Articles in this section

Unable to start nginx service on a Plesk server: nginx.service: start operation timed out. Terminating.

Kuzma Ivanov
Updated
Plesk for Linux kb: technical

Applicable to:

  • Plesk for Linux

Symptoms

  • nginx service fails to start with the following error messages:

    CONFIG_TEXT: systemd[1]: nginx.service start-pre operation timed out. Terminating.
    systemd[1]: Failed to start Startup script for nginx service.
    systemd[1]: Unit nginx.service entered failed state.
    systemd[1]: nginx.service failed.

    CONFIG_TEXT: systemd[1]: nginx.service: start operation timed out. Terminating.
    systemd[1]: nginx.service: Failed with result 'timeout'.
    systemd[1]: Failed to start Startup script for nginx service.
    nginx[14602]: nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "r3.o.lencr.org" in the certificate "/usr/local/psa/var/certificates/scfp55dcd" 

  • nginx service may be in activating state:

    # service nginx status | grep Active
    Active: activating (start-pre) since Mon 2025-01-01 10:00:00 +08; 35s ago

  • nginx configuration check shows warnings about unreachable OCSP responder:

    [warn] 25236#0: "ssl_stapling" ignored, host not found in OCSP responder "r3.o.lencr.org" in the certificate "/usr/local/psa/var/certificates/scfTdclNf"

  • External hosts, like Google, are accessible from the server (200 response):

    # curl -I https://www.google.com
    HTTP/2 200
    ...

Cause

The DNS resolver, defined i system configuration, fails to resolve r.o.lencr.org (Let's Encrypt OCSP responder).

Resolution

Apply one of the solutions below:

 

Solution I: Change DNS resolver in the system

  1. Connect to your Plesk server via SSH.

  2. Open the file /etc/resolv.conf in a text editor. In this example, we are using the vi editor:

    # vi /etc/resolv.conf

  3. Comment out the invalid resolver by placing a # (hash) character at the beginning of the line:

    CONFIG_TEXT: #nameserver 203.0.113.2

  4. Add a different DNS resolver, for example Cloudflare DNS:

    CONFIG_TEXT: nameserver 1.1.1.1

  5. Save the change and close the file.

    Note: /etc/resolv.conf can be overwritten on Ubuntu 18.04 and higher by netplan and systemd-resolved.services. To learn more, see this KB article.

  6. Restart nginx service:

    # systemctl restart nginx

    Note: If the above solution does not help, contact your service provider in order to check the network setup.

 

Solution II: Disable OSCP check

  1. Connect to your Plesk server via SSH.

  2. Disable OCSP check for all domains:

    # for file in $(grep -iRl 'ssl_stapling' /var/www/vhosts/system/*/conf/*.conf); do sed -i '/ssl_stapling/ s/^/#/' "$file"; done

    Note: The long execution of the OCSP queries is likely a temporary issue. The OCSP support can be enabled anew with the following command:

    # for file in $(grep -iRl 'ssl_stapling' /var/www/vhosts/system/*/conf/*.conf); do sed -i 's/^# *ssl_stapling/ ssl_stapling/' "$file"; done

 

 

Was this article helpful?

Comments

0 comments

Please sign in to leave a comment.