
which openssl
/usr/bin/openssl

sudo find / -name openssl
...
/usr/local/Cellar/openssl/1.0.2q/bin/openssl
...

That's what I was saying earlier. Certbot doesn't seem to be using the version of openssl that gets installed with certbot with my package manager (homebrew). But when I tried your command with the newer 1.0.2 openssl, it still failed with the same errors as 0.9.8. But I can try it all again if you want.

Also I am on macOS 10.11.6 and 1.0.2q is the newest openssl available

With the “=” added?

Yup, but if you want to give me the command again, I’ll run it again.

This time do:

sudo /usr/local/Cellar/openssl/1.0.2q/bin/openssl ocsp -no_nonce -issuer /etc/letsencrypt/live/fellsbiker.com/chain.pem -cert /etc/letsencrypt/live/fellsbiker.com/cert.pem -url http://ocsp.int-x3.letsencrypt.org -CAfile /etc/letsencrypt/live/fellsbiker.com/chain.pem -verify_other /etc/letsencrypt/live/fellsbiker.com/chain.pem -trust_other -header Host=ocsp.int-x3.letsencrypt.org

That gives me the OCSP options list again:

OCSP utility
Usage ocsp [options]
where options are
-out file output filename
-issuer file issuer certificate
-cert file certificate to check
.........

Ok, how about without header:

sudo /usr/local/Cellar/openssl/1.0.2q/bin/openssl ocsp -no_nonce -issuer /etc/letsencrypt/live/fellsbiker.com/chain.pem -cert /etc/letsencrypt/live/fellsbiker.com/cert.pem -url http://ocsp.int-x3.letsencrypt.org -CAfile /etc/letsencrypt/live/fellsbiker.com/chain.pem -verify_other /etc/letsencrypt/live/fellsbiker.com/chain.pem -trust_other

Error querying OCSP responder
140735208366160:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:314:Code=400,Reason=Bad Request

How about just:

sudo /usr/local/Cellar/openssl/1.0.2q/bin/openssl ocsp -no_nonce -issuer /etc/letsencrypt/live/fellsbiker.com/chain.pem -cert /etc/letsencrypt/live/fellsbiker.com/cert.pem -url http://ocsp.int-x3.letsencrypt.org 

Same error as previous attempt.

Try showing:
dpkg --list | grep certbot

[not sure if that works on homebrew]

No dpkg on macOS. If you’re asking me to verify in Homebrew that I have certbot installed, I certainly do; that’s how I got my cert in the first place. It’s version 0.31.0.

Trying to ensure nothing was left behind there…
[probably not]

Please show:
find / -name ocsp.h

Is there a flag for find that doesn’t output a message for every folder I don’t have read access to? Or do you want me to run that find as sudo?

Output to tmp file:
find / -name ocsp.h > /var/tmp/find.txt

Or switch to root user?

My system only found one:
-rw-r--r-- 1 root root 18411 Dec 5 10:59 /usr/include/openssl/ocsp.h

I’m thinking the two OpenSSLs are getting criss-crossed with their extra files.

/usr/local/Cellar/openssl/1.0.2q/include/openssl/ocsp.h

664, owned by me, not by root

OK this might help:

[unless you absolutely still also need the 0.9.8 version]

That’s what I have, the homebrew version. And that version doesn’t work either when I try it manually, so I don’t think changing the linking so it uses the homebrew version when you type openssl will get me anywhere? Plus actually replacing the openssl included with the OS won’t be a good solution because next time there’s a security update, it will most likely overwrite those changes and revert me back to whatever it wants. Which is why I’m using the Homebrew version in the first place.

Didn’t you say you had two versions?

Yes. I have the 0.9.8 that comes with the OS and I have the 1.0.2 that was installed with homebrew. We just tried both versions above, manually, and neither worked.

Note: @rg305 you may not see this, but the forum has blocked me from making any new replies for 24 hours because it is the first day of my account (even though I signed up 3 days ago), so I guess I’ll pick this up again tomorrow night. I hope this works.