Does anyone have difficulty resolving DNS for R11.O.LENCR.ORG?

Hi, after a fresh Hestia 1.9.2 installation on Debian 12, I see errors like these in the logs, but as far as I can see DNS resolves normally. Perhaps someone can tell me where this setting and address (R11.O.lencr.org) come from; it is always only this one. Thank you
At the same time, a manual certificate is issued normally.

2025/02/10 11:15:06 [error] 149893#149893: r11.o.lencr.org could not be resolved (110: Operation timed out) while requesting certificate status, responder: r11.o.lencr.org, certificate: "/home/user/conf/web/quantumtransition.angellive.ru/ssl/quantumtransition.angellive.ru.pem"
2025/02/10 14:15:06 [error] 149893#149893: r11.o.lencr.org could not be resolved (110: Operation timed out) while requesting certificate status, responder: r11.o.lencr.org, certificate: "/home/user/conf/web/quantumtransition.angellive.ru/ssl/quantumtransition.angellive.ru.pem"
2025/02/10 15:37:59 [error] 149893#149893: r11.o.lencr.org could not be resolved (110: Operation timed out) while requesting certificate status, responder: r11.o.lencr.org, certificate: "/home/user/conf/web/quantumtransition.angellive.ru/ssl/quantumtransition.angellive.ru.pem"
2025/02/10 17:30:38 [error] 149893#149893: r11.o.lencr.org could not be resolved (110: Operation timed out) while requesting certificate status, responder: r11.o.lencr.org, certificate: "/home/user/conf/mail/angellive.ru/ssl/angellive.ru.pem"
2025/02/10 19:15:06 [error] 149893#149893: r11.o.lencr.org could not be resolved (110: Operation timed out) while requesting certificate status, responder: r11.o.lencr.org, certificate: "/home/user/conf/web/quantumtransition.angellive.ru/ssl/quantumtransition.angellive.ru.pem"
2025/02/10 20:54:30 [error] 149893#149893: r11.o.lencr.org could not be resolved (110: Operation timed out) while requesting certificate status, responder: r11.o.lencr.org, certificate: "/home/user/conf/web/opensource.angellive.ru/ssl/opensource.angellive.ru.pem"
traceroute r11.o.lencr.org
traceroute to r11.o.lencr.org (2.16.20.75), 30 hops max, 60 byte packets
 1  _gateway (100.100.1.1)  0.167 ms  0.171 ms  0.072 ms
 2  * * *
 3  10.255.254.5 (10.255.254.5)  0.382 ms  0.311 ms  0.324 ms
 4  10.255.200.36 (10.255.200.36)  10.576 ms  10.531 ms  10.557 ms
 5  * * *
 6  188.128.126.145 (188.128.126.145)  19.542 ms  18.140 ms  19.517 ms
 7  a2-16-20-75.deploy.static.akamaitechnologies.com (2.16.20.75)  25.118 ms  18.047 ms  18.031 ms
curl -I http://r11.o.lencr.org
HTTP/1.1 200 OK
Server: nginx
Content-Length: 0
Cache-Control: max-age=19050
Expires: Wed, 12 Feb 2025 00:04:57 GMT
Date: Tue, 11 Feb 2025 18:47:27 GMT
Connection: keep-alive
nslookup r11.o.lencr.org
Server:         223.5.5.5
Address:        223.5.5.5#53

Non-authoritative answer:
r11.o.lencr.org canonical name = o.lencr.edgesuite.net.
o.lencr.edgesuite.net   canonical name = a1887.dscq.akamai.net.
Name:   a1887.dscq.akamai.net
Address: 2.16.20.59
Name:   a1887.dscq.akamai.net
Address: 2.16.20.75
Name:   a1887.dscq.akamai.net
Address: 2a01:620:1:a0ac::210:143b
Name:   a1887.dscq.akamai.net
Address: 2a01:620:1:a0ac::210:144b

Hi @bestperson

I’ve no such issues.

Check which resolvers Nginx is using; some of them might be having issues resolving requests, or taking longer than the configured resolver_timeout.

grep -r resolver /etc/nginx/nginx.conf

Additionally, if you only use Let’s Encrypt certificates, you can start disabling OCSP in Nginx. Let’s Encrypt will stop supporting OCSP, so you can skip it.

To disable OCSP in Nginx, you’ll need to update the templates and change ssl_stapling on; to ssl_stapling off;.


Thank you.
I replaced the resolvers with OpenDNS. Should ssl_stapling_verify also be turned off, I think?

    ssl_stapling        off;
    ssl_stapling_verify on;

Then it seems worth changing the Hestia template, since users will run into this this year.

Then we need to change it everywhere …

What do you mean? In Hestia or in the world?)

Pasting broke the link… Try removing the + sign in the search box

In my nginx/nginx.conf on Debian 12 this is not present, and I did not change anything. For now I changed it only in the WP template. I suppose I don't have this, and if it is there then, apparently, if you can't change the repository, you will have to change it after each update.

# Server globals
user                 www-data;
worker_processes     auto;
worker_rlimit_nofile 65535;
error_log            /var/log/nginx/error.log;
pid                  /run/nginx.pid;
include              /etc/nginx/conf.d/main/*.conf;
include              /etc/nginx/modules-enabled/*.conf;

# Worker config
events {
	worker_connections 1024;
	use                epoll;
	multi_accept       on;
}

http {
	# Main settings
	sendfile                        on;
	tcp_nopush                      on;
	tcp_nodelay                     on;
	client_header_timeout           180s;
	client_body_timeout             180s;
	client_header_buffer_size       2k;
	client_body_buffer_size         256k;
	client_max_body_size            1024m;
	large_client_header_buffers     4 8k;
	send_timeout                    60s;
	keepalive_timeout               30s;
	keepalive_requests              1000;
	reset_timedout_connection       on;
	server_tokens                   off;
	server_name_in_redirect         off;
	server_names_hash_max_size      512;
	server_names_hash_bucket_size   512;
	charset                         utf-8;
	# FastCGI settings
	fastcgi_buffers                 512 4k;
	fastcgi_buffer_size             256k;
	fastcgi_busy_buffers_size       256k;
	fastcgi_temp_file_write_size    256k;
	fastcgi_connect_timeout         30s;
	fastcgi_read_timeout            300s;
	fastcgi_send_timeout            180s;
	fastcgi_cache_lock              on;
	fastcgi_cache_lock_timeout      5s;
	fastcgi_cache_background_update on;
	fastcgi_cache_revalidate        on;
	# Proxy settings
	proxy_redirect                  off;
	proxy_set_header                Host $host;
	proxy_set_header                Early-Data $rfc_early_data;
	proxy_set_header                X-Real-IP $remote_addr;
	proxy_set_header                X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_pass_header               Set-Cookie;
	proxy_buffers                   256 4k;
	proxy_buffer_size               32k;
	proxy_busy_buffers_size         32k;
	proxy_temp_file_write_size      256k;
	proxy_connect_timeout           30s;
	proxy_read_timeout              300s;
	proxy_send_timeout              180s;
	# Log format
	log_format                      main '$remote_addr - $remote_user [$time_local] $request "$status" $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
	log_format                      bytes '$body_bytes_sent';
	log_not_found                   off;
	access_log                      off;
	# Mime settings
	include                         /etc/nginx/mime.types;
	default_type                    application/octet-stream;
	# Compression
	gzip                            on;
	gzip_vary                       on;
	gzip_static                     on;
	gzip_comp_level                 6;
	gzip_min_length                 1024;
	gzip_buffers                    128 4k;
	gzip_http_version               1.1;
	gzip_types                      text/css text/javascript text/js text/plain text/richtext text/shtml text/x-component text/x-java-source text/x-markdown text/x-script text/xml image/bmp image/svg+xml image/vnd.microsoft.icon image/x-icon font/otf font/ttf font/x-woff multipart/bag multipart/mixed application/eot application/font application/font-sfnt application/font-woff application/javascript application/javascript-binast application/json application/ld+json application/manifest+json application/opentype application/otf application/rss+xml application/ttf application/truetype application/vnd.api+json application/vnd.ms-fontobject application/wasm application/xhtml+xml application/xml application/xml+rss application/x-httpd-cgi application/x-javascript application/x-opentype application/x-otf application/x-perl application/x-protobuf application/x-ttf;
	gzip_proxied                    any;
	# Cloudflare IPs
	include                         /etc/nginx/conf.d/cloudflare.inc;
	# SSL PCI compliance
	ssl_buffer_size                 1369;
	ssl_ciphers                     "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256";
	ssl_dhparam                     /etc/ssl/dhparam.pem;
	ssl_early_data                  on;
	ssl_ecdh_curve                  auto;
	ssl_prefer_server_ciphers       on;
	ssl_protocols                   TLSv1.3;
	ssl_session_cache               shared:SSL:20m;
	ssl_session_tickets             on;
	ssl_session_timeout             7d;
	resolver                        208.67.222.222 223.5.5.5 212.109.195.93 valid=300s ipv6=off;
	resolver_timeout                5s;
	# Error pages
	error_page                      403 /error/404.html;
	error_page                      404 /error/404.html;
	error_page                      410 /error/410.html;
	error_page                      500 501 502 503 504 505 /error/50x.html;
	# Proxy cache
	proxy_cache_path                /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=1024m;
	proxy_cache_key                 "$scheme$request_method$host$request_uri";
	proxy_temp_path                 /var/cache/nginx/temp;
	proxy_ignore_headers            Cache-Control Expires;
	proxy_cache_use_stale           error timeout invalid_header updating http_502;
	proxy_cache_valid               any 1d;
	# FastCGI cache
	fastcgi_cache_path              /var/cache/nginx/micro levels=1:2 keys_zone=microcache:10m inactive=30m max_size=1024m;
	fastcgi_cache_key               "$scheme$request_method$host$request_uri";
	fastcgi_ignore_headers          Cache-Control Expires Set-Cookie;
	fastcgi_cache_use_stale         error timeout invalid_header updating http_500 http_503;
	add_header                      X-FastCGI-Cache $upstream_cache_status;

	# Cache bypass
	map $http_cookie $no_cache {
		default              0;
		~SESS                1;
		~wordpress_logged_in 1;
	}

	# File cache (static assets)
	open_file_cache                 max=10000 inactive=30s;
	open_file_cache_valid           60s;
	open_file_cache_min_uses        2;
	open_file_cache_errors          off;
	# Wildcard include
	include                         /etc/nginx/conf.d/*.conf;
	include                         /etc/nginx/conf.d/domains/*.conf;
}

Although, as I can see, it is in the Hestia repository (hestiacp/src/deb/nginx/nginx.conf at main · hestiacp/hestiacp · GitHub).
Perhaps I get the errors because these directives are not in the main file.

You can change it, but if ssl_stapling is off, Nginx won’t use or verify it.

Not really. If users are using any other CA that relies on OCSP, they may want to continue using it. However, it doesn’t matter that Let’s Encrypt will end support for OCSP, they simply won’t add the extension to the certificates. As a result, Nginx will silently ignore the verification, even if ssl_stapling is turned on.

Additionally, if some users obtain certificates with the must-staple extension, disabling stapling would make their sites unreachable.

That said, I wouldn’t modify ssl_stapling; it’s fine to leave it enabled.


So maybe the error is still due to the fact that my main nginx file does not have these directives, and they should be added there?

No, the error is because Nginx has OCSP active (ssl_stapling), your certificates have the OCSP extension, so Nginx tries to get the OCSP response using the DNS servers set in the resolver directive, and for some reason those resolvers couldn't resolve the r11.o.letsencrypt.org domain (the OCSP domain used in your certificates).

So, in your case, if you don't want to see those errors, you can turn off ssl_stapling for your domains. You don't need to add the directive to the global nginx.conf because it will be overridden by your web domains' conf.

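To tie the two halves of the diagnosis together (the resolver check suggested earlier in the thread, and the per-server ssl_stapling override described in this reply), here is an added Python example. It is not code from the thread, from Hestia or from nginx: it parses the nginx error-log pattern shown above and a small nginx.conf, reports which resolvers nginx would use for the OCSP responder lookup (the resolver directive, not /etc/resolv.conf), computes the effective ssl_stapling setting per server block (server-level wins over http-level, default off), and lists which server blocks are still stapling for a certificate whose responder failed to resolve. The log lines, host names, paths and the config are constructed for the example.

```python
"""Triage nginx OCSP-stapling resolver errors against the nginx configuration."""
import re
from collections import defaultdict

# Constructed sample log lines modelled on the thread's messages (names/paths made up).
SAMPLE_ERROR_LOG = """\
2025/02/10 11:15:06 [error] 149893#149893: r11.o.lencr.org could not be resolved (110: Operation timed out) while requesting certificate status, responder: r11.o.lencr.org, certificate: "/home/user/conf/web/example.test/ssl/example.test.pem"
2025/02/10 14:15:06 [error] 149893#149893: r11.o.lencr.org could not be resolved (110: Operation timed out) while requesting certificate status, responder: r11.o.lencr.org, certificate: "/home/user/conf/web/example.test/ssl/example.test.pem"
2025/02/10 17:30:38 [error] 149893#149893: ocsp.example.test could not be resolved (110: Operation timed out) while requesting certificate status, responder: ocsp.example.test, certificate: "/home/user/conf/mail/example.test/ssl/example.test.pem"
2025/02/10 18:01:00 [error] 149893#149893: *12 open() "/home/user/web/example.test/public_html/favicon.ico" failed (2: No such file or directory)
"""

# Constructed minimal config in the Hestia layout: global settings in http{},
# per-domain server{} blocks (normally pulled in via include).
SAMPLE_CONFIG = """
http {
    resolver         208.67.222.222 223.5.5.5 valid=300s ipv6=off;  # used for OCSP lookups
    resolver_timeout 5s;
    ssl_stapling     on;   # http-level default, inherited by servers that do not set it

    server {
        listen 443 ssl;
        server_name example.test;
        ssl_certificate /home/user/conf/web/example.test/ssl/example.test.pem;
        ssl_stapling_verify on;
    }
    server {
        listen 443 ssl;
        server_name other.test;
        ssl_certificate /home/user/conf/web/other.test/ssl/other.test.pem;
        ssl_stapling off;      # server-level off overrides the http-level on
    }
}
"""

# nginx's stapling error shape: "<msg> while requesting certificate status, responder: X, certificate: "Y""
STAPLING_RE = re.compile(
    r'^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[(?P<level>\w+)\] \d+#\d+: '
    r'(?P<msg>.*?) while requesting certificate status, '
    r'responder: (?P<responder>[^,]+), certificate: "(?P<cert>[^"]+)"$'
)


def parse_stapling_errors(log_text):
    """Return one dict per OCSP-stapling error line; unrelated lines are skipped."""
    return [m.groupdict() for m in map(STAPLING_RE.match, log_text.splitlines()) if m]


def parse_directives(config_text):
    """Tiny nginx directive scanner: [(context, name, args)], context = ('http#0', 'server#1', ...)."""
    text = re.sub(r'#[^\n]*', '', config_text)  # drop comments
    tokens = re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+', text)
    stack, args, out, n = [], [], [], 0
    for tok in tokens:
        if tok == '{':
            stack.append(f"{args[0]}#{n}"); n += 1; args = []
        elif tok == '}':
            stack.pop(); args = []
        elif tok == ';':
            out.append((tuple(stack), args[0], [a.strip('"\'') for a in args[1:]])); args = []
        else:
            args.append(tok)
    return out


def resolvers(config_text):
    """Nameservers nginx will query for the OCSP responder (resolver directive, flags excluded)."""
    for _ctx, name, args in parse_directives(config_text):
        if name == 'resolver':
            return [a for a in args if '=' not in a]
    return []


def effective_stapling(config_text):
    """server_name -> (ssl_certificate, effective ssl_stapling). Server-level beats http-level; built-in default is off."""
    directives = parse_directives(config_text)
    http_level = 'off'
    for ctx, name, args in directives:
        if len(ctx) == 1 and ctx[0].startswith('http#') and name == 'ssl_stapling':
            http_level = args[0]
    servers = defaultdict(dict)
    for ctx, name, args in directives:
        if len(ctx) == 2 and ctx[1].startswith('server#') and name in ('server_name', 'ssl_certificate', 'ssl_stapling'):
            servers[ctx[1]][name] = args[0]
    return {s['server_name']: (s.get('ssl_certificate'), s.get('ssl_stapling', http_level))
            for s in servers.values() if 'server_name' in s}


def triage(log_text, config_text):
    """Match failing certificates from the log to server blocks; list certificates with no server block."""
    by_cert = defaultdict(set)
    for ev in parse_stapling_errors(log_text):
        by_cert[ev['cert']].add(ev['responder'])
    servers, matched = {}, set()
    for server_name, (cert, stapling) in effective_stapling(config_text).items():
        if cert in by_cert:
            matched.add(cert)
            servers[server_name] = {'responders': sorted(by_cert[cert]), 'ssl_stapling': stapling,
                                    'action': 'fix the resolvers or set ssl_stapling off in this server block'
                                    if stapling == 'on' else 'stapling already off; entries predate the change'}
    return {'resolvers': resolvers(config_text), 'servers': servers,
            'unmatched_certs': sorted(set(by_cert) - matched)}


if __name__ == '__main__':
    import json
    print(json.dumps(triage(SAMPLE_ERROR_LOG, SAMPLE_CONFIG), indent=2))
```

A certificate that shows up in unmatched_certs belongs to a config tree this nginx.conf does not include (the mail vhost here), which is the same situation as the Hestia-internal nginx later in the thread: the fix has to be applied in whichever config actually serves that certificate.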

Hello, today I see this error again; maybe this is some kind of reverse request? :) As you can see, now the request does not refer to any domain.
/var/log/hestia

2025/02/15 23:21:11 [error] 807#0: r11.o.lencr.org could not be resolved (110: Operation timed out) while requesting certificate status, responder: r11.o.lencr.org, certificate: "/usr/local/hestia/ssl/certificate.crt"

If you see that error in /var/log/hestia/, it is because you didn't disable ssl_stapling in the nginx used by Hestia (/usr/local/hestia/nginx/conf/nginx.conf). Once modified, restart it: systemctl restart hestia


Thank you very much!
