no resolver defined to resolve ocsp.int-x3.letsencrypt.org while requesting certificate status


There seems to be an error with the DNS resolver every now and then, when using nginx-proxy together with docker-letsencrypt-nginx-proxy-companion. Nginx will say this:

2019/03/21 15:48:15 [warn] 9#9: no resolver defined to resolve ocsp.int-x3.letsencrypt.org while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, certificate: "/etc/nginx/certs/*******.com.crt"

And the https node will stay offline (status 502). I deploy again, and then it goes fine.

Unfortunately this is not easily reproducible. It seems to happen randomly. Sometimes everything works as expected, and sometimes I need to deploy two or three times before this error disappears and the upstream node will become available.

I have initially reported this at https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion/issues/524

Today I received this from a different app on deploy:

2019/03/27 18:06:43 [warn] 8#8: no resolver defined to resolve ocsp.int-x3.letsencrypt.org while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, certificate: "/etc/nginx/certs/<VIRTUAL_HOST>.crt"
2019/03/27 18:06:46 [error] 8#8: *1 connect() failed (113: No route to host) while connecting to upstream, client: <SERVER_PUBLIC_IP>, server: <VIRTUAL_HOST>, request: "GET / HTTP/2.0", upstream: "<VIRTUAL_HOST_IP>", host: "<VIRTUAL_HOST>"

I am not sure the second message is always there.

Here is the abridged docker-compose.yml for the latter:

version: "3.5"

services:
    dashboard:
        image: redsandro/dashboard
        container_name: rs-dashboard
        depends_on:
            - nginx
            - nginx-gen
            - nginx-letsencrypt
        networks:
            - proxy
        environment:
            VIRTUAL_HOST: dashboard.example.com
            VIRTUAL_PORT: 8080
            LETSENCRYPT_HOST: dashboard.example.com
            LETSENCRYPT_EMAIL: email@example.com

    api:
        image: redsandro/api
        container_name: rs-api
        depends_on:
            - db
        networks:
            - proxy
        ports:
            - '25:25'
        environment:
            VIRTUAL_HOST: api.example.com
            VIRTUAL_PORT: 9080
            LETSENCRYPT_HOST: api.example.com
            LETSENCRYPT_EMAIL: email@example.com

    db:
        image: mongo:4.0
        container_name: rs-db
        restart: always

    nginx:
        image: nginx
        container_name: nginx
        restart: always
        networks:
            - proxy
        ports:
            - 80:80
            - 443:443
        volumes:
            - conf.d:/etc/nginx/conf.d
            - vhost.d:/etc/nginx/vhost.d
            - html:/usr/share/nginx/html
            - certs:/etc/nginx/certs
    nginx-gen:
        image: jwilder/docker-gen
        container_name: nginx-gen
        command: -notify-sighup nginx -watch -wait 5s:30s /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf
        restart: always
        networks:
            - proxy
        volumes:
            - conf.d:/etc/nginx/conf.d
            - vhost.d:/etc/nginx/vhost.d
            - html:/usr/share/nginx/html
            - certs:/etc/nginx/certs
            - ./nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl:ro
            - /var/run/docker.sock:/tmp/docker.sock:ro
    nginx-letsencrypt:
        image: jrcs/letsencrypt-nginx-proxy-companion
        container_name: nginx-letsencrypt
        restart: unless-stopped
        volumes:
            - conf.d:/etc/nginx/conf.d
            - vhost.d:/etc/nginx/vhost.d
            - html:/usr/share/nginx/html
            - certs:/etc/nginx/certs
            - /var/run/docker.sock:/var/run/docker.sock:ro
        environment:
            NGINX_DOCKER_GEN_CONTAINER: nginx-gen
            NGINX_PROXY_CONTAINER: nginx

networks:
    proxy:
        external:
            name: proxy

volumes:
    conf.d:
    vhost.d:
    html:
    certs:

Issue Analytics

  • State: open
  • Created 4 years ago
  • Comments: 10
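
An added example, not part of the original issue or of either project's code: nginx logs the warning quoted above when ssl_stapling is on for a server and no resolver directive is in scope, and this Python check flags such servers in a config file. The sample config, the function names and the 127.0.0.11 resolver address are assumptions made for illustration.

```python
import re

# Constructed sample (not the issue's generated default.conf): stapling is
# inherited from http{}, but only the second server has a resolver in scope.
SAMPLE_CONF = """
http {
    ssl_stapling on;
    server {
        server_name dashboard.example.com;
    }
    server {
        server_name api.example.com;
        resolver 127.0.0.11 valid=30s;  # assumed: Docker embedded DNS
    }
}
"""

def parse(conf):
    """Turn nginx config text into nested blocks (quoted strings not handled)."""
    root = {"name": "main", "directives": {}, "children": []}
    stack, words = [root], []
    for tok in re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", conf)):
        if tok == ";":
            if words:
                stack[-1]["directives"][words[0]] = words[1:]
            words = []
        elif tok == "{":
            block = {"name": words[0] if words else "", "directives": {}, "children": []}
            stack[-1]["children"].append(block)
            stack.append(block)
            words = []
        elif tok == "}":
            stack.pop()
        else:
            words.append(tok)
    return root

def stapling_without_resolver(conf):
    """Return server_names that enable ssl_stapling with no resolver in scope."""
    findings = []
    def walk(block, inherited):
        # Directives set in an outer block apply to inner blocks unless overridden.
        scope = {**inherited, **block["directives"]}
        if (block["name"] == "server" and scope.get("ssl_stapling") == ["on"]
                and "resolver" not in scope):
            findings.append(" ".join(scope.get("server_name", ["<unnamed>"])))
        for child in block["children"]:
            walk(child, scope)
    walk(parse(conf), {})
    return findings
```

Calling stapling_without_resolver() on the text of a generated conf.d/default.conf lists the virtual hosts that would trigger the warning.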

Top GitHub Comments

7 reactions
xjhandongqi commented, Jun 6, 2019

where are you from?

1 reaction
areaeuro commented, Sep 22, 2019

Hi @dm17

To answer your first questions, if you study @Redsandro's initial post, you will see in the docker file that he is “persisting” the nginx proxy config files, so they are visible to you on the docker host, outside of the container. As to how to set the environment variables, there is also an example in the initial post, under the nginx-letsencrypt section of the docker-compose file.

In terms of docker-compose down and docker-compose up not making any changes, this is the way it is supposed to work. To make docker-compose apply the changes you made in the docker-compose.yml file, use the --force-recreate option: docker-compose up --force-recreate. If it does not complain, take it down, then bring it back up in the background with the -d option.

I would recommend that you consult the docker-compose documentation if you are unclear on how all this works. https://docs.docker.com/compose/
