Had these errors in the nginx log again:
ocsp.int-x3.letsencrypt.org could not be resolved
Related: Ocsp.int-x3.letsencrypt.org could not be resolved
nginx uses the nameserver from /etc/resolv.conf of that Trellis server:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.
That is indeed a functioning DNS server, a systemd DNS resolver (I know, I know…):
dig @127.0.0.53 google.com for example works fine.
However, when I do a DNS lookup for ocsp.int-x3.letsencrypt.org, I get a response with “akamai”, which is a CDN that apparently uses some optimizations that cause issues with nginx OCSP (according to some related forum discussions).
dig @127.0.0.53 ocsp.int-x3.letsencrypt.org
;; ANSWER SECTION:
ocsp.int-x3.letsencrypt.org. 3079 IN CNAME ocsp.int-x3.letsencrypt.org.edgesuite.net.
ocsp.int-x3.letsencrypt.org.edgesuite.net. 1614 IN CNAME a771.dscq.akamai.net.
a771.dscq.akamai.net. 2 IN A 220.127.116.11
a771.dscq.akamai.net. 2 IN A 18.104.22.168
As a general question: What DNS servers are good for web sites? Google Public DNS? OpenDNS?
Did you figure this out? It is showing up on all my new Digital Ocean servers created in the last 2 months.
This has something to do with the DNS resolver that the server is using, notably nginx, when it has to handle OCSP.
The DNS server provided by the cloud provider seems to resolve incorrectly or unexpectedly for ocsp.int-x3.letsencrypt.org.
Did you figure out a fix so these servers allow cert generation?
I have a feeling that this is because I created the servers without IPv6 support. Just added it to one and will see on Monday if this fixed it.
The system on which this happened to me was IPv4-only.
Good question. I’ve honestly never really changed DNS servers on a web server since they’re usually hosted on large providers who I figure wouldn’t have issues like this.
I assume Google or Cloudflare would be good options just like they are on personal computers.
Following up here if anyone comes across this.
It looks like enabling IPv6 on my DO servers fixed this issue for me. I never clicked the IPv6 box when provisioning new servers and it seems that this is necessary at this point.
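Added example, not part of the thread and not code from any poster: a Python sketch that parses the answer section of the dig output quoted in the first post, follows the CNAME chain, and reports which address families came back and the smallest TTL in the chain. The function and field names are assumptions made for this example; the sample text is copied from that post.

```python
from typing import NamedTuple

class Record(NamedTuple):
    name: str
    ttl: int
    rtype: str
    rdata: str

# Answer section copied from the dig output in the first post of this thread.
SAMPLE = """\
;; ANSWER SECTION:
ocsp.int-x3.letsencrypt.org. 3079 IN CNAME ocsp.int-x3.letsencrypt.org.edgesuite.net.
ocsp.int-x3.letsencrypt.org.edgesuite.net. 1614 IN CNAME a771.dscq.akamai.net.
a771.dscq.akamai.net. 2 IN A 220.127.116.11
a771.dscq.akamai.net. 2 IN A 18.104.22.168
"""

def parse_answer(text):
    """Parse 'name ttl class type rdata' lines; skip ';' comments and junk."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if line.lstrip().startswith(";") or len(fields) < 5 or not fields[1].isdigit():
            continue
        name, ttl, rtype = fields[0], int(fields[1]), fields[3].upper()
        rdata = " ".join(fields[4:]).rstrip(".")
        records.append(Record(name.lower().rstrip("."), ttl, rtype, rdata))
    return records

def summarize(text, qname):
    """Follow the CNAME chain from qname and report what a caching client sees."""
    records = parse_answer(text)
    chain, ttls, seen = [], [], set()
    current = qname.lower().rstrip(".")
    while current not in seen:          # the 'seen' set stops CNAME loops
        seen.add(current)
        chain.append(current)
        cname = next((r for r in records
                      if r.name == current and r.rtype == "CNAME"), None)
        if cname is None:
            break
        ttls.append(cname.ttl)
        current = cname.rdata.lower()
    addrs = [r for r in records if r.name == chain[-1] and r.rtype in ("A", "AAAA")]
    ttls += [r.ttl for r in addrs]
    return {
        "chain": chain,
        "ipv4": [r.rdata for r in addrs if r.rtype == "A"],
        "ipv6": [r.rdata for r in addrs if r.rtype == "AAAA"],
        # The smallest TTL bounds how long the full answer can be cached.
        "min_ttl": min(ttls) if ttls else None,
    }
```

For the quoted output this reports a three-name chain ending at the Akamai host, two IPv4 addresses, no IPv6 addresses, and a minimum TTL of 2 seconds. nginx caches resolver answers for the response TTL unless `valid=` is set on its `resolver` directive.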