ignore ocsp errors/timeout

Describe the bug
Despite running with --ignore-ocsp-errors --ignore-ocsp-timeout a OCSP error leads to a CRITICAL exit code.
To Reproduce
check_ssl_cert --ignore-ocsp-errors --ignore-ocsp-timeout --protocol pop3s -6 -H pop3.mailbox.org -d -d -d -d -v
However I'd assume the actual OCSP error will be gone in a few hours.
Expected behavior
Actually ignore this OCSP error as per command line argument and return OK.
System (please complete the following information):
OS: Ubuntu
OS version: 20.04 LTS
check_ssl_cert version: 2.55.0
OpenSSL version (openssl version): 1.1.1f
Additional context/output
lukas@htznr2:~$ /home/lukas/check_ssl_cert --ignore-ocsp-errors --ignore-ocsp-timeout --protocol pop3s -6 -H pop3.mailbox.org -d -d -d -d -v
[DBG] Shell: /bin/bash
[DBG]   GNU bash, version 5.0.17(1)-release (x86_64-pc-linux-gnu)
[DBG]   Copyright (C) 2019 Free Software Foundation, Inc.
[DBG]   License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
[DBG]
[DBG]   This is free software; you are free to change and redistribute it.
[DBG]   There is NO WARRANTY, to the extent permitted by law.
[DBG] grep: grep
[DBG]   grep (GNU grep) 3.4
[DBG]   Copyright (C) 2020 Free Software Foundation, Inc.
[DBG]   License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
[DBG]   This is free software: you are free to change and redistribute it.
[DBG]   There is NO WARRANTY, to the extent permitted by law.
[DBG]
[DBG]   Written by Mike Haertel and others; see
[DBG]   <https://git.sv.gnu.org/cgit/grep.git/tree/AUTHORS>.
[DBG] hostname: /bin/hostname
[DBG] $PATH: /home/lukas/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
[DBG] Command line arguments: --ignore-ocsp-errors --ignore-ocsp-timeout --protocol pop3s -6 -H pop3.mailbox.org -d -d -d -d -v
[DBG]   TMPDIR = /tmp
[DBG] Required HTTP headers:
[DBG] Unrequired HTTP headers:
[DBG] Adding the domain if missing
[DBG] HOST = pop3.mailbox.org
[DBG] SNI                 =
[DBG] HOST_NAME           = pop3.mailbox.org
[DBG] HOST_ADDR           = pop3.mailbox.org
[DBG] NAMES_TO_BE_CHECKED = __HOST__
[DBG] Checking if pop3.mailbox.org is an IP address
[DBG] pop3.mailbox.org is not an IP address
[DBG] HOST_IS_IP.         = 0
[DBG] Checking if pop3.mailbox.org is an IP address
[DBG] pop3.mailbox.org is not an IP address
[DBG] Adding pop3.mailbox.org to NAMES_TO_BE_CHECKED
[DBG] NAMES_TO_BE_CHECKED = pop3.mailbox.org
[DBG] curl binary needed. SSL Labs = , OCSP = 1, CURL = , IGNORE_CONNECTION_STATE=, FILE_URI=
[DBG] curl binary not specified
[DBG] curl available: /usr/bin/curl
[DBG] curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11 brotli/1.0.7 libidn2/2.2.0 libpsl/0.21.0 (+libidn2/2.2.0) libssh/0.9.3/openssl/zlib nghttp2/1.40.0 librtmp/2.3
[DBG] Release-Date: 2020-01-08
[DBG] Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
[DBG] Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets
[DBG] -c specified: 15
[DBG] -w specified: 20
[DBG] Executing comparison '1728000 <= 1296000'
[DBG]   bc result = 0
[DBG]   returning 1
[DBG] ROOT_CA =
[DBG] mktemp available: /bin/mktemp
[DBG] file version: file-5.38
[DBG] magic file from /etc/magic:/usr/share/misc/magic
[DBG] nmap binary not specified
[DBG] nmap available: /usr/bin/nmap
