My server has been physically moved to a new rack with a new IP address, and now I'm getting OCSP errors? Could it be an IPv6 thing maybe?

Codemonkey

9/13/23, 7:22 AM

I'm pretty sure SSL certificates are almost always tied to a domain name rather than an IP address. And the vast majority of my traffic is unaffected, generally things are working well.

However, my php error log is now full of a lot of this (getting a few per hour):

2022/05/13 00:35:58 [error] 79815#79815:
    connect() to [2606:4700:4400::ac40:9bbc]:80 failed
    (101: Network is unreachable)
    while requesting certificate status,
    responder: ocsp.sectigo.com,
    peer: [2606:4700:4400::ac40:9bbc]:80, certificate: 
    "/etc/nginx/ssl/mysite_com/ssl-bundle.crt"

I'm wondering if it means I haven't correctly configured ipv6, but frankly I have no idea how to even test if that's the case, or to go about doing that...

...additionally, if that is the issue why am I only getting a couple of these per hour, when my pageviews number in the 10s-100s per minute?

I'm running Centos 8 Stream.

0 + 0

ipv6

ssl-certificate

ocsp

ssl-certificate-errors

Rob

9/13/23, 9:58 AM

I would expect to see OSCP related events only intermittently because for [OCSP stapling](https://en.wikipedia.org/wiki/OCSP_stapling) your server queries the OCSP server at regular intervals, not for every request made to your website. As to why it fails, IPv6 connectivity may be one issue

Codemonkey

9/13/23, 1:15 PM

What's easier - disabling ipv6, or making it work? And can you guide me in either...?

Codemonkey

9/13/23, 1:32 PM

I may have fixed it, maybe. I was specifying 1c55:3f2:243:47c0::/64 where I meant 1c55:3f2:243:47c0::2/64 (with a 2 before the /64) [that's an otherwise-fictional address for the purpose of this post, of course]

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: My server has been physically moved to a new rack with a new IP address, and now I'm getting OCSP errors? Could it be an IPv6 thing maybe?

TH: เซิร์ฟเวอร์ของฉันถูกย้ายไปยังชั้นวางใหม่ด้วยที่อยู่ IP ใหม่ และตอนนี้ฉันได้รับข้อผิดพลาด OCSP หรือไม่ อาจเป็นสิ่งที่ IPv6 ได้หรือไม่

RO: Serverul meu a fost mutat fizic într-un rack nou cu o nouă adresă IP și acum primesc erori OCSP? Poate fi vorba despre IPv6?

RU: Мой сервер был физически перемещен в новую стойку с новым IP-адресом, и теперь я получаю ошибки OCSP? Может дело в IPv6?

VI: Máy chủ của tôi đã được chuyển sang một giá đỡ mới với địa chỉ IP mới và hiện tại tôi đang gặp lỗi OCSP? Nó có thể là một thứ IPv6 không?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.