Had these errors in the nginx log again:
ocsp.int-x3.letsencrypt.org could not be resolved
nginx uses the nameserver from /etc/resolv.conf of that Trellis server:
    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    # 127.0.0.53 is the systemd-resolved stub resolver.
    # run "systemd-resolve --status" to see details about the actual nameservers.
    nameserver 127.0.0.53
That is indeed a functioning DNS server, a systemd DNS resolver (I know, I know…):
dig @127.0.0.53 google.com for example works fine.
However, when I do a DNS lookup for ocsp.int-x3.letsencrypt.org I get a response with “akamai”, which is a CDN that apparently uses some optimizations that cause issues with nginx OCSP (according to some related forum discussions).
    dig @127.0.0.53 ocsp.int-x3.letsencrypt.org
    [redacted]
    ;; ANSWER SECTION:
    ocsp.int-x3.letsencrypt.org. 3079 IN CNAME ocsp.int-x3.letsencrypt.org.edgesuite.net.
    ocsp.int-x3.letsencrypt.org.edgesuite.net. 1614 IN CNAME a771.dscq.akamai.net.
    a771.dscq.akamai.net. 2 IN A 220.127.116.11
    a771.dscq.akamai.net. 2 IN A 18.104.22.168
As a general question: What DNS servers are good for web sites? Google Public DNS? Open DNS?
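
Added example, not part of the original post: a small Python helper that parses a dig ANSWER section, follows the CNAME chain from the OCSP responder name, and reports the final addresses and the shortest TTL in the chain. The function names are this example's own, and the sample input is the answer section quoted in the post.

```python
from dataclasses import dataclass

# Answer section as quoted in the post above (sample input for this example).
SAMPLE_ANSWER = """\
ocsp.int-x3.letsencrypt.org. 3079 IN CNAME ocsp.int-x3.letsencrypt.org.edgesuite.net.
ocsp.int-x3.letsencrypt.org.edgesuite.net. 1614 IN CNAME a771.dscq.akamai.net.
a771.dscq.akamai.net. 2 IN A 220.127.116.11
a771.dscq.akamai.net. 2 IN A 18.104.22.168
"""

@dataclass
class Record:
    name: str
    ttl: int
    rtype: str
    data: str

def parse_answer(text):
    """Parse 'name ttl class type rdata' lines; skip blanks and ';' comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split(None, 4)
        if len(fields) != 5 or not fields[1].isdigit():
            continue  # not a resource record line
        name, ttl, _cls, rtype, data = fields
        records.append(Record(name.lower().rstrip("."), int(ttl),
                              rtype.upper(), data.rstrip(".")))
    return records

def resolve_chain(records, qname):
    """Follow CNAMEs from qname; return (chain, addresses, min_ttl)."""
    cnames = {r.name: r for r in records if r.rtype == "CNAME"}
    current = qname.lower().rstrip(".")
    chain, ttls = [current], []
    while current in cnames:
        rec = cnames[current]
        target = rec.data.lower()
        if target in chain:
            raise ValueError("CNAME loop at " + target)
        ttls.append(rec.ttl)
        chain.append(target)
        current = target
    addrs = [r for r in records if r.name == current and r.rtype in ("A", "AAAA")]
    ttls.extend(r.ttl for r in addrs)
    return chain, [r.data for r in addrs], (min(ttls) if ttls else None)

if __name__ == "__main__":
    chain, addrs, min_ttl = resolve_chain(parse_answer(SAMPLE_ANSWER), "ocsp.int-x3.letsencrypt.org")
    print(" -> ".join(chain))
    print("addresses:", addrs, "| shortest TTL in chain:", min_ttl, "s")
```

On the quoted answer it reports a two-hop CNAME chain ending at a771.dscq.akamai.net and a shortest TTL of 2 seconds, so a cached address for the responder expires almost immediately.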