OS: CentOS 7.2
Webserver: Nginx 1.11.4
Hi LE community, I’m seeing a very weird issue with OCSP stapling enabled. I’m running a local DNS server (unbound) to cache DNS queries. Unbound forwards these queries if they haven’t been cached yet. I used to forward them to the Google DNS (8.8.8.8/8.8.4.4) but recently switched to OpenDNS. The OCSP resolver in the nginx configuration is obviously set to 127.0.0.1. This is the nginx OCSP configuration part:
# OCSP
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/certs/ca-bundle.crt;
resolver 127.0.0.1 [::1] valid=300s;
resolver_timeout 5s;
After setting the OpenDNS IPs in /etc/unbound/unbound.conf I ran nginx -t at some point. This gave me the following error:
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org/"
I noticed that this issue occurs when I use OpenDNS to forward queries. Changing back to Google to forward queries and restarting unbound solves this problem. But that’s not what I want. I want to use OpenDNS AND OCSP stapling.
Can someone help me with this? I have tried to find out what’s the problem but haven’t found a solution yet.
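As an added diagnostic (not part of the original post, and not an nginx or unbound tool), the script below takes the resolver directive and the warning text from this post, pulls out the listed nameservers and the OCSP responder host, and then asks each resolver separately for that host with dig; it can also ask the web server itself whether a staple is being sent. The two parsing helpers run offline; the live checks assume dig and openssl are installed and only run when the script is invoked with --run.

```shell
#!/bin/sh
# Added diagnostic for the "ssl_stapling ignored, host not found" warning.
# Not part of the original post; assumes dig (bind-utils) and openssl exist.

# Constructed sample inputs, copied from the post's config line and warning.
SAMPLE_RESOLVER_LINE='resolver 127.0.0.1 [::1] valid=300s;'
SAMPLE_WARNING='nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org/"'

# Print the nameserver addresses from a "resolver ..." directive, one per line.
# Drops the directive name, options such as valid=300s, the trailing ";" and
# the [] brackets nginx puts around IPv6 literals.
resolver_addresses() {
    printf '%s\n' "$1" | sed 's/;.*$//' | tr ' ' '\n' \
        | sed '1d;/=/d;/^$/d;s/^\[//;s/\]$//'
}

# Extract the responder host quoted in the nginx warning; the warning quotes
# "host/path", so anything from "/" or ":" onwards is dropped.
ocsp_host_from_warning() {
    printf '%s\n' "$1" | sed -n 's/.*OCSP responder "\([^"/:]*\).*/\1/p'
}

# Ask one resolver for A and AAAA records of a host; succeed if any answer came back.
resolve_with() {
    answers=$(dig +short +time=3 +tries=1 @"$1" "$2" A "$2" AAAA 2>/dev/null)
    [ -n "$answers" ]
}

# Query every resolver named in the directive for the responder host from the
# warning, so a resolver that cannot answer (or is not listening) shows up.
check_ocsp_resolvers() {
    host=$(ocsp_host_from_warning "$1")
    for server in $(resolver_addresses "$2"); do
        if resolve_with "$server" "$host"; then
            echo "ok    $server resolves $host"
        else
            echo "FAIL  $server cannot resolve $host"
        fi
    done
}

# Ask the web server for a stapled response; a working staple prints
# "OCSP Response Status: successful", a missing one "OCSP response: no response sent".
staple_check() {
    printf 'Q\n' | openssl s_client -connect "$1:443" -servername "$1" -status 2>/dev/null \
        | grep -E 'OCSP [Rr]esponse' | head -n 1
}

# Live checks run only with "--run [server_name]"; the helpers above need no network.
if [ "${1:-}" = "--run" ]; then
    check_ocsp_resolvers "$SAMPLE_WARNING" "$SAMPLE_RESOLVER_LINE"
    if [ -n "${2:-}" ]; then
        staple_check "$2"
    fi
fi
```

Running it as `sh ocsp_check.sh --run www.example.com` with unbound forwarding to each upstream in turn shows whether the responder host resolves through 127.0.0.1 and ::1 under that setting, which narrows the problem to the forwarder rather than to nginx.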