matteocorti / check_ssl_cert

A shell script (that can be used as a Nagios/Icinga plugin) to check an SSL/TLS connection.
GNU General Public License v3.0

Support EMPTY pkcs7 issuer certificates? #251

Closed esabol closed 3 years ago

esabol commented 3 years ago

The U.S. Treasury certificate authority apparently responds with their issuer certs in pkcs7 format instead of x509. Web browsers seem to support it, but check_ssl_cert doesn't.

What I've done is basically make a copy of check_ssl_cert which I've called check_treasury_gov_cert and changed one line from

$OPENSSL x509 -inform DER -outform PEM -in "${ISSUER_CERT_TMP2}" -out "${ISSUER_CERT_TMP}"

to

$OPENSSL pkcs7 -inform DER -outform PEM -print_certs -in "${ISSUER_CERT_TMP2}" -out "${ISSUER_CERT_TMP}"

With this one change, it works with certificates issued by the U.S. Treasury CA.

Anyway, I was wondering if you might consider enhancing check_ssl_cert to detect whether the issuer cert is pkcs7 or x509 and do the appropriate thing automatically? Thanks!

matteocorti commented 3 years ago

Thanks, good idea. Do you have an example that I could use to test?

esabol commented 3 years ago

Do you have an example that I could use to test?

Good question. Unfortunately, the ones I know about aren't on the public Internet. There must be some. I just don't know about them. If I find one, I'll let you know.

matteocorti commented 3 years ago

Thanks,

I could implement a patch and if it's OK for you, you could test it ...

I'll try to find some examples on the net.

Cheers

Matteo

esabol commented 3 years ago

I could implement a patch and if it's OK for you, you could test it ...

Sure, that would work!

matteocorti commented 3 years ago

Can you please send me the output of file ${ISSUER_CERT_TMP2} by adding the line to the script?

matteocorti commented 3 years ago

Which version are you using? I checked and it should work if the issuer URI ends with p7c

Can you send me the debugging output?

esabol commented 3 years ago

Can you please send me the output of file ${ISSUER_CERT_TMP2} by adding the line to the script?

It's "filename: data".

Which version are you using?

Well, I was using 1.84.0, but what prompted me to open this issue was downloading the recently released 1.140.0 and testing my U.S. Treasury certs with it. (They all failed, so I assumed it was for the same reason as 1.84.0 -- no support for pkcs7 issuer certs.)

I checked and it should work if the issuer URI ends with p7c

Cool! Yeah, I see the part where it converts from pkcs7 to x509 in the new code. It seems to work, but then it fails later.

Can you send me the debugging output?

Sure, some details redacted though.

[DBG] Command line arguments: -H redacted-hostname.fqdn -P https -p 443 -w 7 -c 3 --ignore-sct --debug
[DBG] -c specified: 3
[DBG] ROOT_CA = 
[DBG] file version: file-5.04
[DBG] magic file from /etc/magic:/usr/share/misc/magic
[DBG] cURL binary needed. SSL Labs = , OCSP = 1, CURL = 
[DBG] cURL binary not specified
[DBG] cURL available: /usr/bin/curl
[DBG] curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.44 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
[DBG] Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp 
[DBG] Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz 
[DBG] nmap binary not needed. No disallowed protocols
expect available (/usr/bin/expect)
timeout available (/usr/bin/timeout)
[DBG] perl available: /usr/bin/perl
[DBG] date available: /bin/date
[DBG] checking date version
found GNU date with timestamp support: enabling date computations
[DBG] check_ssl_cert version: 1.140.0
[DBG] OpenSSL binary: /usr/bin/openssl
[DBG] OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013
[DBG] OpenSSL configuration directory: /etc/pki/tls
[DBG] 249 root certificates installed by default
[DBG]  System info: Linux redacted-hostname 2.x.y-z.....x86_64 #1 SMP Wed Xyz nn 00:00:00 CDT 2020 x86_64 x86_64 x86_64 GNU/Linux
[DBG] Date computation: GNU
[DBG] '/usr/bin/openssl s_client' supports '-servername': using -servername redacted-hostname.fqdn
'/usr/bin/openssl s_client' does not support '-name'
'/usr/bin/openssl s_client' does not support '-xmpphost': disabling 'to' attribute
[DBG] temporary file /tmp/4R0260 created
[DBG] temporary file /tmp/u2RAva created
[DBG] temporary file /tmp/lc3mpM created
[DBG] temporary file /tmp/hpUTpE created
[DBG] temporary file /tmp/1wWoY0 created
[DBG] temporary file /tmp/JyqXsn created
[DBG] temporary file /tmp/SzUCwa created
downloading certificate to /tmp
[DBG] redacted-hostname.fqdn is not an IP address
[DBG] executing with timeout (120s): printf 'HEAD / HTTP/1.1\nHost: redacted-hostname.fqdn\nUser-Agent: check_ssl_cert/1.140.0\nConnection: close\n\n' | /usr/bin/openssl s_client    -crlf -ign_eof  -connect redacted-hostname.fqdn:443 -servername redacted-hostname.fqdn   -showcerts -verify 6       2> /tmp/u2RAva 1> /tmp/4R0260
[DBG] /usr/bin/timeout 120 /bin/sh -c "printf 'HEAD / HTTP/1.1\nHost: redacted-hostname.fqdn\nUser-Agent: check_ssl_cert/1.140.0\nConnection: close\n\n' | /usr/bin/openssl s_client    -crlf -ign_eof  -connect redacted-hostname.fqdn:443 -servername redacted-hostname.fqdn   -showcerts -verify 6       2> /tmp/u2RAva 1> /tmp/4R0260"
[DBG] storing a copy of the retrieved certificate in redacted-hostname.fqdn.crt
[DBG] Return value of the command = 0
[DBG] storing a copy of the retrieved certificate in /tmp/redacted-hostname.fqdn-443.crt
[DBG] storing a copy of the OpenSSL errors in /tmp/redacted-hostname.fqdn-443.error
Checking TLS renegotiation
parsing the x509 certificate file
[DBG] Skipping 0 element of the chain
[DBG] ISSUERS = 
[DBG] issuer= C = US, O = U.S. Government, OU = REDACTEDAGENCY, OU = Certification Authorities, OU = REDACTEDAGENCY ACA\nissuer= C = US, O = U.S. Government, OU = FPKI, CN = Federal Common Policy CA
[DBG] ISSUERS = 
[DBG] O = U.S. Government
[DBG] O = U.S. Government
[DBG] CN = Federal Common Policy CA
[DBG] subject= C = US, O = U.S. Government, OU = REDACTEDAGENCY, OU = Services, CN = redacted-hostname.fqdn
[DBG] CN         = redacted-hostname.fqdn
[DBG] CA         = O = U.S. Government
[DBG] CA         = O = U.S. Government
[DBG] CA         = CN = Federal Common Policy CA
[DBG] SERIAL     = 5D9999C4
[DBG] FINGERPRINT= 55:BA:64:BA:16:8E:EE:87:F0:AB:CA:CF:B5:AD:55:2F:AB:74:27:2C
[DBG] OCSP_URI   = http://ocsp.treas.gov
[DBG] ISSUER_URI = http://pki.treas.gov/noca_ee_aia.p7c
[DBG]     Signature Algorithm: sha256WithRSAEncryption
[DBG] subjectAlternativeName = redacted-hostname.fqdn other-names-redacted.fqdn etc.etc
[DBG] Checking expiration date
[DBG] Number of certificates in CA chain: 2
[DBG] Skipping 0 element of the chain
[DBG] ------------------------------------------------------------------------------
[DBG] Checking expiration date of element 1
[DBG] Validity date on cert element 1 is Jul 21 21:21:05 2022 GMT
[DBG] Date computations: GNU
[DBG] Computing number of hours until 'Jul 21 21:21:05 2022 GMT'
[DBG] Hours until Jul 21 21:21:05 2022 GMT: 12239
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 0 on cert element 1
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 259200 on cert element 1
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 604800 on cert element 1
[DBG] ------------------------------------------------------------------------------
[DBG] Checking OCSP status of element 1
[DBG] temporary file /tmp/NmeGmH created
[DBG] Storing the chain element in /tmp/NmeGmH
[DBG] Checking revokation via OCSP
[DBG] Issuer hash: 60aa0d17
[DBG] Chain element issuer URI: http://pki.treas.gov/noca_ee_aia.p7c
[DBG] OCSP: fetching issuer certificate http://pki.treas.gov/noca_ee_aia.p7c to /tmp/JyqXsn
[DBG] executing with timeout (120s): /usr/bin/curl    --silent --location \"http://pki.treas.gov/noca_ee_aia.p7c\" > /tmp/JyqXsn
[DBG] /usr/bin/timeout 120 /bin/sh -c "/usr/bin/curl    --silent --location \"http://pki.treas.gov/noca_ee_aia.p7c\" > /tmp/JyqXsn"
[DBG] executing: file /tmp/JyqXsn
/tmp/JyqXsn: data
[DBG] OCSP: issuer certificate type (1):  data
[DBG] OCSP: converting issuer certificate from PKCS #7 to PEM
[DBG] OCSP: issuer certificate type (2):  ASCII English text
[DBG] OCSP: issuer certificate type (3):  ASCII English text
[DBG] OCSP: storing a copy of the retrieved issuer certificate to /tmp/noca_ee_aia.p7c
[DBG] OSCP: URI = http://ocsp.treas.gov
[DBG] OCSP: host = ocsp.treas.gov
[DBG] openssl ocsp supports the -header option
[DBG] /usr/bin/openssl ocsp -header requires 'key value'
[DBG] executing /usr/bin/openssl ocsp -timeout "120" -no_nonce -issuer /tmp/JyqXsn -cert /tmp/NmeGmH  -url http://ocsp.treas.gov  -header HOST ocsp.treas.gov
[DBG] OCSP: response = Response verify OK
[DBG] OCSP: response = /tmp/NmeGmH: good
[DBG] OCSP: response =  This Update: Feb 26 15:34:49 2021 GMT
[DBG] OCSP: response =  Next Update: Feb 27 21:14:29 2021 GMT
[DBG] ------------------------------------------------------------------------------
[DBG] Checking expiration date of element 2
[DBG] Validity date on cert element 2 is Apr  2 15:04:55 2022 GMT
[DBG] Date computations: GNU
[DBG] Computing number of hours until 'Apr  2 15:04:55 2022 GMT'
[DBG] Hours until Apr  2 15:04:55 2022 GMT: 9592
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 0 on cert element 2
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 259200 on cert element 2
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 604800 on cert element 2
[DBG] ------------------------------------------------------------------------------
[DBG] Checking OCSP status of element 2
[DBG] temporary file /tmp/SFOH3M created
[DBG] Storing the chain element in /tmp/SFOH3M
[DBG] Checking revokation via OCSP
[DBG] Issuer hash: acbb962e
[DBG] Chain element issuer URI: http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c
[DBG] OCSP: fetching issuer certificate http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c to /tmp/JyqXsn
[DBG] executing with timeout (120s): /usr/bin/curl    --silent --location \"http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c\" > /tmp/JyqXsn
[DBG] /usr/bin/timeout 120 /bin/sh -c "/usr/bin/curl    --silent --location \"http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c\" > /tmp/JyqXsn"
[DBG] executing: file /tmp/JyqXsn
/tmp/JyqXsn: data
[DBG] OCSP: issuer certificate type (1):  data
[DBG] OCSP: converting issuer certificate from PKCS #7 to PEM
[DBG] OCSP: issuer certificate type (2):  empty
[DBG] OCSP: complete issuer certificate type /tmp/JyqXsn: empty
[DBG] cleaning up temporary files
[DBG] 
[DBG] /tmp/4R0260
[DBG] /tmp/u2RAva
[DBG] /tmp/lc3mpM
[DBG] /tmp/hpUTpE
[DBG] /tmp/1wWoY0
[DBG] /tmp/JyqXsn
[DBG] /tmp/SzUCwa
[DBG] /tmp/NmeGmH
[DBG] /tmp/SFOH3M
SSL_CERT UNKNOWN redacted-hostname.fqdn: Unable to fetch a valid certificate issuer certificate.

Just as a comparison, here's the output from my modified version of 1.84.0:

[DBG] ROOT_CA = 
[DBG] cURL binary needed. SSL Labs = , OCSP = 1
[DBG] cURL binary not specified
[DBG] cURL available: /usr/bin/curl
expect available (/usr/bin/expect)
timeout available (/usr/bin/timeout)
[DBG] perl available: /usr/bin/perl
[DBG] date available: /bin/date
found GNU date with timestamp support: enabling date computations
[DBG] check_ssl_cert version: 1.84.1
[DBG] OpenSSL binary: /usr/bin/openssl
[DBG] OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013
[DBG] OpenSSL configuration directory: /etc/pki/tls
[DBG] 249 root certificates installed by default
[DBG] System info: Linux redacted-hostname 2.x.y-z.....x86_64 #1 SMP Wed Xyz nn 00:00:00 CDT 2020 x86_64 x86_64 x86_64 GNU/Linux
[DBG] Date computation: GNU
[DBG] '/usr/bin/openssl s_client' supports '-servername': using -servername redacted-hostname.fqdn
'/usr/bin/openssl s_client' does not support '-xmpphost': disabling 'to' attribute
[DBG] temporary file /tmp/check_ssl_certmzYkRf created
[DBG] temporary file /tmp/check_ssl_certiojMkf created
[DBG] temporary file /tmp/check_ssl_cert9BimpD created
[DBG] temporary file /tmp/check_ssl_certIia0CB created
downloading certificate to /tmp
[DBG] redacted-hostname.fqdn is not an IP address
[DBG] executing with timeout (15s): printf 'HEAD / HTTP/1.1\nHost: redacted-hostname.fqdn\nUser-Agent:  check_ssl_cert/1.84.1\nConnection: close\n\n' | /usr/bin/openssl s_client   -crlf -ign_eof -connect redacted-hostname.fqdn:443 -servername redacted-hostname.fqdn -showcerts -verify 6     2> /tmp/check_ssl_certiojMkf 1> /tmp/check_ssl_certmzYkRf
[DBG]   /usr/bin/timeout 15 /bin/sh -c "printf 'HEAD / HTTP/1.1\nHost: redacted-hostname.fqdn\nUser-Agent: check_ssl_cert/1.84.1\nConnection: close\n\n' | /usr/bin/openssl s_client   -crlf -ign_eof -connect  redacted-hostname.fqdn:443 -servername redacted-hostname.fqdn -showcerts -verify 6     2> /tmp/check_ssl_certiojMkf 1> /tmp/check_ssl_certmzYkRf"
[DBG] storing a copy of the retrieved certificate in redacted-hostname.fqdn.crt
[DBG] storing a copy of the OpenSSL errors in redacted-hostname.fqdn.error
parsing the x509 certificate file
[DBG] subject= C = US, O = U.S. Government, OU = REDACTEDAGENCY, OU = Services, CN = redacted-hostname.fqdn
[DBG] CN         = redacted-hostname.fqdn
[DBG] CA         = U.S. Government
[DBG] CA         = Federal Common Policy CA
[DBG] SERIAL     = 5D9999C4
[DBG] FINGERPRINT= 55:BA:64:BA:16:8E:EE:87:F0:AB:CA:CF:B5:AD:55:2F:AB:74:27:2C
[DBG] OCSP_URI   = http://ocsp.treas.gov
[DBG] ISSUER_URI = http://pki.treas.gov/noca_ee_aia.p7c
[DBG]     Signature Algorithm: sha256WithRSAEncryption
[DBG] Date computations: GNU
The certificate will expire in 509 day(s)
[DBG] subjectAlternativeName = redacted-hostname.fqdn other-names-redacted.fqdn etc.etc
[DBG] Checking expiration date
[DBG] executing: /usr/bin/openssl x509 -in /tmp/check_treasury_gov_certxcJOye -noout -checkend 259200
[DBG] executing: /usr/bin/openssl x509 -in /tmp/check_treasury_gov_certxcJOye -noout -checkend 604800
[DBG] Checking revokation via OCSP
[DBG] OCSP: fetching issuer certificate http://pki.treas.gov/noca_ee_aia.p7c to /tmp/check_treasury_gov_certUnJxi7
[DBG] executing with timeout (15s): /usr/bin/curl --silent --location http://pki.treas.gov/noca_ee_aia.p7c > /tmp/check_treasury_gov_certUnJxi7
[DBG]   /usr/bin/timeout 15 /bin/sh -c "/usr/bin/curl --silent --location http://pki.treas.gov/noca_ee_aia.p7c > /tmp/check_treasury_gov_certUnJxi7"
[DBG] OCSP: issuer certificate type:  data
[DBG] OCSP: converting issuer certificate from DER to PEM
[DBG] OCSP: storing a copy of the retrieved issuer certificate to noca_ee_aia.p7c
[DBG] OCSP: host = ocsp.treas.gov
[DBG] openssl ocsp supports the -header option
[DBG] openssl ocsp -header requires 'key value'
[DBG] executing /usr/bin/openssl ocsp -no_nonce -issuer /tmp/check_treasury_gov_certUnJxi7 -cert /tmp/check_treasury_gov_certxcJOye  -url http://ocsp.treas.gov  -header HOST ocsp.treas.gov
[DBG] OCSP: response = Response verify OK
[DBG] OCSP: response = /tmp/check_treasury_gov_certxcJOye: good
[DBG] OCSP: response =  This Update: Feb 26 15:34:49 2021 GMT
[DBG] OCSP: response =  Next Update: Feb 27 21:14:29 2021 GMT
SSL_CERT OK - x509 certificate 'redacted-hostname.fqdn' from 'U.S. Government' valid until Jul 21 21:21:05 2022 GMT (expires in 509 days)|days=509;7;3;;
[DBG] cleaning up temporary files
[DBG]   /tmp/check_treasury_gov_certxcJOye
[DBG]   /tmp/check_treasury_gov_certarx38U
[DBG]   /tmp/check_treasury_gov_certUnJxi7
[DBG]   /tmp/check_treasury_gov_certSZ1g8G

It looks like 1.140.0 is doing more stuff. The problem actually appears to be with the contents of http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c ?

Unrelated: I don't know what SCT is, but I can't seem to get it working with any of my hosts using 1.140.0. I've had to add --ignore-sct to all of my check_ssl_cert commands. www.google.com doesn't work with SCT either. Is that expected?

matteocorti commented 3 years ago

Hi

The problem is here

[DBG] Chain element issuer URI: http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c
[DBG] OCSP: fetching issuer certificate http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c to /tmp/JyqXsn
[DBG] executing with timeout (120s): /usr/bin/curl    --silent --location \"http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c\" > /tmp/JyqXsn
[DBG] /usr/bin/timeout 120 /bin/sh -c "/usr/bin/curl    --silent --location \"http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c\" > /tmp/JyqXsn"
[DBG] executing: file /tmp/JyqXsn
/tmp/JyqXsn: data
[DBG] OCSP: issuer certificate type (1):  data
[DBG] OCSP: converting issuer certificate from PKCS #7 to PEM
[DBG] OCSP: issuer certificate type (2):  empty
[DBG] OCSP: complete issuer certificate type /tmp/JyqXsn: empty

or

$ wget http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c
--2021-02-28 15:11:24--  http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c
Resolving http.fpki.gov (http.fpki.gov)... 13.224.94.55, 13.224.94.13, 13.224.94.14, ...
Connecting to http.fpki.gov (http.fpki.gov)|13.224.94.55|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 41 [application/pkcs7-mime]
Saving to: ‘caCertsIssuedTofcpca.p7c’

caCertsIssuedTofcpca.p7c          100%[============================================================>]      41  --.-KB/s    in 0s      

2021-02-28 15:11:24 (3.91 MB/s) - ‘caCertsIssuedTofcpca.p7c’ saved [41/41]

$ openssl pkcs7 -print_certs -inform DER -outform PEM -in ./caCertsIssuedTofcpca.p7c -out test.pem
$ file test.pem 
test.pem: empty
$ 
matteocorti commented 3 years ago

I am not an expert but the file seems a little bit too small:

$ openssl pkcs7 -inform DER -in ./caCertsIssuedTofcpca.p7c -text 
-----BEGIN PKCS7-----
MCcGCSqGSIb3DQEHAqAaMBgCAQExADALBgkqhkiG9w0BBwGgAKEAMQA=
-----END PKCS7-----

And contains no certificates:

$ openssl pkcs7 -print_certs -inform DER -in ./caCertsIssuedTofcpca.p7c
$ 
matteocorti commented 3 years ago

I could just ignore it, but I feel that it would be better to know that the second element in the chain is not a valid issuer certificate (as it is empty ...)

esabol commented 3 years ago

Based on my limited understanding from googling this certificate (caCertsIssuedTofcpca.p7c), it is apparently by design and empty certs are valid and should simply be ignored. (See https://gitlab.com/gitlab-org/gitlab-runner/-/merge_requests/2737.) Thoughts?

% openssl pkcs7 -print_certs -in caCertsIssuedTofcpca.p7c -inform DER -noout -print
PKCS7: 
  type: pkcs7-signedData (1.2.840.113549.1.7.2)
  d.sign: 
    version: 1
    md_algs:
      <EMPTY>
    contents: 
      type: pkcs7-data (1.2.840.113549.1.7.1)
      d.data: <ABSENT>
    cert:
      <EMPTY>
    crl:
      <EMPTY>
    signer_info:
      <EMPTY>
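The two points raised in this thread (auto-detecting whether an AIA issuer file is DER X.509 or DER PKCS#7, and not treating a PKCS#7 bundle that carries zero certificates as a usable issuer) can be handled in one small POSIX sh function. This is an added example, not code from check_ssl_cert; it assumes only that `openssl` is on the PATH, builds its own throwaway self-signed "issuer" for the demo, and reuses the 41-byte empty signedData blob quoted earlier in the thread as the empty-bundle case.

```shell
#!/bin/sh
# Added example (not check_ssl_cert's own code): normalise a downloaded AIA
# issuer file to PEM and distinguish "no certificate inside" from success.
set -u

# issuer_to_pem IN OUT
#   0 = OUT now holds at least one PEM certificate
#   1 = IN is neither PEM, DER X.509 nor DER PKCS#7
#   2 = IN parsed, but contains no certificate (empty PKCS#7 case)
issuer_to_pem() {
    in=$1; out=$2
    if grep -q -- '-----BEGIN' "$in"; then
        # Already PEM: either a bare certificate or a PEM PKCS#7 bundle
        if grep -q -- '-----BEGIN PKCS7-----' "$in"; then
            openssl pkcs7 -inform PEM -in "$in" -print_certs -out "$out" 2>/dev/null || return 1
        else
            cp "$in" "$out"
        fi
    elif openssl x509 -inform DER -in "$in" -noout 2>/dev/null; then
        # DER X.509: the only format the original check handled
        openssl x509 -inform DER -in "$in" -outform PEM -out "$out" 2>/dev/null || return 1
    elif openssl pkcs7 -inform DER -in "$in" -noout 2>/dev/null; then
        # DER PKCS#7 (.p7c): pull out the embedded certificates, if any
        openssl pkcs7 -inform DER -in "$in" -print_certs -out "$out" 2>/dev/null || return 1
    else
        return 1
    fi
    # A syntactically valid bundle may still hold zero certificates
    grep -q -- '-----BEGIN CERTIFICATE-----' "$out" || return 2
    return 0
}

# --- constructed demo inputs (not real CA material) -------------------------
WORK=$(mktemp -d)
# Throwaway self-signed cert standing in for an issuer
openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=demo-issuer' -days 1 \
    -keyout "$WORK/key.pem" -out "$WORK/issuer.pem" 2>/dev/null
openssl x509 -in "$WORK/issuer.pem" -outform DER -out "$WORK/issuer.der"
# The same cert wrapped in a DER PKCS#7 bundle, as a CA's AIA .p7c would be
openssl crl2pkcs7 -nocrl -certfile "$WORK/issuer.pem" -outform DER -out "$WORK/issuer.p7c"
# The empty signedData quoted in this thread (caCertsIssuedTofcpca.p7c)
printf '%s\n' '-----BEGIN PKCS7-----' \
    'MCcGCSqGSIb3DQEHAqAaMBgCAQExADALBgkqhkiG9w0BBwGgAKEAMQA=' \
    '-----END PKCS7-----' | openssl pkcs7 -inform PEM -outform DER -out "$WORK/empty.p7c"

demo() {
    for f in issuer.der issuer.p7c issuer.pem empty.p7c; do
        issuer_to_pem "$WORK/$f" "$WORK/$f.out.pem"
        echo "$f -> status $?"
    done
}
```

Running `demo` reports status 0 for the three real inputs and status 2 for empty.p7c, which is the case a plugin should report as "no valid issuer certificate" rather than pass on to `openssl ocsp`.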
matteocorti commented 3 years ago

Hi

Thanks. I’ll take a look next week end as I will be away for a couple of days.

Matteo

-- Matteo Corti http://corti.li

esabol commented 3 years ago

I’ll take a look next week end as I will be away for a couple of days.

Cool. No rush. Thanks for your time.

I’ve renamed the issue. Could you reopen it?

matteocorti commented 3 years ago

Could you please test if the last commit fixes the issue?

esabol commented 3 years ago

Could you please test if the last commit fixes the issue?

I tested the 1.141.0 release, and it worked! Thanks!

I still need to add --ignore-sct for all of our certs. I'm talking US Treasury CA certs and LetsEncrypt certs. I can certainly believe the US Treasury CA doesn't support SCT, but, based on my googling, LetsEncrypt does support SCT, so I'm not sure why that's not working. Do you have any insight you can share there?

It also fails for google.com, fwiw. Debug output doesn't seem to be informative. Is there a site on the public Internet with which I can successfully test SCT? Should I open an issue for SCT?

Regardless, this issue can be closed. Thanks again!

matteocorti commented 3 years ago

SCTs are a list of Signed Certificate Timestamps. These are part of certificate transparency, as defined in RFC 6962. See https://stackoverflow.com/questions/63450550/what-is-sct-list-in-ssl-certificate

It could well be that non-public certificates have no SCTs

I get no problems with Google:

$ ./check_ssl_cert -H google.com
SSL_CERT OK - x509 certificate '*.google.com' from 'GTS CA 1O1' valid until May 12 12:27:53 2021 GMT (expires in 63 days)|days_chain_elem1=63;20;15;; days_chain_elem2=280;20;15;;

If you get an error open a new issue with the debugging output and I'll take a look.