acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0

openssl ocsp on OpenBSD fails due to incorrect -header Host="zerossl.ocsp.sectigo.com" #6100

Open fd0-nl opened 3 hours ago

fd0-nl commented 3 hours ago

Steps to reproduce

Command:

acme.sh --deploy --standalone --log --ecc -d my.domain.com --ocsp --deploy-hook haproxy --debug 2

Debug log

[Sun Nov 17 14:51:27 CET 2024] LE_WORKING_DIR='/root/.acme.sh'
[Sun Nov 17 14:51:27 CET 2024] Running cmd: deploy
[Sun Nov 17 14:51:27 CET 2024] Using config home: /root/.acme.sh/conf/
[Sun Nov 17 14:51:27 CET 2024] default_acme_server
[Sun Nov 17 14:51:27 CET 2024] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Sun Nov 17 14:51:27 CET 2024] _ACME_SERVER_HOST='acme.zerossl.com'
[Sun Nov 17 14:51:27 CET 2024] _ACME_SERVER_PATH='v2/DV90'
[Sun Nov 17 14:51:27 CET 2024] DOMAIN_PATH='/root/.acme.sh/conf//my.domain.com_ecc'
[Sun Nov 17 14:51:27 CET 2024] DOMAIN_CONF='/root/.acme.sh/conf//my.domain.com_ecc/my.domain.com.conf'
[Sun Nov 17 14:51:27 CET 2024] _deployApi='/root/.acme.sh/deploy/haproxy.sh'
[Sun Nov 17 14:51:27 CET 2024] _cdomain='my.domain.com'
[Sun Nov 17 14:51:27 CET 2024] _ckey='/root/.acme.sh/conf//my.domain.com_ecc/my.domain.com.key'
[Sun Nov 17 14:51:27 CET 2024] _ccert='/root/.acme.sh/conf//my.domain.com_ecc/my.domain.com.cer'
[Sun Nov 17 14:51:27 CET 2024] _cca='/root/.acme.sh/conf//my.domain.com_ecc/ca.cer'
[Sun Nov 17 14:51:27 CET 2024] _cfullchain='/root/.acme.sh/conf//my.domain.com_ecc/fullchain.cer'
[Sun Nov 17 14:51:27 CET 2024] DEPLOY_HAPROXY_PEM_PATH='/etc/haproxy/certs'
[Sun Nov 17 14:51:27 CET 2024] PEM_PATH /etc/haproxy/certs exists
[Sun Nov 17 14:51:27 CET 2024] DEPLOY_HAPROXY_PEM_NAME
[Sun Nov 17 14:51:28 CET 2024] DEPLOY_HAPROXY_BUNDLE
[Sun Nov 17 14:51:28 CET 2024] DEPLOY_HAPROXY_ISSUER='yes'
[Sun Nov 17 14:51:28 CET 2024] DEPLOY_HAPROXY_RELOAD='rcctl restart haproxy'
[Sun Nov 17 14:51:28 CET 2024] DEPLOY_HAPROXY_HOT_UPDATE
[Sun Nov 17 14:51:28 CET 2024] DEPLOY_HAPROXY_STATS_SOCKET
[Sun Nov 17 14:51:28 CET 2024] DEPLOY_HAPROXY_MASTER_CLI
[Sun Nov 17 14:51:28 CET 2024] _suffix
[Sun Nov 17 14:51:28 CET 2024] Deploying PEM file
[Sun Nov 17 14:51:28 CET 2024] _temppem='/tmp/tmp.WKk4W2uN0o'
[Sun Nov 17 14:51:28 CET 2024] Moving new certificate into place
[Sun Nov 17 14:51:28 CET 2024] _pem='/etc/haproxy/certs/my.domain.com.pem'
[Sun Nov 17 14:51:28 CET 2024] Updating .issuer file
[Sun Nov 17 14:51:28 CET 2024] _issuer='/etc/haproxy/certs/my.domain.com.pem.issuer'
[Sun Nov 17 14:51:28 CET 2024] Updating OCSP stapling info
[Sun Nov 17 14:51:28 CET 2024] _ocsp='/etc/haproxy/certs/my.domain.com.pem.ocsp'
[Sun Nov 17 14:51:28 CET 2024] Extracting OCSP URL
[Sun Nov 17 14:51:28 CET 2024] _ocsp_url='http://zerossl.ocsp.sectigo.com'
[Sun Nov 17 14:51:28 CET 2024] Extracting OCSP URL
[Sun Nov 17 14:51:28 CET 2024] _ocsp_host='zerossl.ocsp.sectigo.com'
[Sun Nov 17 14:51:28 CET 2024] _subjectdn='C=AT/O=ZeroSSL/CN=ZeroSSL ECC Domain Secure Site CA'
[Sun Nov 17 14:51:29 CET 2024] _issuerdn='C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust ECC Certification Authority'
[Sun Nov 17 14:51:29 CET 2024] Requesting OCSP response
[Sun Nov 17 14:51:29 CET 2024] _cafile_argument
[Sun Nov 17 14:51:29 CET 2024] _openssl_version='4.0.0'
[Sun Nov 17 14:51:29 CET 2024] _openssl_ocsp_cmd='openssl ocsp -issuer "/etc/haproxy/certs/my.domain.com.pem.issuer" -cert "/etc/haproxy/certs/my.domain.com.pem" -url "http://zerossl.ocsp.sectigo.com" -header Host="zerossl.ocsp.sectigo.com" -respout "/etc/haproxy/certs/my.domain.com.pem.ocsp" -verify_other "/etc/haproxy/certs/my.domain.com.pem.issuer" | grep -q "/etc/haproxy/certs/my.domain.com.pem: good"'
[Sun Nov 17 14:51:29 CET 2024] Updating OCSP stapling failed with return code 1
[Sun Nov 17 14:51:29 CET 2024] _reload='rcctl restart haproxy'
[Sun Nov 17 14:51:30 CET 2024] Reload successful
[Sun Nov 17 14:51:30 CET 2024] Success
[Sun Nov 17 14:52:22 CET 2024] LE_WORKING_DIR='/root/.acme.sh'
[Sun Nov 17 14:52:22 CET 2024] Running cmd: deploy
[Sun Nov 17 14:52:22 CET 2024] Using config home: /root/.acme.sh/conf/
[Sun Nov 17 14:52:23 CET 2024] default_acme_server
[Sun Nov 17 14:52:23 CET 2024] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Sun Nov 17 14:52:23 CET 2024] _ACME_SERVER_HOST='acme.zerossl.com'
[Sun Nov 17 14:52:23 CET 2024] _ACME_SERVER_PATH='v2/DV90'
[Sun Nov 17 14:52:23 CET 2024] DOMAIN_PATH='/root/.acme.sh/conf//my.domain.com_ecc'
[Sun Nov 17 14:52:23 CET 2024] DOMAIN_CONF='/root/.acme.sh/conf//my.domain.com_ecc/my.domain.com.conf'
[Sun Nov 17 14:52:23 CET 2024] _deployApi='/root/.acme.sh/deploy/haproxy.sh'
[Sun Nov 17 14:52:23 CET 2024] _cdomain='my.domain.com'
[Sun Nov 17 14:52:23 CET 2024] _ckey='/root/.acme.sh/conf//my.domain.com_ecc/my.domain.com.key'
[Sun Nov 17 14:52:23 CET 2024] _ccert='/root/.acme.sh/conf//my.domain.com_ecc/my.domain.com.cer'
[Sun Nov 17 14:52:23 CET 2024] _cca='/root/.acme.sh/conf//my.domain.com_ecc/ca.cer'
[Sun Nov 17 14:52:23 CET 2024] _cfullchain='/root/.acme.sh/conf//my.domain.com_ecc/fullchain.cer'
[Sun Nov 17 14:52:23 CET 2024] DEPLOY_HAPROXY_PEM_PATH='/etc/haproxy/certs'
[Sun Nov 17 14:52:23 CET 2024] PEM_PATH /etc/haproxy/certs exists
[Sun Nov 17 14:52:23 CET 2024] DEPLOY_HAPROXY_PEM_NAME
[Sun Nov 17 14:52:23 CET 2024] DEPLOY_HAPROXY_BUNDLE
[Sun Nov 17 14:52:23 CET 2024] DEPLOY_HAPROXY_ISSUER='yes'
[Sun Nov 17 14:52:24 CET 2024] DEPLOY_HAPROXY_RELOAD='rcctl restart haproxy'
[Sun Nov 17 14:52:24 CET 2024] DEPLOY_HAPROXY_HOT_UPDATE
[Sun Nov 17 14:52:24 CET 2024] DEPLOY_HAPROXY_STATS_SOCKET
[Sun Nov 17 14:52:24 CET 2024] DEPLOY_HAPROXY_MASTER_CLI
[Sun Nov 17 14:52:24 CET 2024] _suffix
[Sun Nov 17 14:52:24 CET 2024] Deploying PEM file
[Sun Nov 17 14:52:24 CET 2024] _temppem='/tmp/tmp.ewhVzZfvYf'
[Sun Nov 17 14:52:24 CET 2024] Moving new certificate into place
[Sun Nov 17 14:52:24 CET 2024] _pem='/etc/haproxy/certs/my.domain.com.pem'
[Sun Nov 17 14:52:24 CET 2024] Updating .issuer file
[Sun Nov 17 14:52:24 CET 2024] _issuer='/etc/haproxy/certs/my.domain.com.pem.issuer'
[Sun Nov 17 14:52:24 CET 2024] Updating OCSP stapling info
[Sun Nov 17 14:52:24 CET 2024] _ocsp='/etc/haproxy/certs/my.domain.com.pem.ocsp'
[Sun Nov 17 14:52:24 CET 2024] Extracting OCSP URL
[Sun Nov 17 14:52:24 CET 2024] _ocsp_url='http://zerossl.ocsp.sectigo.com'
[Sun Nov 17 14:52:24 CET 2024] Extracting OCSP URL
[Sun Nov 17 14:52:24 CET 2024] _ocsp_host='zerossl.ocsp.sectigo.com'
[Sun Nov 17 14:52:25 CET 2024] _subjectdn='C=AT/O=ZeroSSL/CN=ZeroSSL ECC Domain Secure Site CA'
[Sun Nov 17 14:52:25 CET 2024] _issuerdn='C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust ECC Certification Authority'
[Sun Nov 17 14:52:25 CET 2024] Requesting OCSP response
[Sun Nov 17 14:52:25 CET 2024] _cafile_argument
[Sun Nov 17 14:52:25 CET 2024] _openssl_version='4.0.0'
[Sun Nov 17 14:52:25 CET 2024] _openssl_ocsp_cmd='openssl ocsp -issuer "/etc/haproxy/certs/my.domain.com.pem.issuer" -cert "/etc/haproxy/certs/my.domain.com.pem" -url "http://zerossl.ocsp.sectigo.com" -header Host="zerossl.ocsp.sectigo.com" -respout "/etc/haproxy/certs/my.domain.com.pem.ocsp" -verify_other "/etc/haproxy/certs/my.domain.com.pem.issuer" | grep -q "/etc/haproxy/certs/my.domain.com.pem: good"'
unknown option '/etc/haproxy/certs/fmy.domain.com.pem.ocsp'
usage: ocsp [-CA file] [-CAfile file] [-CApath directory] [-cert file] [-dgst alg] [-header name value] [-host hostname:port] [-ignore_err] [-index indexfile] [-issuer file] [-ndays days] [-nmin minutes] [-no_cert_checks] [-no_cert_verify] [-no_certs] [-no_chain] [-no_explicit] [-no_intern] [-no_nonce] [-no_signature_verify] [-nonce] [-noverify] [-nrequest number] [-out file] [-path path] [-port portnum] [-req_text] [-reqin file] [-reqout file] [-resp_key_id] [-resp_no_certs] [-resp_text] [-respin file] [-respout file] [-rkey file] [-rother file] [-rsigner file] [-serial num] [-sign_other file] [-signer file] [-signkey file] [-status_age age] [-text] [-timeout seconds] [-trust_other] [-url responder_url] [-VAfile file] [-validity_period nsec] [-verify_other file]

 -CA file              CA certificate corresponding to the revocation information
 -CAfile file          Trusted certificates file
 -CApath directory     Trusted certificates directory
 -cert file            Certificate to check
 -header name value    Add the header name with the value to the request
 -host hostname:port   Send OCSP request to host on port
 -ignore_err           Ignore the invalid response
 -index indexfile      Certificate status index file
 -issuer file          Issuer certificate
 -ndays days           Number of days before next update
 -nmin minutes         Number of minutes before next update
 -no_cert_checks       Don't do additional checks on signing certificate
 -no_cert_verify       Don't check signing certificate
 -no_certs             Don't include any certificates in signed request
 -no_chain             Don't use certificates in the response
 -no_explicit          Don't check the explicit trust for OCSP signing
 -no_intern            Don't search certificates contained in response for signer
 -no_nonce             Don't add OCSP nonce to request
 -no_signature_verify  Don't check signature on response
 -nonce                Add OCSP nonce to request
 -noverify             Don't verify response at all
 -nrequest number      Number of requests to accept (default unlimited)
 -out file             Output filename
 -path path            Path to use in OCSP request
 -port portnum         Port to run responder on
 -req_text             Print text form of request
 -reqin file           Read DER encoded OCSP request from "file"
 -reqout file          Write DER encoded OCSP request to "file"
 -resp_key_id          Identify response by signing certificate key ID
 -resp_no_certs        Don't include any certificates in response
 -resp_text            Print text form of response
 -respin file          Read DER encoded OCSP response from "file"
 -respout file         Write DER encoded OCSP response to "file"
 -rkey file            Responder key to sign responses with
 -rother file          Other certificates to include in response
 -rsigner file         Responder certificate to sign responses with
 -serial num           Serial number to check
 -sign_other file      Additional certificates to include in signed request
 -signer file          Certificate to sign OCSP request with
 -signkey file         Private key to sign OCSP request with
 -status_age age       Maximum status age in seconds
 -text                 Print text form of request and response
 -timeout seconds      Connection timeout to the OCSP responder in seconds
 -trust_other          Don't verify additional certificates
 -url responder_url    OCSP responder URL
 -VAfile file          Explicitly trusted responder certificates
 -validity_period n    Maximum validity discrepancy in seconds
 -verify_other file    Additional certificates to search for signer

[Sun Nov 17 14:52:25 CET 2024] Updating OCSP stapling failed with return code 1
[Sun Nov 17 14:52:25 CET 2024] _reload='rcctl restart haproxy'
[Sun Nov 17 14:52:26 CET 2024] Reload successful
[Sun Nov 17 14:52:26 CET 2024] Success



Location and reason of the error:

Lines 276-285 of ./deploy/haproxy.sh contain the code for the `openssl ocsp` command.
The code is:
        # if OpenSSL/LibreSSL is v1.1 or above, the format for the -header option has changed
        _openssl_version=$(${ACME_OPENSSL_BIN:-openssl} version | cut -d' ' -f2)
        _debug _openssl_version "${_openssl_version}"
        _openssl_major=$(echo "${_openssl_version}" | cut -d '.' -f1)
        _openssl_minor=$(echo "${_openssl_version}" | cut -d '.' -f2)
        # The check below is the part the reporter highlighted: it looks only at
        # the version number, so "LibreSSL 4.0.0" satisfies the major >= 2 branch
        # and gets the "Host=value" form although its ocsp takes "-header name value".
        if [ "${_openssl_major}" -eq "1" ] && [ "${_openssl_minor}" -ge "1" ] || [ "${_openssl_major}" -ge "2" ]; then
          _header_sep="="
        else
          _header_sep=" "
        fi
        # Request the OCSP response from the issuer and store it
        _openssl_ocsp_cmd="${ACME_OPENSSL_BIN:-openssl} ocsp \
          -issuer \"${_issuer}\" \
          -cert \"${_pem}\" \
          -url \"${_ocsp_url}\" \
          -header Host${_header_sep}\"${_ocsp_host}\" \
          -respout \"${_ocsp}\" \
          -verify_other \"${_issuer}\" \
          ${_cafile_argument} \
          | grep -q \"${_pem}: good\""
        _debug _openssl_ocsp_cmd "${_openssl_ocsp_cmd}"

On OpenBSD the openssl implementation is LibreSSL:

bash-5.2# openssl version
LibreSSL 4.0.0
bash-5.2#

bash-5.2# uname -a
OpenBSD fmy.domain.com 7.6 GENERIC#421 amd64
bash-5.2#
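One way to select the `-header` syntax from the implementation name rather than from the bare version number, as an added example; this is not acme.sh's own code nor the project's fix for this issue. The function names `_ocsp_header_arg` and `_ocsp_cmd` are chosen here, the version strings in the demo are constructed, and the rule that every LibreSSL release takes `-header name value` is an assumption that rests only on the 4.0.0 usage text quoted above.

```shell
#!/bin/sh
# Added example, not acme.sh's own code. It chooses the "-header" form for
# "openssl ocsp" by looking at the implementation name first and the version
# number second, so a LibreSSL major version (4.0.0 in the issue) is not
# treated like OpenSSL >= 2.
#
# What the issue shows:
#   OpenSSL 1.1 and later   -header Host=example.com    (name=value)
#   OpenSSL 1.0.x           -header Host example.com    (name value)
#   LibreSSL 4.0.0 usage    [-header name value]        (name value)
# With "=" on LibreSSL the single word 'Host=zerossl.ocsp.sectigo.com' is
# taken as the header name, "-respout" as its value, and the next word,
# the .ocsp output path, is reported as "unknown option".
#
# Assumption: every LibreSSL release wants "name value"; the issue only
# demonstrates this for 4.0.0 on OpenBSD 7.6.

# Print the argument(s) to pass after "-header".
#   $1  full output line of "openssl version" (e.g. "LibreSSL 4.0.0")
#   $2  OCSP responder host name
_ocsp_header_arg() {
  _impl=$(printf '%s\n' "$1" | cut -d' ' -f1)
  _ver=$(printf '%s\n' "$1" | cut -d' ' -f2)
  _major=$(printf '%s\n' "$_ver" | cut -d. -f1)
  _minor=$(printf '%s\n' "$_ver" | cut -d. -f2)
  _sep=" "
  if [ "$_impl" = "OpenSSL" ]; then
    # name=value since OpenSSL 1.1; the 1.0.x series still wants name value
    if [ "$_major" -ge 2 ] || { [ "$_major" -eq 1 ] && [ "$_minor" -ge 1 ]; }; then
      _sep="="
    fi
  fi
  printf 'Host%s%s\n' "$_sep" "$2"
}

# Print the "openssl ocsp" command line that deploy/haproxy.sh builds, with
# the header argument chosen by _ocsp_header_arg.
#   $1 "openssl version" line   $2 issuer file      $3 certificate file
#   $4 responder URL            $5 responder host   $6 .ocsp output file
_ocsp_cmd() {
  printf '%s ocsp -issuer "%s" -cert "%s" -url "%s" -header %s -respout "%s" -verify_other "%s"\n' \
    "${ACME_OPENSSL_BIN:-openssl}" "$2" "$3" "$4" "$(_ocsp_header_arg "$1" "$5")" "$6" "$2"
}

# Demo with constructed version lines in the format "openssl version" prints.
for _v in "LibreSSL 4.0.0" "OpenSSL 1.0.2k-fips  26 Jan 2017" "OpenSSL 3.0.13 30 Jan 2024"; do
  printf '%-36s -> -header %s\n' "$_v" "$(_ocsp_header_arg "$_v" zerossl.ocsp.sectigo.com)"
done
```

The difference from the snippet in the issue is that the whole `openssl version` line is passed in, not only the second field, so the implementation name is available for the decision; `_openssl_version='4.0.0'` alone, as logged above, cannot tell LibreSSL apart from a future OpenSSL 4.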
github-actions[bot] commented 3 hours ago

Please upgrade to the latest code and try again first. Maybe it's already fixed. acme.sh --upgrade If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.

fd0-nl commented 3 hours ago

The same bug is found in ./deploy/lighttpd.sh.