self-hosted nginx : allow DNS resolution for Let's Encrypt OCSP

  • /e/ version: n/a
  • Device model: n/a
  • Reproducible with the last /e/ version: n/a
  • Reproducible with LineageOS: n/a

Summary

In self-hosted, nginx OCSP cannot occur because of the lack of a DNS resolver.

This improvement concerns

  • UI
  • Behavior
  • Privacy

Description

nginx container logs showing "[warn] 6#6: no resolver defined to resolve ocsp.int-x3.letsencrypt.org while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org"

What is the improved behavior?

No warning, OCSP working.

As a POC, I added a /mnt/repo-base/config-dynamic/nginx/sites-enabled/resolver.conf file with simple content: resolver 127.0.0.11 ;

(127.0.0.11 is from nginx's resolv.conf file)

And, after restarting nginx, the log doesn't show warnings anymore, so we can guess it's working.

What does it bring?

I won't discuss OCSP benefits; see Wikipedia.

Examples

Validation
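
The absence of the warning can be confirmed directly by checking whether the server actually staples an OCSP response. The following is an added example, not part of the original issue or the project's code; the function names are hypothetical and the host is whatever the caller passes in.

```shell
#!/bin/sh
# Added example: verify OCSP stapling instead of inferring it from a quiet log.

# Read `openssl s_client -status` output on stdin and print one of:
#   stapled cert_status=<value> | not-stapled | unknown
classify_stapling() {
    awk '
        /OCSP Response Status: successful/ { ok = 1 }
        /OCSP response: no response sent/  { none = 1 }
        /Cert Status:/ { sub(/^.*Cert Status: */, ""); cert = $0 }
        END {
            if (ok)        printf "stapled cert_status=%s\n", (cert == "" ? "?" : cert)
            else if (none) print "not-stapled"
            else           print "unknown"
        }'
}

# Live check: ask the server for a stapled response and classify the answer.
# Usage: check_host <your-hostname>
check_host() {
    host=$1
    openssl s_client -connect "$host:443" -servername "$host" -status \
        </dev/null 2>/dev/null | classify_stapling
}

# Read nginx log text on stdin and list each OCSP responder host that nginx
# could not resolve (the warning quoted in the Description), once per host.
missing_resolver_hosts() {
    sed -n 's/.*no resolver defined to resolve \([^ ]*\) while requesting certificate status.*/\1/p' |
        sort -u
}
```

nginx fetches the OCSP response lazily, so the first handshake after a restart can still report `not-stapled`; run `check_host` a second time before drawing a conclusion.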