nginx: [warn] “ssl_stapling” ignored, host not found in OCSP responder “r3.o.lencr.org” in the certificate

Also posted on: [https://unix.stackexchange.com/questions/709950/nginx-warn-ssl-stapling-ignored-host-not-found-in-ocsp-responder-r3-o-len](https://unix.stackexchange.com/questions/709950/nginx-warn-ssl-stapling-ignored-host-not-found-in-ocsp-responder-r3-o-len)

I updated my router firmware and it ended up killing my webserver, so I reverted back to the old firmware in hopes that it would un\*\*\*\* itself. It didn't.

So now I'm battling an issue where I'm probably at my wits' end, I cannot make it work. All my applications running in the background are working fine and internet/LAN is working as well.

Whenever I try to start up the nginx web server it returns with this OCSP responder message and I have tried changing things but to no avail. And why would I have to change anything to make it work when I didn't change anything to mess it up?

I've tried turning on the nginx debug mode and it shows me this:

```
2022/07/15 11:53:50 [debug] 2294#2294: *308 write new buf t:1 f:0 000055F521DAC0C0, pos 000055F521DAC0C0, size: 268 file: 0, size: 0
2022/07/15 11:53:50 [debug] 2294#2294: *308 http write filter: l:0 f:0 s:268
2022/07/15 11:53:50 [debug] 2294#2294: *308 http output filter "/scrape?info_hash=%9b%3di%c5%da%0dIUt7%99%ef%c6%ff%28s%fc%81I%ae"
2022/07/15 11:53:50 [debug] 2294#2294: *308 http copy filter: "/scrape?info_hash=%9b%3di%c5%da%0dIUt7%99%ef%c6%ff%28s%fc%81I%ae"
2022/07/15 11:53:50 [debug] 2294#2294: *308 image filter
2022/07/15 11:53:50 [debug] 2294#2294: *308 xslt filter body
2022/07/15 11:53:50 [debug] 2294#2294: *308 http postpone filter "/scrape?info_hash=%9b%3di%c5%da%0dIUt7%99%ef%c6%ff%28s%fc%81I%ae" 000055F521D4F2B0
2022/07/15 11:53:50 [debug] 2294#2294: *308 write old buf t:1 f:0 000055F521DAC0C0, pos 000055F521DAC0C0, size: 268 file: 0, size: 0
2022/07/15 11:53:50 [debug] 2294#2294: *308 write new buf t:0 f:0 0000000000000000, pos 000055F520815B20, size: 116 file: 0, size: 0
2022/07/15 11:53:50 [debug] 2294#2294: *308 write new buf t:0 f:0 0000000000000000, pos 000055F520815E20, size: 62 file: 0, size: 0
2022/07/15 11:53:50 [debug] 2294#2294: *308 http write filter: l:1 f:0 s:446
2022/07/15 11:53:50 [debug] 2294#2294: *308 http write filter limit 0
2022/07/15 11:53:50 [debug] 2294#2294: *308 writev: 446 of 446
2022/07/15 11:53:50 [debug] 2294#2294: *308 http write filter 0000000000000000
2022/07/15 11:53:50 [debug] 2294#2294: *308 http copy filter: 0 "/scrape?info_hash=%9b%3di%c5%da%0dIUt7%99%ef%c6%ff%28s%fc%81I%ae"
2022/07/15 11:53:50 [debug] 2294#2294: *308 http finalize request: 0, "/scrape?info_hash=%9b%3di%c5%da%0dIUt7%99%ef%c6%ff%28s%fc%81I%ae" a:1, c:1
2022/07/15 11:53:50 [debug] 2294#2294: *308 set http keepalive handler
2022/07/15 11:53:50 [debug] 2294#2294: *308 http close request
2022/07/15 11:53:50 [debug] 2294#2294: *308 http log handler
2022/07/15 11:53:50 [debug] 2294#2294: *308 free: 000055F521D4E2C0, unused: 0
2022/07/15 11:53:50 [debug] 2294#2294: *308 free: 000055F521DABCE0, unused: 2283
2022/07/15 11:53:50 [debug] 2294#2294: *308 free: 000055F521D036F0
2022/07/15 11:53:50 [debug] 2294#2294: *308 hc free: 0000000000000000
2022/07/15 11:53:50 [debug] 2294#2294: *308 hc busy: 0000000000000000 0
2022/07/15 11:53:50 [debug] 2294#2294: *308 tcp_nodelay
2022/07/15 11:53:50 [debug] 2294#2294: *308 reusable connection: 1
2022/07/15 11:53:50 [debug] 2294#2294: *308 event timer add: 25: 75000:2596208
2022/07/15 11:55:05 [debug] 2294#2294: *308 event timer del: 25: 2596208
2022/07/15 11:55:05 [debug] 2294#2294: *308 http keepalive handler
2022/07/15 11:55:05 [debug] 2294#2294: *308 close http connection: 25
2022/07/15 11:55:05 [debug] 2294#2294: *308 reusable connection: 0
2022/07/15 11:55:05 [debug] 2294#2294: *308 free: 0000000000000000
2022/07/15 11:55:05 [debug] 2294#2294: *308 free: 000055F521DE3340, unused: 136
```

And this is what the normal error.log throws me through systemctl:

```
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "r3.o.lencr.org" in the certificate
```

I think it's a DNS issue but I can't figure out what by myself. According to a forum post, the error message suggests there is a problem with resolution of the [r3.o.lencr.org](https://r3.o.lencr.org) name, as performed by nginx on startup using the system resolver.

My reverse config:

```nginx
server {
    listen 80 default_server;
    #listen [::]:80 default_server;

    server_name dns.name.here 192.168.0.100;

    return 301 https://$server_name$request_uri;
}

upstream netdata {
    server 127.0.0.1:19999;
    keepalive 64;
}

server {
    #-------------------- SSL CONFIG -----------------------------------

    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    include /etc/nginx/snippets/strong-ssl.conf;
    ssl_certificate /etc/letsencrypt/live/dnsname/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dnsname/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/dnsname/chain.pem;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;
    error_page 401 403 404 /404.html;
    error_log /var/log/nginx/nnferror.log;

    # First attempt to serve request as file, then as directory, then fall back to displaying a 404.
    location / {
        try_files $uri $uri/ =404;
    }

    # Deny access to .htaccess files, if Apache's document root concurs with nginx's one
    location ~ /\.ht {
        deny all;
    }

    # Let's Encrypt Webroot plugin location -- allow access
    location ^~ /.well-known/acme-challenge/ {
        auth_basic off;
        autoindex on;
    }
}
```

My ssl.conf:

```nginx
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;

# Set Google's public DNS servers as upstream resolver
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;

# Modify X-Frame-Option from DENY to SAMEORIGIN, required for Deluge Web UI, ownCloud, etc.
add_header X-Frame-Options SAMEORIGIN;

add_header X-Content-Type-Options nosniff;

# Use the 2048 bit DH key
ssl_dhparam /etc/ssl/certs/dhparam.pem;
```

Also tried checking if I could actually communicate with [8.8.8.8](https://8.8.8.8)

```
dig @8.8.8.8 r3.o.lencr.org

; <<>> DiG 9.11.3-1ubuntu1.17-Ubuntu <<>> @8.8.8.8 r3.o.lencr.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58758
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;r3.o.lencr.org. IN A

;; ANSWER SECTION:
r3.o.lencr.org. 120 IN CNAME o.lencr.edgesuite.net.
o.lencr.edgesuite.net. 19792 IN CNAME a1887.dscq.akamai.net.
a1887.dscq.akamai.net. 20 IN A 83.255.218.9
a1887.dscq.akamai.net. 20 IN A 83.255.218.98

;; Query time: 63 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Jul 15 12:53:27 CEST 2022
;; MSG SIZE rcvd: 142
```

I've also tried reinstalling nginx but no success.

nginx version: nginx/1.18.0 (Ubuntu)

Ubuntu 18.04

Router: Asus AC88U with Merlin v386,5 (v387 caused the issue)

Can anyone tell me what happened here?
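
An added diagnostic sketch (not part of the original post): nginx raises this warning while loading the configuration, when it looks up the responder name through the system resolver, which is a different path from a `dig` query sent straight to 8.8.8.8 and from the `resolver` directive used at runtime. The script pulls the host out of the warning, lists the nameservers in resolv.conf and resolves the name through `getaddrinfo()`; the sample resolv.conf text and its 192.168.0.1 address are constructed for illustration.

```python
import re
import socket

# The warning line as quoted in the post.
SAMPLE_WARNING = ('nginx: [warn] "ssl_stapling" ignored, host not found in '
                  'OCSP responder "r3.o.lencr.org" in the certificate')

# Constructed resolv.conf content (assumption: the router is the only nameserver).
SAMPLE_RESOLV_CONF = """\
# generated by dhcp client
nameserver 192.168.0.1
search lan
"""

def responder_host(warning_line):
    """Extract the OCSP responder host name from nginx's stapling warning."""
    m = re.search(r'host not found in OCSP responder "([^"]+)"', warning_line)
    return m.group(1) if m else None

def nameservers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf text."""
    fields = (line.split() for line in resolv_conf_text.splitlines())
    return [f[1] for f in fields if len(f) >= 2 and f[0] == "nameserver"]

def system_resolve(host):
    """Resolve via getaddrinfo(), i.e. the libc path (nsswitch.conf, resolv.conf).
    Returns (sorted_addresses, error_text_or_None)."""
    try:
        infos = socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        return [], str(exc)
    return sorted({info[4][0] for info in infos}), None

if __name__ == "__main__":
    host = responder_host(SAMPLE_WARNING)
    try:
        with open("/etc/resolv.conf") as fh:
            servers = nameservers(fh.read())
    except OSError:
        servers = []
    addrs, err = system_resolve(host)
    print(f"responder host : {host}")
    print(f"system resolver: {servers or 'no nameserver lines found'}")
    print(f"getaddrinfo    : {addrs if addrs else 'FAILED - ' + str(err)}")
```

If `getaddrinfo` fails here while the direct `dig` query succeeds, the fault is in the host's resolver configuration or in the nameserver it points at, not in the public DNS records.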

2 thoughts on “nginx: [warn] “ssl_stapling” ignored, host not found in OCSP responder “r3.o.lencr.org” in the certificate”

  1. Do you get the error when you restart nginx during normal work or during startup? Systemd may start nginx before any network is available.
    In general, whole thing works for me in a very similar setup.
    Also, you have ‘strong-ssl.conf’ and then you reference ‘ssl.conf’. But I guess this is just a typo.

  2. I’m having the same issue as well!

    It started 1-2 days ago and I’ve been scratching my head trying to figure it out!

    From what I’ve managed to test and figure out through trial and error it feels like something possibly with the underlying OS.

    Do you use Cloudflare at all for any of your sites?

