Closed moritz-makandra closed 2 years ago
The error message is not the best, but it seems that you can not connect to r3.o.lencr.org on port 80.
I could improve it, if I could reproduce the error.
Please post the full log (I don't even know which system you are using).
The hostname would be really nice to have to reproduce the problem. If you really want to keep it secret, please send it to me privately.
I committed a new version, which should generate a little bit more output about the error.
The error message is not the best, but it seems that you can not connect to r3.o.lencr.org on port 80.
This is the problem. While connecting to r3.o.lencr.org works fine over IPv4, IPv6 seems broken.
Thank you for pointing me in the right direction.
You could try to force IPv4 with the -4 flag. I have several hosts with Let's Encrypt and it seems to work with IPv6.
Unfortunately this doesn't generate reproducible results; sometimes the check fails when -4 is set and sometimes when -6. I think this could be caused by some sort of rate limiting or DDoS protection at Akamai.
I am trying to test but the -6 and -4 are not really working. openssl s_client -6 is even connecting to a host with IPv4 only (see https://github.com/openssl/openssl/issues/18173).
I tried reproducing this problem on a different internet access, without success. I think this is not caused by any bug in check_ssl_cert.
Being able to distinguish between IPv4 and IPv6 would be great. Hopefully the issue in OpenSSL gets addressed.
Thank you for your support and the great tool.
Ok, then I'll close the issue. If something pops up, please let me know.
When I run the script to check the certs on our servers with OCSP enabled I get a CRITICAL with the message
OCSP error (-v for details)
The version is 2.25.0
My parameters are:
I found this in the debug log. I tried the openssl command standalone. When I remove the -timeout parameter the command works fine.
The certificate chain
The full debug output