OCSP check failed for xxx (are we offline?)

I am running certbot in manual mode in an environment with proxied internet access. This works when setting https_proxy, except for the OCSP check, which fails with the following error:

OCSP check failed for /etc/letsencrypt/archive/***/cert1.pem (are we offline?)
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/ocsp.py", line 188, in _check_ocsp_cryptography
    timeout=timeout)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/requests/api.py", line 119, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/requests/api.py", line 61, in request
    return session.request(method=method, url=url, **kwargs)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/requests/sessions.py", line 530, in request
    resp = self.send(prep, **send_kwargs)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/requests/sessions.py", line 643, in send
    r = adapter.send(request, **kwargs)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/requests/adapters.py", line 516, in send
    raise ConnectionError(e, request=request)
ConnectionError: HTTPConnectionPool(host='ocsp.int-x3.letsencrypt.org', port=80): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f1c5f121110>: Failed to establish a new connection: [Errno 101] Network is unreachable',))

I assume the network connection to the OCSP server is done without using the configured proxy so that it is unreachable. The certificate is still generated because all other connections work.

OCSP checks tend to happen over port 80 - definitely so in the case of Let’s Encrypt. I think you would need to set HTTP_PROXY to cover it.

Certbot gained the ability to use HTTP_PROXY for OCSP checks in version 1.4.0.

Haven’t considered that; I will try the next time we create a cert.

thanks

Great!

You can also trigger the OCSP error by just running certbot certificates, as it performs OCSP revocation checks while listing each of your certificates.
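
The per-scheme proxy selection discussed in this thread, as an added example that is not part of any post or of certbot's own code: it uses the Python standard library's environment lookup (which requests builds on) to show which proxy an https:// ACME URL and an http:// OCSP URL would each get. The ACME directory URL and the function names are assumptions made for the illustration; the OCSP host is the one from the traceback.

```python
import os
import urllib.request
from unittest import mock
from urllib.parse import urlsplit

# Constructed sample: the OCSP responder host comes from the traceback above;
# the ACME directory URL is assumed to be Let's Encrypt's production endpoint.
ENDPOINTS = {
    "ACME directory": "https://acme-v02.api.letsencrypt.org/directory",
    "OCSP responder": "http://ocsp.int-x3.letsencrypt.org/",
}


def proxy_for(url, environ):
    """Return the proxy the given environment selects for url, or None (direct)."""
    parts = urlsplit(url)
    # urllib reads os.environ directly, so evaluate it under a patched copy.
    with mock.patch.dict(os.environ, environ, clear=True):
        proxies = urllib.request.getproxies_environment()
        if urllib.request.proxy_bypass_environment(parts.netloc, proxies):
            return None  # host matched no_proxy, so no proxy is used
    # Selection is per URL scheme: https_proxy never applies to http:// URLs.
    # requests additionally falls back to all_proxy when no scheme entry exists.
    return proxies.get(parts.scheme) or proxies.get("all")


def audit(environ, endpoints=ENDPOINTS):
    """Map each endpoint name to its selected proxy (None = direct connection)."""
    return {name: proxy_for(url, environ) for name, url in endpoints.items()}


if __name__ == "__main__":
    # Audit the real environment of the shell that will run certbot.
    for name, proxy in audit(dict(os.environ)).items():
        print(f"{name:15} -> {proxy or 'DIRECT (no proxy set for this scheme)'}")
```

Run it in the same shell and as the same user as certbot; a DIRECT result for the OCSP responder on a host without direct internet access corresponds to the "Network is unreachable" error above.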