OPNsense Forum

Archive => 23.7 Legacy Series => Topic started by: seed on November 02, 2023, 07:59:55 PM

Title: NGINX no resolver defined
Post by: seed on November 02, 2023, 07:59:55 PM
Nginx is missing a resolver in the OPNsense config. This causes the error below:

Quote
no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/usr/local/etc/nginx/key/my.certificate.domain.pem"

To resolve this issue, one should be able to configure a DNS server in the nginx config.
Title: Re: NGINX no resolver defined
Post by: bimbar on November 03, 2023, 10:13:30 AM
DNS servers are configured globally somewhere in system settings.

As far as I know, it's not even possible to configure a DNS resolver in nginx itself.
Title: Re: NGINX no resolver defined
Post by: cookiemonster on November 03, 2023, 11:44:18 AM
One can be added in some nginx contexts but that's not in the UI as far as I can see so it would need a custom include I imagine.
That said, bimbar is right, and unless you have a very specific requirement to go down that route, then the name resolution should be the global one. The question is why is your nginx installation not using it.  Are you using the plugin?
Title: Re: NGINX no resolver defined
Post by: netnut on November 03, 2023, 07:29:33 PM
Quote from: bimbar on November 03, 2023, 10:13:30 AM
DNS servers are configured globally somewhere in system settings.

But aren't useful for Nginx proxy setups with split DNS or required for OCSP stapling, which is what the OP is probably doing.

Quote
As far as I know, it's not even possible to configure a DNS resolver in nginx itself.

https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver

Title: Re: NGINX no resolver defined
Post by: seed on November 07, 2023, 08:16:16 PM
Before writing this thread, of course I checked the NGINX plugin config for a resolver (also the /conf/config.xml).
Nginx doesn't use the global resolver.
The logfile I posted was from the nginx logfile.

Configuring a resolver should be a part of the plugin config.
Title: Re: NGINX no resolver defined
Post by: Fright on November 17, 2023, 10:48:34 AM
technically this is not an error but a warning.
and in most cases, stapling will work without the resolver directive.
However, if you are ready to check the patch:
https://github.com/kulikov-a/plugins/commit/4c5634ad174dda9ded6af480d30d04b2ccecae14
opnsense-patch -c plugins -a kulikov-a 4c5634a
and it turns out to be working, I'll try to add it to the next pr  ;)
Title: Re: NGINX no resolver defined
Post by: seed on November 17, 2023, 05:34:29 PM
Thank you for the patch.

If I configure "::1" as a resolver I get this error:
Quote
Please provide a valid resolver address, i.e. 8.8.8.8, [2001:4860:4860::8888], 8.8.8.8:5353.

If I don't configure any resolver I still get:
Quote
no resolver defined to resolve r3.o.lencr.org while requesting certificate status

Once a resolver has been configured in nginx the warning doesn't appear again.
Title: Re: NGINX no resolver defined
Post by: Fright on November 17, 2023, 05:46:09 PM
Quote
If I configure "::1" as a resolver I get this error

yep, as the validation message indicates, the model expects brackets for ipv6

Quote
Once a resolver has been configured in nginx the warning doesn't appear again

sorry, so the patch works as expected or are you adding 'resolver' manually?
Title: Re: NGINX no resolver defined
Post by: seed on November 18, 2023, 10:26:11 AM
I quickly tested it yesterday. I might be mistaken but "Uses system resolver by default." didn't work for me. Once I configured a DNS server for the http-server the warning didn't appear again.

In my opinion you can add the PR.
Title: Re: NGINX no resolver defined
Post by: Fright on November 18, 2023, 08:55:12 PM
Quote
I might be mistaken but "Uses system resolver by default." didn't work for me

yes, nginx produces a warning message in the log if no 'resolver' is defined but it will try to use the system resolver in this case (works fine on my tests).
but, of course, it is easy to imagine situations where a directive is desirable or necessary

Quote
you can add the PR

for the ref. https://github.com/opnsense/plugins/pull/3678
Title: Re: NGINX no resolver defined
Post by: starkstromkonsument on August 02, 2024, 09:02:30 AM
Hi, in OPNsense 24.7_9 I have set the resolver to 127.0.0.1 [::1] in the GUI. The warning
Quote
... no resolver defined to resolve r10.o.lencr.org while requesting certificate status, responder: r10.o.lencr.org, certificate: "/usr/local/etc/nginx/key/[...].pem"
still spams my nginx log though.

When using Interfaces -> Diagnostics -> DNS Lookup the domain r10.o.lencr.org is resolved correctly.

Do you have any suggestions for further troubleshooting?
Title: Re: NGINX no resolver defined
Post by: Fright on August 02, 2024, 06:21:36 PM
Hi!
sorry, have you assigned this resolver to the server with this LE cert?
Title: Re: NGINX no resolver defined
Post by: starkstromkonsument on August 02, 2024, 10:50:00 PM
Hi, no. Thanks for the hint, that did the trick. I didn't see this setting, because it is hidden by default (advanced settings). May I ask, what the use case for setting this on a per server basis is? I really wish there would be a "multi edit" action for servers, locations etc.

Maybe it would be a good idea to set the resolver to "127.0.0.1, [::1]" for a HTTP Server if "None" is selected to mitigate the unnecessary warnings in the log.
Title: Re: NGINX no resolver defined
Post by: Fright on August 03, 2024, 02:34:28 PM
Hi
the specified resolver can be used not only by ssl_stapling, so I wanted to leave the possibility of more fine-tuning than specifying it at the global level. (there is a http_post/*.conf hook at the global level. Advanced users can define a global parameter with it).

Quote
Maybe it would be a good idea to set the resolver to "127.0.0.1, [::1]" for a HTTP Server if "None" is selected to mitigate the unnecessary warnings in the log.

my logic is - if the message bothers, the user can configure the resolver. if not - user can always filter the logs and not show messages below the error level. I don't think it's the best idea to substitute the resolver value without the user's knowledge  ;)
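
Added example, not part of the thread or of the OPNsense plugin: a small audit that lists the server blocks where the warning discussed above can occur, i.e. `ssl_stapling on` with no `resolver` at the server or enclosing http level. It assumes a single config text with includes already inlined; the sample config and the function names are constructed for illustration.

```python
import re

# Constructed sample (not from the thread): only b.example sets a resolver.
SAMPLE = """
http {
    server { server_name a.example; ssl_stapling on; }
    server { server_name b.example; ssl_stapling on; resolver 127.0.0.1 [::1]; }
    server { server_name c.example; }
}
"""

def tokenize(text):
    text = re.sub(r"#[^\n]*", "", text)  # drop comments (simplification)
    return re.findall(r'''"[^"]*"|'[^']*'|[{};]|[^\s{};]+''', text)

def parse(text):
    """Build a tree of blocks; each block keeps its own simple directives."""
    root = {"name": "main", "dirs": {}, "kids": []}
    stack, words = [root], []
    for tok in tokenize(text):
        if tok == ";":
            if words:
                stack[-1]["dirs"][words[0]] = words[1:]
        elif tok == "{":
            block = {"name": words[0] if words else "", "dirs": {}, "kids": []}
            stack[-1]["kids"].append(block)
            stack.append(block)
        elif tok == "}":
            if len(stack) > 1:  # tolerate a stray closing brace
                stack.pop()
        else:
            words.append(tok)
            continue
        words = []
    return root

def stapling_without_resolver(text):
    """Names of server blocks with ssl_stapling on and no resolver in scope."""
    findings = []
    def walk(block, resolver, stapling):
        # Both directives are inherited from the enclosing level unless overridden.
        resolver = block["dirs"].get("resolver", resolver)
        stapling = block["dirs"].get("ssl_stapling", stapling)
        if block["name"] == "server" and stapling == ["on"] and not resolver:
            findings.append(" ".join(block["dirs"].get("server_name", ["(unnamed)"])))
        for kid in block["kids"]:
            walk(kid, resolver, stapling)
    walk(parse(text), None, None)
    return findings

if __name__ == "__main__":
    print(stapling_without_resolver(SAMPLE))
```

A resolver set only inside a `location` block is deliberately not counted, since the check is made at the server level where stapling is configured.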