[DBG] Checking IPs: host pop3.mailbox.org
[DBG] perl available: /usr/bin/perl
[DBG] date available: /bin/date
[DBG] checking date version
[DBG] date computation type: GNU
[DBG] check_ssl_cert version: 2.55.0
[DBG] OpenSSL binary: /usr/bin/openssl
[DBG] OpenSSL info:
[DBG] OpenSSL 1.1.1f  31 Mar 2020
[DBG] built on: Mon Jul  4 11:24:28 2022 UTC
[DBG] platform: debian-amd64
[DBG] options:  bn(64,64) rc4(16x,int) des(int) blowfish(ptr)
[DBG] compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-51ig8V/openssl-1.1.1f=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_TLS_SECURITY_LEVEL=2 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
[DBG] OPENSSLDIR: "/usr/lib/ssl"
[DBG] ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"
[DBG] Seeding source: os-specific
[DBG] OpenSSL configuration directory: /usr/lib/ssl
[DBG] 0 root certificates installed by default
[DBG]  System info: Linux htznr2 5.4.0-131-generic #147-Ubuntu SMP Fri Oct 14 17:07:22 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
[DBG] Date computation: GNU
[DBG] '/usr/bin/openssl s_client' supports '-servername': using -servername pop3.mailbox.org
[DBG] Proxy settings (before):
[DBG]   http_proxy  =
[DBG]   https_proxy =
[DBG]   HTTP_PROXY  =
[DBG]   HTTPS_PROXY =
[DBG] Proxy settings (after):
[DBG]   http_proxy  =
[DBG]   https_proxy =
[DBG]   HTTP_PROXY  =
[DBG]   HTTPS_PROXY =
[DBG]   s_client    =
[DBG]   curl        =
[DBG] '/usr/bin/openssl s_client' supports '-name': using htznr2
[DBG] '/usr/bin/openssl s_client' supports '-xmpphost': using -xmpphost pop3.mailbox.org
[DBG] HOST_HEADER = pop3.mailbox.org
[DBG] Testing connection with pop3.mailbox.org:995
[DBG] Executing: '/usr/bin/nmap -6 --unprivileged -Pn -p 995 pop3.mailbox.org'
[DBG] Sanity checks: OK
[DBG] temporary file /tmp/vnkO3p created
[DBG] temporary file /tmp/S6KdC0 created
[DBG] temporary file /tmp/rhkYGI created
[DBG] temporary file /tmp/unPuqi created
[DBG] temporary file /tmp/Hx7HiW created
[DBG] temporary file /tmp/nD25wK created
[DBG] temporary file /tmp/GP70jS created
[DBG] Temporary files created
[DBG] pop3.mailbox.org is not an IP address
[DBG] fetch_certificate: PROTOCOL = pop3s
[DBG] exec_with_timeout printf 'QUIT
[DBG] ' | /usr/bin/openssl s_client -6   -crlf -showcerts -connect pop3.mailbox.org:995 -servername pop3.mailbox.org   -verify 6        2> /tmp/S6KdC0 1> /tmp/vnkO3p
[DBG]   TIMEOUT_REASON = fetching certificate
[DBG] executing with timeout (120s): printf 'QUIT
[DBG] ' | /usr/bin/openssl s_client -6   -crlf -showcerts -connect pop3.mailbox.org:995 -servername pop3.mailbox.org   -verify 6        2> /tmp/S6KdC0 1> /tmp/vnkO3p
[DBG]   start time = 1669765988
[DBG] /usr/bin/timeout 120 /bin/sh -c "printf 'QUIT
[DBG] ' | /usr/bin/openssl s_client -6   -crlf -showcerts -connect pop3.mailbox.org:995 -servername pop3.mailbox.org   -verify 6        2> /tmp/S6KdC0 1> /tmp/vnkO3p"
[DBG]   end time = 1669765988
[DBG]   new timeout = 120
[DBG] Return value of the command = 0
[DBG] Negotiated protocol:
[DBG] openssl_version 3.0.0
[DBG] Checking if OpenSSL version is at least 3.0.0 ( '3' '0' '0' ':0' )
[DBG] openssl version: OpenSSL 1.1.1f  31 Mar 2020
[DBG] Current version 1.1.1f ( '1' '1' '1' 'f:102' )
[DBG]   false
