Weird issue using OCSP stapling


#1

OS: CentOS 7.2
Webserver: Nginx 1.11.4

Hi LE community, I’m seeing a very weird issue with OCSP stapling enabled. I’m running a local DNS server (unbound) to cache DNS queries. Unbound forwards these queries if they haven’t been cached yet. I used to forward them to the Google DNS (8.8.8.8/8.8.4.4) but recently switched to OpenDNS. The ocsp resolver in the nginx configuration is obviously set to 127.0.0.1. This is the nginx ocsp configuration part:

# OCSP
ssl_stapling            on;
ssl_stapling_verify     on;
ssl_trusted_certificate /etc/ssl/certs/ca-bundle.crt;
resolver                127.0.0.1 [::1] valid=300s;
resolver_timeout        5s;

After setting the OpenDNS IPs in /etc/unbound/unbound.conf I ran nginx -t at some point. This gave me the following error:

nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org/"

I noticed that this issue occurs when I use OpenDNS to forward queries. Changing back to Google to forward queries and restarting unbound solves this problem. But that’s not what I want. I want to use OpenDNS AND OCSP stapling.

Can someone help me with this? I have tried to find out what’s the problem but haven’t found a solution yet.
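Added diagnostic script, not part of the original post or of nginx: it asks each resolver directly for the OCSP responder host named in the nginx warning (the `resolver` directive only matters for that lookup), and then checks from the client side whether the site actually sends a stapled OCSP response. It assumes `dig` (bind-utils) and `openssl` are installed; the OpenDNS address and the site name are placeholders to replace.

```shell
#!/bin/sh
# Added example (not from the thread): compare resolver answers for the OCSP
# responder host, then check end-to-end whether nginx staples.
# Assumptions: dig and openssl installed; SITE and the OpenDNS IP are placeholders.

OCSP_HOST="ocsp.int-x3.letsencrypt.org"       # host from the nginx warning in the thread
RESOLVERS="127.0.0.1 8.8.8.8 208.67.222.222"   # local unbound, Google, OpenDNS (assumed)
SITE="example.com"                             # placeholder for the nginx vhost

# Extract the responder host from an nginx '"ssl_stapling" ignored' warning line
# (drops an optional http:// or https:// prefix and any trailing path).
ocsp_host_from_warning() {
    printf '%s\n' "$1" \
        | sed -n 's|.*OCSP responder "\(http[s]*://\)\{0,1\}\([^"/]*\).*|\2|p'
}

# Return 0 when an "openssl s_client -status" transcript shows a stapled response.
stapling_ok() {
    printf '%s\n' "$1" | grep -q '^OCSP Response Status: successful'
}

# Query one resolver directly for the responder host; prints the DNS status
# and any A records so a SERVFAIL/NXDOMAIN from one upstream stands out.
resolve_via() {
    resolver="$1"; host="$2"
    dig +time=3 +tries=1 @"$resolver" "$host" A +noall +comments +answer \
        | awk '/status:/ {sub(/.*status: /, ""); sub(/,.*/, ""); print "status=" $0}
               $4 == "A" {print "A=" $5}'
}

# Network checks run only when explicitly requested, so the file can be sourced.
if [ "${OCSP_CHECK_RUN:-0}" = "1" ]; then
    for r in $RESOLVERS; do
        echo "== resolver $r -> $OCSP_HOST"
        resolve_via "$r" "$OCSP_HOST"
    done
    echo "== stapling on $SITE"
    out=$(printf 'Q\n' | openssl s_client -connect "$SITE:443" \
            -servername "$SITE" -status 2>/dev/null)
    if stapling_ok "$out"; then echo "stapled"; else echo "NOT stapled"; fi
fi
```

Run it with `OCSP_CHECK_RUN=1 sh ocsp-check.sh` on the web server. A `status=SERVFAIL` or `status=NXDOMAIN` line under one resolver, with `status=NOERROR` under the others, pins the problem on that upstream rather than on nginx; note that nginx only performs this lookup when it loads the configuration, so a transient DNS failure at start time leaves stapling disabled until the next reload.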


#2

You could try complaining to OpenDNS but I don’t expect it to help.


#3

You’ve isolated this to an OpenDNS issue, so I’d go with what tialaramex said.

  1. Open ticket with OpenDNS to fix their code.

  2. Use Google, till OpenDNS is fixed.

Likely OpenDNS will never fix their code, so likely you’ll be using Google… if OCSP stapling performance has high priority for you…


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.