
OCSP Stapling Issues - "ocsp.int-x3.letsencrypt.org could not be resolved"

Open isaac-mason opened this issue 5 years ago • 3 comments

Using the latest version of this image, it appears there are issues with OCSP stapling.

Using this proxy, the following error message is shown on Firefox: Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING

The docker logs show this error message shortly after generating the certificates: [error] 376#376: ocsp.int-x3.letsencrypt.org could not be resolved (110: Operation timed out) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, certificate: "/etc/nginx/certs/<...>.crt"

This is how I am using the proxy image in a docker-compose configuration:

version: '3.7'

x-logging:
  &default-logging
  options:
    max-size: '20mb'
    max-file: '5'
  driver: json-file

networks:
  default:

services:
  main:
    image: neilpang/letsproxy:latest
    container_name: proxy
    restart: on-failure
    ports:
    - 443:443
    - 80:80
    volumes:
    - /var/run/docker.sock:/tmp/docker.sock:ro
    - /data/proxy/certs:/etc/nginx/certs
    - /data/proxy/acme:/acmecerts
    depends_on:
      - web
    networks:
      - default
    logging: *default-logging
  web:
    image: <...>
    container_name: web
    restart: on-failure
    environment:
      VIRTUAL_HOST: example.com
      ENABLE_ACME: 'true'
    networks:
      - default
    logging: *default-logging

It would be great to get a response on whether this is a usage issue, or a problem with this docker image.

isaac-mason avatar Sep 30 '20 07:09 isaac-mason
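The Firefox error code above means the certificate requires a stapled OCSP response and the server sent none, and the nginx log line shows why: the OCSP responder hostname could not be resolved from inside the container. The following triage script is an added example, not part of the original issue or of letsproxy; the function names and the sample timestamps are assumptions made for illustration.

```shell
#!/bin/sh
# Added triage helpers, not part of letsproxy. Sample data is constructed
# (timestamps invented; the log message is the one quoted in the issue).

# stdin: nginx error log. Prints "<responder> <reason>" once per distinct
# failure to resolve an OCSP responder hostname.
ocsp_resolve_failures() {
  sed -n 's/.*: \([^ ]*\) could not be resolved (\([^)]*\)) while requesting certificate status.*/\1 \2/p' | sort -u
}

# stdin: output of `openssl s_client -status`. Prints the stapling state.
stapling_state() {
  out=$(cat)
  case "$out" in
    *'OCSP response: no response sent'*) echo not-stapled ;;
    *'OCSP Response Status: successful'*'Cert Status: good'*) echo stapled-good ;;
    *'OCSP Response Status:'*) echo stapled-not-good ;;
    *) echo unknown ;;
  esac
}

# $1 = nginx log text, $2 = s_client output text. Prints a one-line verdict.
triage() {
  state=$(printf '%s\n' "$2" | stapling_state)
  hosts=$(printf '%s\n' "$1" | ocsp_resolve_failures | cut -d' ' -f1 | sort -u | tr '\n' ' ')
  if [ "$state" = not-stapled ] && [ -n "$hosts" ]; then
    echo "no staple; nginx cannot resolve: ${hosts% }"
  else
    echo "stapling: $state"
  fi
}

SAMPLE_LOG='2020/09/30 07:09:12 [error] 376#376: ocsp.int-x3.letsencrypt.org could not be resolved (110: Operation timed out) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, certificate: "/etc/nginx/certs/<...>.crt"
2020/09/30 07:14:12 [error] 376#376: ocsp.int-x3.letsencrypt.org could not be resolved (110: Operation timed out) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, certificate: "/etc/nginx/certs/<...>.crt"
2020/09/30 07:15:00 [notice] 1#1: signal process started'
SAMPLE_NO_STAPLE='CONNECTED(00000003)
OCSP response: no response sent
---'
SAMPLE_STAPLED='OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good'

triage "$SAMPLE_LOG" "$SAMPLE_NO_STAPLE"
# Live use (container name and host taken from the compose file above):
#   triage "$(docker logs proxy 2>&1)" \
#     "$(openssl s_client -connect example.com:443 -servername example.com -status </dev/null 2>/dev/null)"
```

nginx resolves the responder hostname through the resolver named in its `resolver` directive, so a "could not be resolved" verdict points at that resolver's reachability from the container.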

check the firewall?

SHctt avatar Aug 04 '22 04:08 SHctt

I think the work-around for this was to use a different reverse proxy, for example jwilder/nginx-proxy

JonathanHolvey avatar Aug 31 '22 01:08 JonathanHolvey

Yep, in the end I used jwilder/nginx-proxy, plus nginx-proxy/acme-companion to generate certs.

isaac-mason avatar Oct 01 '22 19:10 isaac-mason