Had these errors in the nginx log again:
ocsp.int-x3.letsencrypt.org could not be resolved
Related: Ocsp.int-x3.letsencrypt.org could not be resolved
nginx uses the nameserver from /etc/resolv.conf.
The /etc/resolv.conf of that Trellis server:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.
nameserver 127.0.0.53
That is indeed a functioning DNS server, a systemd DNS resolver (I know, I know…):
dig @127.0.0.53 google.com, for example, works fine.
However, when I do a DNS lookup for ocsp.int-x3.letsencrypt.org I get a response with “akamai”, which is a CDN that apparently uses some optimizations that cause issues with nginx OCSP (according to some related forum discussions).
dig @127.0.0.53 ocsp.int-x3.letsencrypt.org
[redacted]
;; ANSWER SECTION:
ocsp.int-x3.letsencrypt.org. 3079 IN CNAME ocsp.int-x3.letsencrypt.org.edgesuite.net.
ocsp.int-x3.letsencrypt.org.edgesuite.net. 1614 IN CNAME a771.dscq.akamai.net.
a771.dscq.akamai.net. 2 IN A 2.16.107.43
a771.dscq.akamai.net. 2 IN A 2.16.107.114
As a general question: What DNS servers are good for web sites? Google Public DNS? OpenDNS?