Ocsp.int-x3.letsencrypt.org could not be resolved (2)

strarsis · October 14, 2020, 6:13pm

Had this errors in nginx log again:

ocsp.int-x3.letsencrypt.org could not be resolved

Related: Ocsp.int-x3.letsencrypt.org could not be resolved

nginx uses the nameserver from /etc/resolv.conf.
The /etc/resov.conf of that Trellis server:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.

nameserver 127.0.0.53

That is indeed a functioning DNS server, a systemd DNS resolver (I know, I know…):
dig @127.0.0.53 google.com for example works fine.
However, when I do a DNS lookup for ocsp.int-x3.letsencrypt.org I get a response with “akamai”.
Which is a CDN that apparently uses some optimizations that cause issues with nginx OCSP (according to some related forum discussions).

dig @127.0.0.53 ocsp.int-x3.letsencrypt.org
[redacted]
;; ANSWER SECTION:
ocsp.int-x3.letsencrypt.org. 3079 IN    CNAME   ocsp.int-x3.letsencrypt.org.edgesuite.net.
ocsp.int-x3.letsencrypt.org.edgesuite.net. 1614 IN CNAME a771.dscq.akamai.net.
a771.dscq.akamai.net.   2       IN      A       2.16.107.43
a771.dscq.akamai.net.   2       IN      A       2.16.107.114

As a general question: What DNS servers are good for web sites? Google Public DNS? Open DNS?

morcth · November 20, 2020, 5:09pm

Hello,

Did you figure this out? It is showing up on all my new Digital Ocean servers created in the last 2 months.

Thanks!
Josh

strarsis · November 20, 2020, 6:01pm

This has something to do with the DNS resolver that the server is using, notably nginx, when it has to handle OCSP.
The DNS server provided by the cloud provider seems to resolve incorrectly or unexpectedly for ocsp.int-x3.letsencrypt.org.

morcth · November 20, 2020, 7:07pm

Did you figure out a fix so these servers allow cert generation?

Thanks.

morcth · November 20, 2020, 7:50pm

I have a feeling that this is because I created the servers without ip6 support. Just added it to one and will see on Monday if this fixed it.

strarsis · November 20, 2020, 8:28pm

The system on which this happened to me was IPv4-only.

swalkinshaw · November 21, 2020, 3:33am

Good question. I’ve honestly never really changed DNS servers on a web server since they’re usually hosted on large providers who I figure wouldn’t have issues like this.

I assume Google or Cloudflare would be good options just like they are on personal computers.

morcth · November 23, 2020, 3:17pm

Following up here if anyone comes across this.

It looks like enabling ipv6 on my DO servers fixed this issue for me. I never clicked the ipv6 box when provisioning new servers and it seems that this is necessary at this point.

Thanks,
Josh

system · November 25, 2020, 6:13pm

This topic was automatically closed after 42 days. New replies are no longer allowed.