Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com ), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
www.wejdmark.com
I ran this command:
openssl ocsp -issuer /tmp/haproxy/ssl/5e28456dd9311.issuer -cert /tmp/haproxy/ssl/5e28456dd9311.pem -url http://r3.o.lencr.org/ -header Host=r3.o.lencr.org -respout /tmp/haproxy/ssl/5e28456dd9311.pem.ocsp -verify_other /tmp/haproxy/ssl/5e28456dd9311.issuer
It produced this output:
Error querying OCSP responder
1905515417600:error:27076072:OCSP routines:parse_http_line1:server response error:/usr/src/crypto/openssl/crypto/ocsp/ocsp_ht.c:260:Code=301,Reason=Moved Permanently
My web server is (include version):
HA-Proxy version 2.2.18-c6e1dfa (does SSL termination)
The operating system my web server runs on is (include version):
FreeBSD 12.1-RELEASE-p21-HBSD
My hosting provider, if applicable, is:
Me, myself and I
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
acme.sh v3.0.1 on OpnSense
rg305
December 16, 2021, 10:40am
Hi @sepahewe and welcome to the LE community forum
Please show the output of:
curl -Ii http://r3.o.lencr.org/
sepahewe:
Me, myself and I
I like that team!
[I use them all the time]
curl -Ii http://r3.o.lencr.org/
HTTP/1.1 301 Moved Permanently
Location: https://r3.o.lencr.org/
Date: Thu, 16 Dec 2021 10:42:31 GMT
Server: OPNsense
rg305
December 16, 2021, 10:51am
I get:
curl -Ii http://r3.o.lencr.org/
HTTP/1.1 200 OK
Server: nginx
Content-Length: 0
Cache-Control: max-age=12498
Expires: Thu, 16 Dec 2021 14:07:49 GMT
Date: Thu, 16 Dec 2021 10:39:31 GMT
Connection: keep-alive
Please show:
nslookup r3.o.lencr.org
I get:
r3.o.lencr.org canonical name = o.lencr.edgesuite.net.
o.lencr.edgesuite.net canonical name = a1887.dscq.akamai.net.
Name: a1887.dscq.akamai.net
Address: 23.39.45.186
Address: 23.39.45.195
Address: 2600:1408:4800::cced:8e82
Address: 2600:1408:4800::cced:8e71
Address: 2600:1408:4800::cced:8e7b
#dig r3.o.lencr.org
; <<>> DiG 9.16.23 <<>> r3.o.lencr.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1216
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;r3.o.lencr.org. IN A
;; ANSWER SECTION:
r3.o.lencr.org. 98 IN CNAME o.lencr.edgesuite.net.
o.lencr.edgesuite.net. 8642 IN CNAME a1887.dscq.akamai.net.
a1887.dscq.akamai.net. 20 IN A 88.221.27.90
a1887.dscq.akamai.net. 20 IN A 88.221.27.136
;; Query time: 32 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Dec 16 11:49:40 CET 2021
;; MSG SIZE rcvd: 142
That looks fine, but if I run it again I get:
#dig r3.o.lencr.org
; <<>> DiG 9.16.23 <<>> r3.o.lencr.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8324
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;r3.o.lencr.org. IN A
;; ANSWER SECTION:
r3.o.lencr.org. 3600 IN A 0.0.0.0
;; Query time: 715 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Dec 16 11:49:43 CET 2021
;; MSG SIZE rcvd: 59
But even when I skip my own DNS I get 0...0
delv -d 3 -4 @192.168.192.1 r3.o.lencr.org
;; dns_requestmgr_create
;; dns_requestmgr_create: 0x7f204106f1c8
;; dns_requestmgr_whenshutdown
;; adding trust anchor .
;; fetch: r3.o.lencr.org/A
;; delete_node(): 0x7f203f056f90 r3.o.lencr.org (bucket 27)
;; validating r3.o.lencr.org/A: starting
;; validating r3.o.lencr.org/A: attempting insecurity proof
;; validating r3.o.lencr.org/A: checking existence of DS at 'org'
;; fetch: org/DS
;; delete_node(): 0x7f20410a20f0 org (bucket 32)
;; validating org/DS: starting
;; validating org/DS: attempting positive response validation
;; fetch: ./DNSKEY
;; delete_node(): 0x7f20410a20f0 . (bucket 75)
;; validating ./DNSKEY: starting
;; validating ./DNSKEY: attempting positive response validation
;; validating ./DNSKEY: verify rdataset (keyid=20326): success
;; validating ./DNSKEY: marking as secure (DS)
;; validating org/DS: in fetch_callback_dnskey
;; validating org/DS: keyset with trust secure
;; validating org/DS: resuming validate
;; validating org/DS: verify rdataset (keyid=14748): success
;; validating org/DS: marking as secure, noqname proof not needed
;; validating r3.o.lencr.org/A: in fetch_callback_ds
;; validating r3.o.lencr.org/A: resuming proveunsecure
;; validating r3.o.lencr.org/A: checking existence of DS at 'lencr.org'
;; fetch: lencr.org/DS
;; validating lencr.org/DS: starting
;; validating lencr.org/DS: attempting negative response validation from message
;; validating 1i870vj5h429vj9pci7ar6e9gki74tr7.org/NSEC3: starting
;; validating 1i870vj5h429vj9pci7ar6e9gki74tr7.org/NSEC3: attempting positive response validation
;; fetch: org/DNSKEY
;; validating org/DNSKEY: starting
;; validating org/DNSKEY: attempting positive response validation
;; validating org/DNSKEY: verify rdataset (keyid=26974): success
;; validating org/DNSKEY: marking as secure (DS)
;; validating 1i870vj5h429vj9pci7ar6e9gki74tr7.org/NSEC3: in fetch_callback_dnskey
;; validating 1i870vj5h429vj9pci7ar6e9gki74tr7.org/NSEC3: keyset with trust secure
;; validating 1i870vj5h429vj9pci7ar6e9gki74tr7.org/NSEC3: resuming validate
;; validating 1i870vj5h429vj9pci7ar6e9gki74tr7.org/NSEC3: verify rdataset (keyid=63858): success
;; validating 1i870vj5h429vj9pci7ar6e9gki74tr7.org/NSEC3: marking as secure, noqname proof not needed
;; validating lencr.org/DS: in validator_callback_nsec
;; validating lencr.org/DS: resuming validate_nx
;; validating org/SOA: starting
;; validating org/SOA: attempting positive response validation
;; validating org/SOA: keyset with trust secure
;; validating org/SOA: verify rdataset (keyid=63858): success
;; validating org/SOA: marking as secure, noqname proof not needed
;; validating lencr.org/DS: in validator_callback_nsec
;; validating lencr.org/DS: resuming validate_nx
;; validating pshtrqolo2c7hfoq9eq9nhi57cv1cutt.org/NSEC3: starting
;; validating pshtrqolo2c7hfoq9eq9nhi57cv1cutt.org/NSEC3: attempting positive response validation
;; validating pshtrqolo2c7hfoq9eq9nhi57cv1cutt.org/NSEC3: keyset with trust secure
;; validating pshtrqolo2c7hfoq9eq9nhi57cv1cutt.org/NSEC3: verify rdataset (keyid=63858): success
;; validating pshtrqolo2c7hfoq9eq9nhi57cv1cutt.org/NSEC3: marking as secure, noqname proof not needed
;; validating lencr.org/DS: in validator_callback_nsec
;; validating lencr.org/DS: resuming validate_nx
;; validating lencr.org/DS: looking for relevant NSEC3
;; validating lencr.org/DS: looking for relevant NSEC3
;; validating lencr.org/DS: looking for relevant NSEC3
;; validating lencr.org/DS: NSEC3 indicates potential closest encloser: 'org'
;; validating lencr.org/DS: NSEC3 at super-domain org
;; validating lencr.org/DS: looking for relevant NSEC3
;; validating lencr.org/DS: NSEC3 proves name does not exist: 'lencr.org'
;; validating lencr.org/DS: NSEC3 indicates optout
;; validating lencr.org/DS: in checkwildcard: *.org
;; validating lencr.org/DS: looking for relevant NSEC3
;; validating lencr.org/DS: NSEC3 at super-domain org
;; validating lencr.org/DS: looking for relevant NSEC3
;; validating lencr.org/DS: in checkwildcard: *.org
;; validating lencr.org/DS: nonexistence proof(s) found
;; validating r3.o.lencr.org/A: in fetch_callback_ds
;; validating r3.o.lencr.org/A: marking as answer (fetch_callback_ds)
; unsigned answer
r3.o.lencr.org. 3600 IN A 0.0.0.0
;; dns_requestmgr_shutdown: 0x7f204106f1c8
;; send_shutdown_events: 0x7f204106f1c8
;; dns_requestmgr_detach: 0x7f204106f1c8: eref 0 iref 0
;; mgr_destroy
;; calling free_rbtdb(.)
;; done free_rbtdb(.)
Especially "NSEC3 proves name does not exist: 'lencr.org'" seems worrying.
Osiris
December 16, 2021, 11:42am
I was getting a redirect to HTTPS leading to a TLS certificate error (hostname invalid).
From 5 timezones to the West I'm getting a blank page using HTTP. Maybe some regional issue?
Now also with the VPN back to CET I'm getting the blank page. Redirect is gone. Maybe someone fixed it?
Seems to be some DNS issues. Now I get a correct reply on 3 out of 4 DNS requests, so it's improving.
rg305
December 16, 2021, 1:10pm
Check your DNS settings.
cat /etc/resolv.conf
Seems like your local DNS system is failing you.
I deserved that for running dig/delv on my fw, hence running into issues with resolv.conf. Thank you for pointing it out.
The real cause of my problem was a DNS blocklist enabled on our servers. Blocklist.site/Malware added r3.o.lencr.org as a malware site about a month ago, and any certificates reissued since then failed to get OCSP data. The bogus blocklist is disabled now and everything works.
Thanks all!!
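The thread shows two symptoms of the same root cause: the resolver returns an A record of 0.0.0.0 for r3.o.lencr.org, and the plain-HTTP OCSP request then comes back as a 301 to HTTPS carrying a `Server: OPNsense` header (the working request, by contrast, answers 200 with `Server: nginx`). The script below is an added example, not code from any participant in this thread: a pre-flight check that parses captured `dig` and `curl -Ii` output, flags sinkhole addresses and redirects, and only reports the responder as usable when neither is present. The function names are my own, and the sample inputs are constructed from the outputs quoted above.

```python
"""Pre-flight check for an OCSP responder before running `openssl ocsp`.

Two failure modes from the thread are detected offline from captured tool
output: a DNS answer that sinkholes the responder hostname (A 0.0.0.0), and
an HTTP 3xx redirect, which `openssl ocsp` does not follow (it reports
"Code=301,Reason=Moved Permanently" instead). Sample inputs are constructed
from the outputs quoted in the thread; function names are hypothetical.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One resource record from a dig ANSWER SECTION (tabs or spaces between fields).
ANSWER_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>A|AAAA|CNAME)\s+(?P<data>\S+)$"
)
STATUS_RE = re.compile(r"^HTTP/\d(?:\.\d)?\s+(?P<code>\d{3})\b")
HEADER_RE = re.compile(r"^(?P<name>[A-Za-z-]+):\s*(?P<value>.*)$")


@dataclass
class Findings:
    addresses: List[str] = field(default_factory=list)   # every A/AAAA seen
    sinkholed: List[str] = field(default_factory=list)   # unspecified/loopback
    http_status: Optional[int] = None
    redirect_to: Optional[str] = None

    @property
    def ok(self) -> bool:
        # Usable only if it resolves to at least one real address and the
        # plain-HTTP request is answered directly with a 2xx.
        return (
            bool(self.addresses)
            and not self.sinkholed
            and self.http_status is not None
            and 200 <= self.http_status < 300
        )


def parse_dig_answers(dig_output: str) -> Findings:
    """Collect A/AAAA records from the ANSWER SECTION (CNAME hops are skipped)
    and flag any that a DNS filter typically returns instead of a real host."""
    f = Findings()
    in_answer = False
    for line in dig_output.splitlines():
        line = line.strip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if not line or line.startswith(";"):
            in_answer = False          # any other ';;' header ends the section
            continue
        if not in_answer:
            continue
        m = ANSWER_RE.match(line)
        if not m or m["type"] == "CNAME":
            continue
        ip = ipaddress.ip_address(m["data"])
        f.addresses.append(str(ip))
        if ip.is_unspecified or ip.is_loopback:   # 0.0.0.0, ::, 127.x, ::1
            f.sinkholed.append(str(ip))
    return f


def parse_http_head(curl_output: str, findings: Findings) -> Findings:
    """Read the status line and Location header from a `curl -Ii` capture."""
    for line in curl_output.splitlines():
        line = line.strip()
        m = STATUS_RE.match(line)
        if m:
            findings.http_status = int(m["code"])
            continue
        h = HEADER_RE.match(line)
        if h and h["name"].lower() == "location":
            findings.redirect_to = h["value"]
    return findings


def preflight(dig_output: str, curl_output: str) -> Findings:
    return parse_http_head(curl_output, parse_dig_answers(dig_output))


# Constructed samples, built from the dig and curl output quoted in the thread.
DIG_GOOD = """\
;; QUESTION SECTION:
;r3.o.lencr.org. IN A
;; ANSWER SECTION:
r3.o.lencr.org. 98 IN CNAME o.lencr.edgesuite.net.
o.lencr.edgesuite.net. 8642 IN CNAME a1887.dscq.akamai.net.
a1887.dscq.akamai.net. 20 IN A 88.221.27.90
a1887.dscq.akamai.net. 20 IN A 88.221.27.136
;; Query time: 32 msec
"""
DIG_SINKHOLED = """\
;; ANSWER SECTION:
r3.o.lencr.org. 3600 IN A 0.0.0.0
;; Query time: 715 msec
"""
CURL_OK = "HTTP/1.1 200 OK\nServer: nginx\nContent-Length: 0\n"
CURL_REDIRECT = "HTTP/1.1 301 Moved Permanently\nLocation: https://r3.o.lencr.org/\nServer: OPNsense\n"

if __name__ == "__main__":
    for label, dig, curl in (("working", DIG_GOOD, CURL_OK),
                             ("blocklisted", DIG_SINKHOLED, CURL_REDIRECT)):
        f = preflight(dig, curl)
        print(f"{label}: {'OK' if f.ok else 'FAIL'} addresses={f.addresses} "
              f"sinkholed={f.sinkholed} status={f.http_status} redirect={f.redirect_to}")
```

In a stapling cron job the same two captures come from `dig r3.o.lencr.org` and `curl -Ii http://r3.o.lencr.org/` run immediately before `openssl ocsp`; a FAIL verdict with a non-empty `sinkholed` list points at the resolver or a filtering list in front of it, while a redirect with a `Server` header naming your own gateway says the request never reached the CA's CDN at all.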
Osiris
December 16, 2021, 6:26pm
Well, I too was getting a redirect without any block list, so not sure if it was just the block list or perhaps a hiccup at Akamai.
system
Closed
January 15, 2022, 6:27pm
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.