i run
nginx -v
nginx version: nginx/1.23.3 (Local Build)
nginx is launched on boot with a systemd service
my site's ssl enabled, using letsencrypt certs
in my boot logs, i see
Feb 15 11:54:03 svr017 nginx[912]: nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "r3.o.lencr.org/" in the certificate "/sec/svr017/fullchain.ec.crt.pem"
nginx site config includes
ssl_trusted_certificate "/sec/svr017/intermediate_ca.ec.crt.pem";
ssl_certificate "/sec/svr017/fullchain.ec.crt.pem";
ssl_certificate_key "/sec/svr017/priv.ec.key";
ssl_stapling on;
ssl_stapling_verify on;
ssl_ocsp on;
ssl_ocsp_cache shared:OCSP:10m;
ssl_stapling_responder http://r3.o.lencr.org/;
ssl_ocsp_responder http://r3.o.lencr.org/;
checking the cert
openssl x509 -noout -text -in /sec/svr017/fullchain.ec.crt.pem | grep -i ocsp -A2 -B1
Authority Information Access:
OCSP - URI:http://r3.o.lencr.org
CA Issuers - URI:http://r3.i.lencr.org/
X509v3 Subject Alternative Name:
from the host
dig A r3.o.lencr.org +short
o.lencr.edgesuite.net.
a1887.dscq.akamai.net.
23.215.130.112
23.215.130.106
23.215.130.113
23.215.130.88
telnet -4 r3.o.lencr.org 80
Trying 23.63.77.32...
Connected to r3.o.lencr.org.
Escape character is '^]'.
curl -Ii http://r3.o.lencr.org/
HTTP/1.1 200 OK
Server: nginx
Content-Length: 0
Cache-Control: max-age=5863
Expires: Wed, 15 Feb 2023 18:52:39 GMT
Date: Wed, 15 Feb 2023 17:14:56 GMT
Connection: keep-alive
is this warning due to a nginx misconfig? or a cert issue?
Hello!
On Wed, Feb 15, 2023 at 12:25:09PM -0500, PGNet Dev wrote:
> i run
>
> nginx -v
> nginx version: nginx/1.23.3 (Local Build)
>
> nginx is launched on boot with a systemd service
>
> my site's ssl enabled, using letsencrypt certs
>
> in my boot logs, i see
>
> Feb 15 11:54:03 svr017 nginx[912]: nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "r3.o.lencr.org/" in the certificate "/sec/svr017/fullchain.ec.crt.pem"
[...]
> is this warning due to a nginx misconfig? or a cert issue?
The error message suggests there is something wrong with DNS on
your host.
If this happens only on boot but not when you restart/reload nginx
after boot, this might indicate that DNS is not yet properly
available when nginx starts. One possible reason is that nginx
systemd service is not properly configured to depend on DNS being
available: for nginx to start properly you may want to ensure that
there is Wants= and After= dependency on network-online.target,
and After= dependency on nss-lookup.target, see nginx.service as
shipped by nginx.org nginx packages[1] for an example.
[1] http://hg.nginx.org/pkg-oss/file/tip/debian/debian/nginx.service
--
Maxim Dounin
http://mdounin.ru/
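One way to apply the dependency advice above without editing the packaged unit file is a systemd drop-in. The following is an added example, not the unit shipped by nginx.org or anything posted in this thread; the drop-in path and file name are assumptions, and the comments state what each line relies on.

```ini
# /etc/systemd/system/nginx.service.d/10-wait-for-dns.conf
# Added example (not from the nginx.org package). A drop-in overrides only
# these keys, so a package upgrade of nginx.service does not clobber it.
[Unit]
# Pull in and order after network-online.target. Note that this target only
# blocks if the network manager's wait-online unit is enabled
# (NetworkManager-wait-online.service or systemd-networkd-wait-online.service);
# otherwise it can be reached before any interface has an address.
Wants=network-online.target
After=network-online.target

# Order after host-name resolution is available. nss-lookup.target is a
# passive target: the resolver service (systemd-resolved, unbound, ...) is
# expected to pull it in and order itself Before= it, so nginx only needs
# After= here, as the reply above says.
After=nss-lookup.target
```

After `systemctl daemon-reload`, `systemctl show nginx.service -p After -p Wants` should list both targets, and `journalctl -b -u nginx` after a reboot should no longer show the "host not found in OCSP responder" warning. The warning is raised because nginx resolves the responder host name with the system resolver while loading the configuration, which is why a `reload` once DNS is up makes it disappear; the drop-in only moves that resolution to a point where DNS is actually usable.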
hi,
> The error message suggests there is something wrong with DNS on
> your host.
> If this happens only on boot but not when you restart/reload nginx
> after boot,
ah. testing, yep, that does seem to be the case
> this might indicate that DNS is not yet properly
> available when nginx starts. One possible reason is that nginx
> systemd service is not properly configured to depend on DNS being
> available: for nginx to start properly you may want to ensure that
> there is Wants= and After= dependency on network-online.target,
> and After= dependency on nss-lookup.target, see nginx.service as
> shipped by nginx.org nginx packages[1] for an example.
i'd added/use unbound as local resolver.
changing both
edit /etc/systemd/system/nginx.service
- After=network-online.target
- Wants=network-online.target
+ After=network-online.target nss-lookup.target unbound.target
+ Wants=network-online.target nss-lookup.target unbound.target
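Review bot: the `+ Wants=` line adds Wants=nss-lookup.target, which the quoted advice does not ask for (it says After= only). nss-lookup.target is a passive synchronization target that the resolver service is supposed to pull in and order itself Before=; if unbound.service does not do that, After=nss-lookup.target gives no guarantee that unbound is answering when nginx starts, which is presumably what the unbound.target entry is meant to cover. Confirm that such a unit actually exists on this host (`systemctl cat unbound.target`), because Wants= and After= on a unit name that does not exist are ignored rather than reported as a failure, and check the resolver's own ordering with `systemctl show unbound.service -p Before`.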
and
edit /etc/systemd/system/nginx.service
- networks: files dns
+ networks: dns files
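Review bot: the path above this hunk repeats /etc/systemd/system/nginx.service, but `networks: files dns` is a Name Service Switch database line, which lives in /etc/nsswitch.conf, not in a systemd unit; the edit should name the file it actually touched. Separately, the database glibc consults for host-name lookups such as r3.o.lencr.org is `hosts:`, while `networks:` only affects network-name lookups (getnetbyname), so reordering `networks:` should have no effect on how nginx resolves the OCSP responder. If this change did matter, check whether it was the `hosts:` line that moved, and consider keeping `files` first there so /etc/hosts entries are still honoured before DNS is queried.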
does the trick.
i wasn't noticing any DNS issues anywhere (else); just this ocsp fail. good catch, thx!
o/