[DBG] checking TLS renegotiation
[DBG] exec_with_timeout printf 'R
[DBG] ' | /usr/bin/openssl s_client -6 -crlf -connect pop3.mailbox.org:995 -servername pop3.mailbox.org   2>&1 | /bin/grep -F -q err
[DBG]   TIMEOUT_REASON = checking TLS renegotiation
[DBG] executing with timeout (120s): printf 'R
[DBG] ' | /usr/bin/openssl s_client -6 -crlf -connect pop3.mailbox.org:995 -servername pop3.mailbox.org   2>&1 | /bin/grep -F -q err
[DBG]   start time = 1669765988
[DBG] /usr/bin/timeout 120 /bin/sh -c "printf 'R
[DBG] ' | /usr/bin/openssl s_client -6 -crlf -connect pop3.mailbox.org:995 -servername pop3.mailbox.org   2>&1 | /bin/grep -F -q err"
[DBG]   end time = 1669765988
[DBG]   new timeout = 120
TLS renegotiation OK
[DBG] extracting cert attribute enddate
[DBG] extracting cert attribute startdate
[DBG] extracting cert attribute cn
[DBG] extracting cert attribute subject
[DBG] SUBJECT = subject=CN = *.mailbox.org
[DBG] extracting cert attribute serial
[DBG] SERIAL = 0CAE10A9084B9AB44D32BFA3634FBBE6
[DBG] extracting cert attribute version
[DBG] X509_VERSION = 3 (0x2)
[DBG] extracting cert attribute fingerprint
[DBG] FINGERPRINT = BD:8A:1E:32:79:14:4B:A6:A2:07:BA:F0:EC:5A:2F:83:2E:1B:C0:AC
[DBG] Checking if x509 supports the -ext option
[DBG] extracting cert attribute keyUsage
[DBG] Certificate purpose is not defined as critical
[DBG] extracting cert attribute oscp_uri_single
[DBG] extracting cert attribute oscp_uri
[DBG] OCSP_URI = http://status.thawte.com
[DBG] Extracting issuers
[DBG]   Number of certificates in the chain: 2
[DBG] Checking certificate chain
[DBG]     extracting issuer for element 1
[DBG] extracting cert attribute issuer
[DBG] ELEMENT_ISSUER=DigiCert Inc
[DBG] ELEMENT_ISSUER=Thawte TLS RSA CA G1
[DBG] ISSUERS=DigiCert Inc
[DBG] ISSUERS=Thawte TLS RSA CA G1
[DBG]     extracting issuer for element 2
[DBG] extracting cert attribute issuer
[DBG] ELEMENT_ISSUER=DigiCert Inc
[DBG] ELEMENT_ISSUER=DigiCert Global Root G2
[DBG] ISSUERS=DigiCert Inc
[DBG] ISSUERS=Thawte TLS RSA CA G1
[DBG] ISSUERS=DigiCert Inc
[DBG] ISSUERS=DigiCert Global Root G2
[DBG] Certificate chain check finished
[DBG] ISSUERS =
[DBG] DigiCert Inc
[DBG] Thawte TLS RSA CA G1
[DBG] DigiCert Inc
[DBG] DigiCert Global Root G2
[DBG] extracting cert attribute issuer_uri_single
[DBG] extracting cert attribute issuer_uri
[DBG] extracting cert attribute sig_algo
[DBG] subject=CN = *.mailbox.org
[DBG] CN         = *.mailbox.org
[DBG] CA         = DigiCert Inc
[DBG] CA         = Thawte TLS RSA CA G1
[DBG] CA         = DigiCert Inc
[DBG] CA         = DigiCert Global Root G2
[DBG] SERIAL     = 0CAE10A9084B9AB44D32BFA3634FBBE6
[DBG] FINGERPRINT= BD:8A:1E:32:79:14:4B:A6:A2:07:BA:F0:EC:5A:2F:83:2E:1B:C0:AC
[DBG] OCSP_URI   = http://status.thawte.com
[DBG] ISSUER_URI = http://cacerts.thawte.com/ThawteTLSRSACAG1.crt
[DBG] rsaEncryption (4096 bit)
[DBG] extracting cert attribute subjectAlternativeName
[DBG] subjectAlternativeName = *.mailbox.org mailbox.org
The certificate for this site contains a Subject Alternative Name extension
[DBG] Check the common name and alternative names
[DBG] CN                       = *.mailbox.org
[DBG] SUBJECT_ALTERNATIVE_NAME = *.mailbox.org
[DBG] SUBJECT_ALTERNATIVE_NAME = mailbox.org
[DBG] ALTNAMES                 = 1
