Nginx, OCSP stapling, booting, systemd and Debian 9

Noticed these lines in journalctl when nginx didn’t start after a reboot:

Dec 10 17:43:30 mail1 nginx[3485]: nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org" in the certificate "/etc/letsencrypt/live/www.example.com/fullchain.pem"
Dec 10 17:43:30 mail1 nginx[3485]: nginx: [emerg] bind() to [<IPv6 address>]:80 failed (99: Cannot assign requested address)
Dec 10 17:43:30 mail1 nginx[3485]: nginx: configuration file /etc/nginx/nginx.conf test failed
Dec 10 17:43:30 mail1 systemd[1]: nginx.service: Control process exited, code=exited status=1
Dec 10 17:43:30 mail1 systemd[1]: nginx.service: Unit entered failed state.
Dec 10 17:43:30 mail1 systemd[1]: nginx.service: Failed with result 'exit-code'.
Dec 10 17:52:35 mail1 systemd[1]: nginx.service: Failed to read PID from file /run/nginx.pid: Invalid argument

Hmmm…

I had the IPv6 failing to bind issue with Debian 8 (Jessie), so I tried the fix I outlined here. It didn’t work. Back to the drawing board. A bit of research and I determined that my DNS server, unbound, wasn’t starting before nginx, so I made the following modifications to nginx.service using override.conf.

I issued this command:

systemctl edit nginx

This creates the file, override.conf, in /etc/systemd/system/nginx.service.d/.

I added to the file:

[Unit]
# nginx issues OCSP stapling error on boot if unbound hasn't started yet.
After=network.target unbound.service

In my research, I ran across the Ubuntu bug report for the “Failed to read PID” bug, so I added that as well.

# takes care of "Failed to read PID" bug
# see https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1581864
[Service]
ExecStartPost=/bin/sleep 0.1

The entire override.conf file now contains:

[Unit]
# nginx issues OCSP stapling error on boot if unbound hasn't started yet.
After=network.target unbound.service

# takes care of no pid bug
# see https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1581864
[Service]
ExecStartPost=/bin/sleep 0.1

Now, Nginx starts cleanly on a reboot, restart, etc.

Dec 10 18:37:15 mail1 systemd[1]: Starting A high performance web server and a reverse proxy server...
Dec 10 18:37:16 mail1 systemd[1]: Started A high performance web server and a reverse proxy server.
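
The "ssl_stapling" ignored message is only a [warn], so nginx can come up with stapling switched off for that certificate. The script below is an added example, not part of the original post: it checks a boot's journal for that warning and confirms the drop-in really orders nginx after unbound. The function names are hypothetical, and the sample journal text is two lines copied from the log above.

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.

# Read journal text on stdin and print the certificate path from every line
# where nginx dropped OCSP stapling because the responder did not resolve.
stapling_ignored_certs() {
    sed -n 's/.*\[warn\] "ssl_stapling" ignored, host not found in OCSP responder "[^"]*" in the certificate "\([^"]*\)".*/\1/p'
}

# Succeed only if drop-in file $1 lists unit $2 on an After= line that sits
# inside the [Unit] section (an After= under [Service] has no effect).
ordered_after() {
    awk -v want="$2" '
        /^\[/ { in_unit = ($0 == "[Unit]"); next }
        in_unit && /^After=/ {
            sub(/^After=/, "")
            n = split($0, units, /[ \t]+/)
            for (i = 1; i <= n; i++) if (units[i] == want) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Sample input: two lines taken from the failed boot shown above.
SAMPLE_JOURNAL='Dec 10 17:43:30 mail1 nginx[3485]: nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org" in the certificate "/etc/letsencrypt/live/www.example.com/fullchain.pem"
Dec 10 17:43:30 mail1 systemd[1]: nginx.service: Unit entered failed state.'

# Prints the affected certificate path, one per line.
printf '%s\n' "$SAMPLE_JOURNAL" | stapling_ignored_certs
```

On a live host, feed it `journalctl -b -u nginx` and point `ordered_after` at /etc/systemd/system/nginx.service.d/override.conf. Note that After= only sets start order; it does not pull unbound in if that unit is not enabled.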