3

I'm intermittently seeing errors such as the following in my nginx error logs:

OCSP responder timed out (110: Connection timed out) while requesting certificate status, responder: ocsp.comodoca.com

What can I need to do to fix these?

I feel the server at comodoca.com is reliable, so it's probably some other misconfiguration? I'm using a public cert from a third party CA. I got it here.

I'm attaching my nginx conf below:

server {

    server_name example.com;
    listen 443 ssl;

    ssl_certificate /etc/nginx/ssl/cert_chain.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:1250m;

    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP';

    # OCSP Stapling ---
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/example_com.ca-bundle;

    add_header Strict-Transport-Security "max-age=2592000; includeSubDomains; preload";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    charset utf-8;
    underscores_in_headers on;

    limit_conn conn_limit_per_ip 10;
    limit_req zone=req_limit_per_ip burst=20;

    # write error log file for https errors:
    error_log /var/log/nginx/https-error_log warn;


    location ~* \.(?:ico|css|js|gif|jpe?g|png)$ { 

    root /home/user/folder/myapp; 
    access_log off;
    expires 30d;
    add_header Pragma public;
    add_header Cache-Control "public, must-revalidate, proxy-revalidate";

    }

. . .
}
Hassan Baig
  • 2,325
  • 12
  • 29
  • 48
  • Is your host ipv6 only ? – krisFR Sep 23 '17 at 18:46
  • no its not ipv6 only – Hassan Baig Sep 23 '17 at 18:49
  • Ok, i can see a brunch of reasons. First can you try to add a `resolver` directive ? – krisFR Sep 23 '17 at 18:56
  • Ah the infamous `resolver` is back. What should it point to? – Hassan Baig Sep 23 '17 at 19:24
  • Sorry, i finally don't think `resolver` has something to do with it. But it may. I was previously thinking about this recent bug report https://trac.nginx.org/nginx/ticket/1330 (ticket https://community.letsencrypt.org/t/letsencrypt-nginx-on-a-ipv6-only-server-ocsp-responder-timed-out/40755). I realize that a detailed debug process in comments would be too long. You should perform first step debugging, analyzing/sniffing DNS trafic. – krisFR Sep 23 '17 at 20:08

0 Answers0