301 from r3.o.lencr.org when creating OCSP

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
www.wejdmark.com

I ran this command:
openssl ocsp -issuer /tmp/haproxy/ssl/5e28456dd9311.issuer -cert /tmp/haproxy/ssl/5e28456dd9311.pem -url http://r3.o.lencr.org/ -header Host=r3.o.lencr.org -respout /tmp/haproxy/ssl/5e28456dd9311.pem.ocsp -verify_other /tmp/haproxy/ssl/5e28456dd9311.issuer

It produced this output:
Error querying OCSP responder
1905515417600:error:27076072:OCSP routines:parse_http_line1:server response error:/usr/src/crypto/openssl/crypto/ocsp/ocsp_ht.c:260:Code=301,Reason=Moved Permanently

My web server is (include version):
HA-Proxy version 2.2.18-c6e1dfa (does SSL termination)

The operating system my web server runs on is (include version):
FreeBSD 12.1-RELEASE-p21-HBSD FreeBSD 12.1-RELEASE-p21-HBSD

My hosting provider, if applicable, is:
Me, myself and I :slight_smile:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
acme.sh v3.0.1 on OpnSense

Hi @sepahewe and welcome to the LE community forum :slight_smile:

Please show the output of:
curl -Ii http://r3.o.lencr.org/

I like that team!
[I use them all the time]

4 Likes
curl -Ii http://r3.o.lencr.org/
HTTP/1.1 301 Moved Permanently
Location: https://r3.o.lencr.org/
Date: Thu, 16 Dec 2021 10:42:31 GMT
Server: OPNsense

I get:

curl -Ii http://r3.o.lencr.org/
HTTP/1.1 200 OK
Server: nginx
Content-Length: 0
Cache-Control: max-age=12498
Expires: Thu, 16 Dec 2021 14:07:49 GMT
Date: Thu, 16 Dec 2021 10:39:31 GMT
Connection: keep-alive

Please show:
nslookup r3.o.lencr.org

I get:

r3.o.lencr.org  canonical name = o.lencr.edgesuite.net.
o.lencr.edgesuite.net   canonical name = a1887.dscq.akamai.net.
Name:    a1887.dscq.akamai.net
Address: 23.39.45.186
Address: 23.39.45.195
Address: 2600:1408:4800::cced:8e82
Address: 2600:1408:4800::cced:8e71
Address: 2600:1408:4800::cced:8e7b
2 Likes
#dig r3.o.lencr.org

; <<>> DiG 9.16.23 <<>> r3.o.lencr.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1216
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;r3.o.lencr.org.                        IN      A

;; ANSWER SECTION:
r3.o.lencr.org.         98      IN      CNAME   o.lencr.edgesuite.net.
o.lencr.edgesuite.net.  8642    IN      CNAME   a1887.dscq.akamai.net.
a1887.dscq.akamai.net.  20      IN      A       88.221.27.90
a1887.dscq.akamai.net.  20      IN      A       88.221.27.136

;; Query time: 32 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Dec 16 11:49:40 CET 2021
;; MSG SIZE  rcvd: 142

That looks fine, but if I run it again I get:

#dig r3.o.lencr.org

; <<>> DiG 9.16.23 <<>> r3.o.lencr.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8324
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;r3.o.lencr.org.                        IN      A

;; ANSWER SECTION:
r3.o.lencr.org.         3600    IN      A       0.0.0.0

;; Query time: 715 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Dec 16 11:49:43 CET 2021
;; MSG SIZE  rcvd: 59

But even when I skip my own DNS I get 0...0

delv -d 3 -4 @192.168.192.1 r3.o.lencr.org
;; dns_requestmgr_create
;; dns_requestmgr_create: 0x7f204106f1c8
;; dns_requestmgr_whenshutdown
;; adding trust anchor .
;; fetch: r3.o.lencr.org/A
;; delete_node(): 0x7f203f056f90 r3.o.lencr.org (bucket 27)
;; validating r3.o.lencr.org/A: starting
;; validating r3.o.lencr.org/A: attempting insecurity proof
;; validating r3.o.lencr.org/A: checking existence of DS at 'org'
;; fetch: org/DS
;; delete_node(): 0x7f20410a20f0 org (bucket 32)
;; validating org/DS: starting
;; validating org/DS: attempting positive response validation
;; fetch: ./DNSKEY
;; delete_node(): 0x7f20410a20f0 . (bucket 75)
;; validating ./DNSKEY: starting
;; validating ./DNSKEY: attempting positive response validation
;; validating ./DNSKEY: verify rdataset (keyid=20326): success
;; validating ./DNSKEY: marking as secure (DS)
;; validating org/DS: in fetch_callback_dnskey
;; validating org/DS: keyset with trust secure
;; validating org/DS: resuming validate
;; validating org/DS: verify rdataset (keyid=14748): success
;; validating org/DS: marking as secure, noqname proof not needed
;; validating r3.o.lencr.org/A: in fetch_callback_ds
;; validating r3.o.lencr.org/A: resuming proveunsecure
;; validating r3.o.lencr.org/A: checking existence of DS at 'lencr.org'
;; fetch: lencr.org/DS
;; validating lencr.org/DS: starting
;; validating lencr.org/DS: attempting negative response validation from message
;;   validating 1i870vj5h429vj9pci7ar6e9gki74tr7.org/NSEC3: starting
;;   validating 1i870vj5h429vj9pci7ar6e9gki74tr7.org/NSEC3: attempting positive response validation
;; fetch: org/DNSKEY
;; validating org/DNSKEY: starting
;; validating org/DNSKEY: attempting positive response validation
;; validating org/DNSKEY: verify rdataset (keyid=26974): success
;; validating org/DNSKEY: marking as secure (DS)
;;   validating 1i870vj5h429vj9pci7ar6e9gki74tr7.org/NSEC3: in fetch_callback_dnskey
;;   validating 1i870vj5h429vj9pci7ar6e9gki74tr7.org/NSEC3: keyset with trust secure
;;   validating 1i870vj5h429vj9pci7ar6e9gki74tr7.org/NSEC3: resuming validate
;;   validating 1i870vj5h429vj9pci7ar6e9gki74tr7.org/NSEC3: verify rdataset (keyid=63858): success
;;   validating 1i870vj5h429vj9pci7ar6e9gki74tr7.org/NSEC3: marking as secure, noqname proof not needed
;; validating lencr.org/DS: in validator_callback_nsec
;; validating lencr.org/DS: resuming validate_nx
;;   validating org/SOA: starting
;;   validating org/SOA: attempting positive response validation
;;   validating org/SOA: keyset with trust secure
;;   validating org/SOA: verify rdataset (keyid=63858): success
;;   validating org/SOA: marking as secure, noqname proof not needed
;; validating lencr.org/DS: in validator_callback_nsec
;; validating lencr.org/DS: resuming validate_nx
;;   validating pshtrqolo2c7hfoq9eq9nhi57cv1cutt.org/NSEC3: starting
;;   validating pshtrqolo2c7hfoq9eq9nhi57cv1cutt.org/NSEC3: attempting positive response validation
;;   validating pshtrqolo2c7hfoq9eq9nhi57cv1cutt.org/NSEC3: keyset with trust secure
;;   validating pshtrqolo2c7hfoq9eq9nhi57cv1cutt.org/NSEC3: verify rdataset (keyid=63858): success
;;   validating pshtrqolo2c7hfoq9eq9nhi57cv1cutt.org/NSEC3: marking as secure, noqname proof not needed
;; validating lencr.org/DS: in validator_callback_nsec
;; validating lencr.org/DS: resuming validate_nx
;; validating lencr.org/DS: looking for relevant NSEC3
;; validating lencr.org/DS: looking for relevant NSEC3
;; validating lencr.org/DS: looking for relevant NSEC3
;; validating lencr.org/DS: NSEC3 indicates potential closest encloser: 'org'
;; validating lencr.org/DS: NSEC3 at super-domain org
;; validating lencr.org/DS: looking for relevant NSEC3
;; validating lencr.org/DS: NSEC3 proves name does not exist: 'lencr.org'
;; validating lencr.org/DS: NSEC3 indicates optout
;; validating lencr.org/DS: in checkwildcard: *.org
;; validating lencr.org/DS: looking for relevant NSEC3
;; validating lencr.org/DS: NSEC3 at super-domain org
;; validating lencr.org/DS: looking for relevant NSEC3
;; validating lencr.org/DS: in checkwildcard: *.org
;; validating lencr.org/DS: nonexistence proof(s) found
;; validating r3.o.lencr.org/A: in fetch_callback_ds
;; validating r3.o.lencr.org/A: marking as answer (fetch_callback_ds)
; unsigned answer
r3.o.lencr.org.         3600    IN      A       0.0.0.0
;; dns_requestmgr_shutdown: 0x7f204106f1c8
;; send_shutdown_events: 0x7f204106f1c8
;; dns_requestmgr_detach: 0x7f204106f1c8: eref 0 iref 0
;; mgr_destroy
;; calling free_rbtdb(.)
;; done free_rbtdb(.)

Especially "NSEC3 proves name does not exist: 'lencr.org'" seems worrying.

1 Like

I was getting a redirect to HTTPS leading to a TLS certificate error (hostname invalid).

From 5 timezones to the West I'm getting a blank page using HTTP. Maybe some regional issue?

Now also with the VPN back to CET I'm getting the blank page. Redirect is gone. Maybe someone fixed it?

1 Like

Seems to be some DNS issues. Now I get correct reply 3 out of 4 DNS requests, so it's improving :slight_smile:

Check your DNS settings.
cat /etc/resolv.conf
Seems like your local DNS system is failing you.

3 Likes

I deserved that for running dig/delv on my fw, hence running into issues with resolv.conf. Thank you for pointing it out :slight_smile:

The real reason for my problem was caused by a DNS blocklist enabled on our servers. Blocklist.site/Malware added r3.o.lencr.org as a malware site about a month ago, and any certificates reissued since failed to get OCSP data. Bogus blocklist is disabled now and everything works.

Thanks all!!

6 Likes
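The diagnosis in this thread (a 301 from what should be a plain-HTTP OCSP responder, traced to a local resolver answering 0.0.0.0 for r3.o.lencr.org because of a blocklist) can be turned into a preflight check. The script below is an added example, not code from the thread or from Let's Encrypt, HAProxy or acme.sh: it parses captured dig and curl output (the samples are copied from the replies above), flags sinkhole answers, compares the local resolver's verdict with a reference resolver (9.9.9.9 is an assumed default), confirms the responder answers 200 rather than a redirect, and only then runs openssl ocsp with the same options the original poster used. The function names and exit codes are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: preflight checks before `openssl ocsp`,
# which does not follow HTTP redirects and so fails with "Code=301" when anything
# (here: a DNS blocklist sinkholing r3.o.lencr.org) gets between it and the responder.
# The parsers take captured text on stdin so they can be run without network access.

# Print the numeric status of the first HTTP status line in a header block.
http_status() {
    awk '$1 ~ /^HTTP\// { print $2; found = 1; exit }
         END { if (!found) print "none" }'
}

# Classify A/AAAA answers in dig output: "sinkholed" if any answer is a
# non-routable sink address (0.0.0.0, ::, ::1, 127.0.0.0/8), "empty" if there
# is no address answer at all, otherwise "ok". CNAME and ";;" lines are skipped.
classify_dig() {
    awk '$3 == "IN" && ($4 == "A" || $4 == "AAAA") {
             n++
             if ($5 == "0.0.0.0" || $5 == "::" || $5 == "::1" || $5 ~ /^127\./) sink++
         }
         END { if (sink > 0) print "sinkholed"; else if (n == 0) print "empty"; else print "ok" }'
}

# Compare the verdict from the local resolver ($1) with a reference resolver ($2).
compare_resolvers() {
    if [ "$1" != ok ] && [ "$2" = ok ]; then echo resolver-mismatch
    elif [ "$1" != ok ]; then echo both-bad
    else echo consistent
    fi
}

# Samples copied from the replies in this thread (the sinkholed one is the
# poster's local resolver, the healthy one a public resolver).
SAMPLE_SINKHOLED=';; QUESTION SECTION:
;r3.o.lencr.org.                        IN      A

;; ANSWER SECTION:
r3.o.lencr.org.         3600    IN      A       0.0.0.0'
SAMPLE_OK='r3.o.lencr.org.         98      IN      CNAME   o.lencr.edgesuite.net.
o.lencr.edgesuite.net.  8642    IN      CNAME   a1887.dscq.akamai.net.
a1887.dscq.akamai.net.  20      IN      A       88.221.27.90
a1887.dscq.akamai.net.  20      IN      A       88.221.27.136'
SAMPLE_REDIRECT_HEADERS='HTTP/1.1 301 Moved Permanently
Location: https://r3.o.lencr.org/
Server: OPNsense'
SAMPLE_OK_HEADERS='HTTP/1.1 200 OK
Server: nginx
Content-Length: 0'

# Live preflight (needs network). Usage:
#   sh ocsp_preflight.sh issuer.pem cert.pem http://r3.o.lencr.org/ [reference-resolver]
# Exit 2 on a resolver problem, 3 on a non-200 responder, else openssl's own status.
ocsp_preflight() {
    issuer=$1; cert=$2; url=$3; ref=${4:-9.9.9.9}   # 9.9.9.9 is an assumed default
    host=$(printf '%s\n' "$url" | sed -E 's#^https?://([^/:]+).*#\1#')
    local_v=$(dig +noall +answer "$host" A | classify_dig)
    ref_v=$(dig +noall +answer @"$ref" "$host" A | classify_dig)
    case $(compare_resolvers "$local_v" "$ref_v") in
        resolver-mismatch)
            echo "local resolver answer for $host is '$local_v' but $ref says '$ref_v':" \
                 "check /etc/resolv.conf and any DNS blocklists" >&2; return 2 ;;
        both-bad)
            echo "no usable address for $host from either resolver" >&2; return 2 ;;
    esac
    status=$(curl -sI --max-time 10 "$url" | http_status)
    if [ "$status" != 200 ]; then
        echo "responder answered HTTP $status, not 200; openssl ocsp will not follow it" >&2
        return 3
    fi
    openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" -header Host="$host" \
        -verify_other "$issuer" -respout "$cert.ocsp"
}

# With no arguments, show the parsers on the captured samples instead of going live.
demo() {
    echo "poster's resolver:  $(printf '%s\n' "$SAMPLE_SINKHOLED" | classify_dig)"
    echo "public resolver:    $(printf '%s\n' "$SAMPLE_OK" | classify_dig)"
    echo "verdict:            $(compare_resolvers sinkholed ok)"
    echo "redirecting host:   HTTP $(printf '%s\n' "$SAMPLE_REDIRECT_HEADERS" | http_status)"
    echo "healthy responder:  HTTP $(printf '%s\n' "$SAMPLE_OK_HEADERS" | http_status)"
}

if [ $# -ge 3 ]; then ocsp_preflight "$@"; else demo; fi
```

Run with no arguments to see the parsers classify the captured samples; with the issuer, certificate and responder URL as arguments it performs the live checks and writes the OCSP response next to the certificate. The resolver comparison is what separates the two explanations offered in this thread: a sinkhole from the local resolver shows up as "resolver-mismatch", while a problem at the responder or CDN side shows up as a non-200 status from both.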

Well, I too was getting a redirect without any block list, so not sure if it was just the block list or perhaps a hiccup at Akamai.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.