"ssl_stapling" ignored warning on boot with LE certs?
Maxim Dounin
mdounin at mdounin.ru
Thu Feb 16 13:59:35 UTC 2023
Hello!

On Wed, Feb 15, 2023 at 12:25:09PM -0500, PGNet Dev wrote:
> i run
>
> nginx -v
> nginx version: nginx/1.23.3 (Local Build)
>
> nginx is launched on boot with a systemd service
>
> my site's ssl enabled, using letsencrypt certs
>
> in my boot logs, i see
>
> Feb 15 11:54:03 svr017 nginx[912]: nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "r3.o.lencr.org/" in the certificate "/sec/svr017/fullchain.ec.crt.pem"
[...]
> is this warning due to a nginx misconfig? or a cert issue?
The error message suggests there is something wrong with DNS on
your host.

If this happens only on boot but not when you restart/reload nginx
after boot, this might indicate that DNS is not yet properly
available when nginx starts. One possible reason is that nginx
systemd service is not properly configured to depend on DNS being
available: for nginx to start properly you may want to ensure that
there is Wants= and After= dependency on network-online.target,
and After= dependency on nss-lookup.target, see nginx.service as
shipped by nginx.org nginx packages[1] for an example.

[1] http://hg.nginx.org/pkg-oss/file/tip/debian/debian/nginx.service
--
Maxim Dounin
http://mdounin.ru/
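
One way to check a unit for the dependencies named in the reply above, as an added example that is not part of the original message or of the nginx.org packaging. The function names and both sample unit texts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list the dependencies named in the
# reply that a unit file, read on stdin, does not declare in [Unit].
# On a live host: systemctl cat nginx.service | check_unit_deps
check_unit_deps() {
    awk '
        /^[ \t]*[#;]/ { next }    # comment lines
        /^[ \t]*\[/   { section = $0; gsub(/[ \t]/, "", section); next }
        section == "[Unit]" && /^[ \t]*(Wants|After)[ \t]*=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val)
            # Dependency lists accumulate across lines and drop-ins.
            n = split(val, units, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (units[i] != "") seen[key "=" units[i]] = 1
        }
        END {
            n = split("Wants=network-online.target After=network-online.target After=nss-lookup.target", need, " ")
            for (i = 1; i <= n; i++)
                if (!(need[i] in seen)) { print need[i]; missing = 1 }
            exit missing + 0
        }
    '
}

# Constructed sample: a locally written unit ordered only after network.target.
sample_unit() {
    cat <<'EOF'
[Unit]
Description=nginx (constructed sample)
After=network.target remote-fs.target
[Service]
Type=forking
EOF
}

# Constructed drop-in that adds the dependencies the reply recommends.
sample_dropin() {
    cat <<'EOF'
[Unit]
Wants=network-online.target
After=network-online.target nss-lookup.target
EOF
}

sample_unit | check_unit_deps || echo "(the lines above are missing from the sample unit)"
{ sample_unit; sample_dropin; } | check_unit_deps && echo "sample unit plus drop-in: nothing missing"
```

The function exits non-zero when anything is missing, so it can gate a deployment check. A drop-in like the constructed one can be created with `systemctl edit nginx.service`.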