Wasasando

nginx: [warn] “ssl_stapling” ignored, host not found in OCSP responder “r3.o.lencr.org” in the certificate

Also posted on: [https://unix.stackexchange.com/questions/709950/nginx-warn-ssl-stapling-ignored-host-not-found-in-ocsp-responder-r3-o-len](https://unix.stackexchange.com/questions/709950/nginx-warn-ssl-stapling-ignored-host-not-found-in-ocsp-responder-r3-o-len)

I updated my router firmware and it ended up killing my webserver, so I reverted back to the old firmware in hopes that it would un\*\*\*\* itself. It didn't.

So now I'm battling an issue where I'm probably at my wits end, I cannot make it work. All my applications running in the background are working fine and internet/LAN is working aswell.

Whenever I try to start up the nginx web server it returns with this OCSP responder message and I have tried changing things but to no avail. And why would I have to change anything to make it work when I didn't change anything to mess it up?

I've tried turning on the nginx debug mode and it shows me this:

2022/07/15 11:53:50 [debug] 2294#2294: *308 write new buf t:1 f:0 000055F521DAC0C0, pos 000055F521DAC0C0, size: 268 file: 0, size: 0
2022/07/15 11:53:50 [debug] 2294#2294: *308 http write filter: l:0 f:0 s:268
2022/07/15 11:53:50 [debug] 2294#2294: *308 http output filter "/scrape?info_hash=%9b%3di%c5%da%0dIUt7%99%ef%c6%ff%28s%fc%81I%ae"
2022/07/15 11:53:50 [debug] 2294#2294: *308 http copy filter: "/scrape?info_hash=%9b%3di%c5%da%0dIUt7%99%ef%c6%ff%28s%fc%81I%ae"
2022/07/15 11:53:50 [debug] 2294#2294: *308 image filter
2022/07/15 11:53:50 [debug] 2294#2294: *308 xslt filter body
2022/07/15 11:53:50 [debug] 2294#2294: *308 http postpone filter "/scrape?info_hash=%9b%3di%c5%da%0dIUt7%99%ef%c6%ff%28s%fc%81I%ae" 000055F521D4F2B0
2022/07/15 11:53:50 [debug] 2294#2294: *308 write old buf t:1 f:0 000055F521DAC0C0, pos 000055F521DAC0C0, size: 268 file: 0, size: 0
2022/07/15 11:53:50 [debug] 2294#2294: *308 write new buf t:0 f:0 0000000000000000, pos 000055F520815B20, size: 116 file: 0, size: 0
2022/07/15 11:53:50 [debug] 2294#2294: *308 write new buf t:0 f:0 0000000000000000, pos 000055F520815E20, size: 62 file: 0, size: 0
2022/07/15 11:53:50 [debug] 2294#2294: *308 http write filter: l:1 f:0 s:446
2022/07/15 11:53:50 [debug] 2294#2294: *308 http write filter limit 0
2022/07/15 11:53:50 [debug] 2294#2294: *308 writev: 446 of 446
2022/07/15 11:53:50 [debug] 2294#2294: *308 http write filter 0000000000000000
2022/07/15 11:53:50 [debug] 2294#2294: *308 http copy filter: 0 "/scrape?info_hash=%9b%3di%c5%da%0dIUt7%99%ef%c6%ff%28s%fc%81I%ae"
2022/07/15 11:53:50 [debug] 2294#2294: *308 http finalize request: 0, "/scrape?info_hash=%9b%3di%c5%da%0dIUt7%99%ef%c6%ff%28s%fc%81I%ae" a:1, c:1
2022/07/15 11:53:50 [debug] 2294#2294: *308 set http keepalive handler
2022/07/15 11:53:50 [debug] 2294#2294: *308 http close request
2022/07/15 11:53:50 [debug] 2294#2294: *308 http log handler
2022/07/15 11:53:50 [debug] 2294#2294: *308 free: 000055F521D4E2C0, unused: 0
2022/07/15 11:53:50 [debug] 2294#2294: *308 free: 000055F521DABCE0, unused: 2283
2022/07/15 11:53:50 [debug] 2294#2294: *308 free: 000055F521D036F0
2022/07/15 11:53:50 [debug] 2294#2294: *308 hc free: 0000000000000000
2022/07/15 11:53:50 [debug] 2294#2294: *308 hc busy: 0000000000000000 0
2022/07/15 11:53:50 [debug] 2294#2294: *308 tcp_nodelay
2022/07/15 11:53:50 [debug] 2294#2294: *308 reusable connection: 1
2022/07/15 11:53:50 [debug] 2294#2294: *308 event timer add: 25: 75000:2596208
2022/07/15 11:55:05 [debug] 2294#2294: *308 event timer del: 25: 2596208
2022/07/15 11:55:05 [debug] 2294#2294: *308 http keepalive handler
2022/07/15 11:55:05 [debug] 2294#2294: *308 close http connection: 25
2022/07/15 11:55:05 [debug] 2294#2294: *308 reusable connection: 0
2022/07/15 11:55:05 [debug] 2294#2294: *308 free: 0000000000000000
2022/07/15 11:55:05 [debug] 2294#2294: *308 free: 000055F521DE3340, unused: 136

And this is what the normal error.log throws me through systemctl:

nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "r3.o.lencr.org" in the certificate

I think it's a DNS issue but I can't figure out what by myself, according to a forum post the error message suggests there is a problem with resolution of the [r3.o.lencr.org](https://r3.o.lencr.org) name, as preformed by nginx on startup using system resolver.

My reverse config:

server {
listen 80 default_server;
#listen [::]:80 default_server;

server_name dns.name.here 192.168.0.100;

return 301 https://$server_name$request_uri;
}
upstream netdata {
server 127.0.0.1:19999;
keepalive 64;
}
server {
#-------------------- SSL CONFIG -----------------------------------

listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
include /etc/nginx/snippets/strong-ssl.conf;
ssl_certificate /etc/letsencrypt/live/dnsname/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/dnsname/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/dnsname/chain.pem;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
auth_basic "Restricted"; auth_basic_user_file /etc/nginx/.htpasswd;
error_page 401 403 404 /404.html; error_log /var/log/nginx/nnferror.log;
# First attempt to serve request as file, then as directory, then fall back to displaying a 404.
location / {
try_files $uri $uri/ =404;
}
# Deny access to .htaccess files, if Apache's document root concurs with nginx's one
location ~ /\.ht {
deny all;
}
# Let's Encrypt Webroot plugin location -- allow access
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
autoindex on;
}

My ssl.conf:

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;

# Set Google's public DNS servers as upstream resolver
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;

# Modify X-Frame-Option from DENY to SAMEORIGIN, required for Deluge Web UI, ownCloud, etc.
add_header X-Frame-Options SAMEORIGIN;

add_header X-Content-Type-Options nosniff;

# Use the 2048 bit DH key
ssl_dhparam /etc/ssl/certs/dhparam.pem;

Also tried checking if I could actually communicate with [8.8.8.8](https://8.8.8.8)

dig u/8.8.8.8 r3.o.lencr.org

; <<>> DiG 9.11.3-1ubuntu1.17-Ubuntu <<>> u/8.8.8.8 r3.o.lencr.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<

Exit mobile version