Problem with OCSP timeout flag

I am having trouble with the 'certbot certificates -vvv' command on CentOS 8 that is yielding an SSL OCSP error related to the timeout flag. When the timeout flag is removed, there is no error. Running 'certbot certificates -vvv' yields (my domain replaced with www.example.com in the output):
Root logging level set at -10
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Querying OCSP for /etc/letsencrypt/live/www.example.com/cert.pem
openssl ocsp -no_nonce -issuer /etc/letsencrypt/live/www.example.com/chain.pem -cert /etc/letsencrypt/live/www.example.com/cert.pem -CAfile /etc/letsencrypt/live/www.example.com/chain.pem -verify_other /etc/letsencrypt/live/www.example.com/chain.pem -trust_other -timeout 10 -header Host=r3.o.lencr.org -url http://r3.o.lencr.org
Error while running openssl ocsp -no_nonce -issuer /etc/letsencrypt/live/www.example.com/chain.pem -cert /etc/letsencrypt/live/www.example.com/cert.pem -CAfile /etc/letsencrypt/live/www.example.com/chain.pem -verify_other /etc/letsencrypt/live/www.example.com/chain.pem -trust_other -timeout 10 -header Host=r3.o.lencr.org -url http://r3.o.lencr.org.

Error querying OCSP responder
139702347134784:error:02002071:system library:connect:No route to host:crypto/bio/bss_conn.c:189:hostname=r3.o.lencr.org service=80
139702347134784:error:2007306E:BIO routines:conn_state:nbio connect error:crypto/bio/bss_conn.c:193:

OCSP check failed for /etc/letsencrypt/live/www.example.com/cert.pem (are we offline?)

Running the command:
openssl ocsp -no_nonce -issuer /etc/letsencrypt/live/www.example.com/chain.pem -cert /etc/letsencrypt/live/www.example.com/cert.pem -CAfile /etc/letsencrypt/live/www.example.com/chain.pem -verify_other /etc/letsencrypt/live/www.example.com/chain.pem -trust_other -timeout 10 -header Host=r3.o.lencr.org -url http://r3.o.lencr.org.

by hand yields the same error, but if I remove the '-timeout 10' the command works fine. I am running openssl version 1.1.1g FIPS 21 Apr 2020. If I remove the timeout from the call in ocsp.py then 'certbot certificates -vvv' . I am confused why specifying a timeout in the openssl command line would cause a no route to host problem. Is this a bug in openssl or certbot? certbot can work around this by eliminating the timeout from the call.

Hi @chrisacdx

Your network configuration is buggy; that's not a certificate-relevant question.

It sounds like your system tries to connect to Let's Encrypt via IPv6, which doesn't work because your IPv6 is buggy.

15 or 20 seconds later, IPv4 is used -> that works.

1 Like

Thanks JuergenAuer, you put me on the right track:

curl -6 http://r3.o.lencr.org fails:
curl: (7) Failed to connect to r3.o.lencr.org port 80: No route to host

but

curl -4 http://r3.o.lencr.org works.

2 Likes
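The thread's diagnosis was done by hand with `curl -6` and `curl -4`. The script below is an added example (not certbot's code, not OpenSSL's, and not part of the original thread) that automates the same two checks with a bounded connect timeout per address family, and parses the `system library:connect:...` line OpenSSL prints so the failing family and reason can be reported in one place. The responder hostname and port are arguments; the sample stderr text is constructed from the lines quoted in the question.

```python
"""Probe an OCSP responder over IPv6 and IPv4 separately and classify
OpenSSL's connect error text.  Added example for this thread; assumptions:
the responder is reachable on plain TCP (port 80, as in the thread) and a
successful TCP connect is enough to tell the two address families apart."""
import re
import socket
import sys
from dataclasses import dataclass
from typing import Optional

AF6 = socket.AF_INET6
AF4 = socket.AF_INET

# Constructed sample: the stderr lines quoted in the question above.
SAMPLE_OPENSSL_STDERR = """Error querying OCSP responder
139702347134784:error:02002071:system library:connect:No route to host:crypto/bio/bss_conn.c:189:hostname=r3.o.lencr.org service=80
139702347134784:error:2007306E:BIO routines:conn_state:nbio connect error:crypto/bio/bss_conn.c:193:
"""

# Matches the "system library:connect:<reason>:...hostname=<h> service=<s>" record.
CONNECT_ERR = re.compile(
    r"system library:connect:(?P<reason>[^:]+):.*?hostname=(?P<host>\S+) service=(?P<svc>\S+)"
)


@dataclass
class ProbeResult:
    family: str               # "IPv6" or "IPv4"
    address: Optional[str]    # address tried; None if no record of that family
    ok: bool
    detail: str


def classify_openssl_error(stderr_text: str) -> Optional[dict]:
    """Pull reason, host and service out of OpenSSL's connect error, if present."""
    m = CONNECT_ERR.search(stderr_text)
    if not m:
        return None
    return {
        "reason": m["reason"],
        "host": m["host"],
        "service": m["svc"],
        # "-timeout" makes openssl use a non-blocking connect; that is the
        # second line in the thread's output.
        "nonblocking": "nbio connect error" in stderr_text,
    }


def probe_family(host: str, port: int, family: int, timeout: float = 10.0) -> ProbeResult:
    """Resolve host for ONE address family and try a TCP connect with a timeout."""
    name = "IPv6" if family == AF6 else "IPv4"
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror as e:
        return ProbeResult(name, None, False, f"no {name} record: {e}")
    addr = infos[0][4]
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
        return ProbeResult(name, addr[0], True, "connected")
    except OSError as e:            # socket.timeout is an OSError subclass
        return ProbeResult(name, addr[0], False, f"{type(e).__name__}: {e}")
    finally:
        sock.close()


def summarize(v6: ProbeResult, v4: ProbeResult) -> str:
    """Turn the two probes into the verdict the thread reached by hand."""
    if not v6.ok and v4.ok and v6.address is not None:
        return "IPv6 path broken, IPv4 works: fix or disable IPv6 routing on this host"
    if v6.ok and v4.ok:
        return "both address families reach the responder"
    if not v6.ok and not v4.ok:
        return "responder unreachable over both families (offline or firewalled?)"
    return "IPv4 broken, IPv6 works"


def diagnose(host: str, port: int = 80, timeout: float = 10.0) -> dict:
    v6 = probe_family(host, port, AF6, timeout)
    v4 = probe_family(host, port, AF4, timeout)
    return {"ipv6": v6, "ipv4": v4, "verdict": summarize(v6, v4)}


if __name__ == "__main__":
    print("parsed sample error:", classify_openssl_error(SAMPLE_OPENSSL_STDERR))
    if len(sys.argv) > 1:          # e.g.  python probe.py r3.o.lencr.org
        for key, val in diagnose(sys.argv[1]).items():
            print(f"{key}: {val}")
```

Run with the responder host from the openssl command line (`python probe.py r3.o.lencr.org`); without an argument it only parses the sample error text, so it can be tried offline. The two probes are deliberately separate calls rather than one `create_connection`, because the point of the thread is that a single connect that happens to pick the AAAA record first hides the fact that the A record would have worked.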
