Problem with OCSP timeout flag

I am having trouble with the 'certbot certificates -vvv' command on CentOS 8 that is yielding an SSL OCSP error related to the timeout flag. When the timeout flag is removed, there is no error. Running 'certbot certificates -vvv' yields (my domain replaced with in the output):
Root logging level set at -10
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Querying OCSP for /etc/letsencrypt/live/
openssl ocsp -no_nonce -issuer /etc/letsencrypt/live/ -cert /etc/letsencrypt/live/ -CAfile /etc/letsencrypt/live/ -verify_other /etc/letsencrypt/live/ -trust_other -timeout 10 -header -url
Error while running openssl ocsp -no_nonce -issuer /etc/letsencrypt/live/ -cert /etc/letsencrypt/live/ -CAfile /etc/letsencrypt/live/ -verify_other /etc/letsencrypt/live/ -trust_other -timeout 10 -header -url

Error querying OCSP responder
139702347134784:error:02002071:system library:connect:No route to host:crypto/bio/ service=80
139702347134784:error:2007306E:BIO routines:conn_state:nbio connect error:crypto/bio/bss_conn.c:193:

OCSP check failed for /etc/letsencrypt/live/ (are we offline?)

Running the command:
openssl ocsp -no_nonce -issuer /etc/letsencrypt/live/ -cert /etc/letsencrypt/live/ -CAfile /etc/letsencrypt/live/ -verify_other /etc/letsencrypt/live/ -trust_other -timeout 10 -header -url

by hand yields the same error, but if I remove the '-timeout 10' the command works fine. I am running openssl version 1.1.1g FIPS 21 Apr 2020. If I remove the timeout from the call in then 'certbot certificates -vvv' . I am confused why specifying a timeout in the openssl command line would cause a "no route to host" problem. Is this a bug in openssl or certbot? certbot can work around this by eliminating the timeout from the call.

Hi @chrisacdx

Your network configuration is buggy; that's not a certificate-relevant question.

It sounds like your system tries to connect to Letsencrypt via IPv6, and that doesn't work because your IPv6 is buggy.

15 or 20 seconds later, IPv4 is used -> that works.


Thanks JuergenAuer, you put me on the right track:

curl -6 fails:
curl: (7) Failed to connect to port 80: No route to host


curl -4 works.
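The curl -4 / curl -6 check above, generalised into a small probe that connects to every IPv4 and IPv6 address of an OCSP responder separately, with the same 10 s budget certbot hands to openssl, so a broken address family is reported on its own line. This is an added example, not code from certbot or from the thread; it assumes you pass the responder URL (for example the one printed by `openssl x509 -noout -ocsp_uri -in cert.pem`).

```python
#!/usr/bin/env python3
"""Probe an OCSP responder per address family to separate IPv6 from IPv4 failures."""
import socket
import sys
from urllib.parse import urlparse

FAMILIES = {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}


def probe(host, port, family, timeout=10.0):
    """TCP-connect to every address of `host` in one family.

    Returns a list of (address, result); result is "ok" or the OS error
    text, e.g. "No route to host", "Connection refused", "timed out"."""
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return [(None, "no %s address: %s" % (FAMILIES[family], exc))]
    results = []
    for fam, stype, proto, _canon, sockaddr in infos:
        sock = socket.socket(fam, stype, proto)
        sock.settimeout(timeout)  # same budget as openssl ocsp -timeout 10
        try:
            sock.connect(sockaddr)
            results.append((sockaddr[0], "ok"))
        except OSError as exc:
            results.append((sockaddr[0], exc.strerror or str(exc)))
        finally:
            sock.close()
    return results


def check_responder(url, timeout=10.0):
    """Return {"IPv4": [...], "IPv6": [...]} for the responder in `url`."""
    parsed = urlparse(url)
    port = parsed.port or (443 if parsed.scheme == "https" else 80)
    return {name: probe(parsed.hostname, port, fam, timeout)
            for fam, name in FAMILIES.items()}


def broken_families(report):
    """Families that resolved to addresses but where no address connected."""
    return sorted(name for name, res in report.items()
                  if res[0][0] is not None
                  and not any(r == "ok" for _addr, r in res))


if __name__ == "__main__":
    # Usage: ocsp_probe.py http://ocsp.example/   (hostname is a placeholder)
    report = check_responder(sys.argv[1])
    for name, res in report.items():
        for addr, result in res:
            print("%-4s %-40s %s" % (name, addr, result))
    sys.exit(1 if broken_families(report) else 0)
```

A non-zero exit with "IPv6" listed as broken reproduces the situation in this thread: an AAAA record exists but the host cannot reach it, so fix or disable IPv6 rather than drop the timeout.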