[DBG] NAMES_TO_BE_CHECKED      = pop3.mailbox.org
[DBG]   checking 'pop3.mailbox.org'
[DBG]     common name
[DBG]         checking (1) if pop3.mailbox.org matches ^[A-Za-z0-9_-]*[.]mailbox[.]org$
[DBG]         pop3.mailbox.org matches ^[A-Za-z0-9_-]*[.]mailbox[.]org$
[DBG]       checking (2) if the pop3.mailbox.org matches ^*.mailbox.org$
[DBG]     alternative names
[DBG]       check altname: *.mailbox.org
[DBG]         the altname *.mailbox.org begins with a '*'
[DBG]         checking if (4) pop3.mailbox.org matches ^mailbox.org$
[DBG]       checking if (5) pop3.mailbox.org matches ^[A-Za-z0-9_-]*[.]mailbox[.]org$
[DBG]         pop3.mailbox.org matches ^[A-Za-z0-9_-]*[.]mailbox[.]org$
[DBG]         checking if (6) pop3.mailbox.org matches ^*.mailbox.org$
[DBG]       check altname: mailbox.org
[DBG]  CN check finished
[DBG] Checking expiration date
[DBG] Number of certificates in CA chain: 2
[DBG] ------------------------------------------------------------------------------
[DBG] -- Checking element 1
[DBG] extracting cert attribute cn
[DBG] Checking expiration date of element 1 (*.mailbox.org)
[DBG] extracting cert attribute enddate
[DBG] Validity date on cert element 1 (*.mailbox.org) is Jun  9 23:59:59 2023 GMT
[DBG] Date computations: GNU
[DBG] Computing number of hours until 'Jun  9 23:59:59 2023 GMT' with GNU
[DBG] Computing '(1686355199-1669765988)/3600' (precision 0)
[DBG] Hours until Jun  9 23:59:59 2023 GMT: 4608
[DBG] Computing '4608/24' (precision 0)
[DBG] Computing '4608 * 3600' (precision 0)
[DBG] Adding line to prometheus days output: cert_days_chain_elem{cn="*.mailbox.org", element="1"} 192
[DBG]   valid for 192 days
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 0 on cert element 1 (*.mailbox.org)
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 1296000 on cert element 1 (*.mailbox.org)
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 1728000 on cert element 1
Certificate element 1 (*.mailbox.org) is valid for 192 days
[DBG] Adding line to prometheus validity output: cert_valid_chain_elem{cn="*.mailbox.org", element="1"} 0
[DBG] ------------------------------------------------------------------------------
[DBG] Checking OCSP status of element 1
[DBG] temporary file /tmp/jT7eLW created
[DBG] Storing the chain element in /tmp/jT7eLW
[DBG] Checking revocation via OCSP
[DBG] extracting cert attribute issuer_hash
[DBG] Issuer hash: 0feb9fd6
[DBG] extracting cert attribute issuer_uri
[DBG] Chain element issuer URIs: http://cacerts.thawte.com/ThawteTLSRSACAG1.crt
[DBG] checking issuer URIs: http://cacerts.thawte.com/ThawteTLSRSACAG1.crt
[DBG] OCSP: fetching issuer certificate http://cacerts.thawte.com/ThawteTLSRSACAG1.crt to /tmp/nD25wK
[DBG] exec_with_timeout /usr/bin/curl   -6 --silent --user-agent 'check_ssl_cert/2.55.0' --location \"http://cacerts.thawte.com/ThawteTLSRSACAG1.crt\" > /tmp/nD25wK
[DBG]   TIMEOUT_REASON = OCSP: fetching issuer http://cacerts.thawte.com/ThawteTLSRSACAG1.crt
[DBG] executing with timeout (120s): /usr/bin/curl   -6 --silent --user-agent 'check_ssl_cert/2.55.0' --location \"http://cacerts.thawte.com/ThawteTLSRSACAG1.crt\" > /tmp/nD25wK
[DBG]   start time = 1669765988
[DBG] /usr/bin/timeout 120 /bin/sh -c "/usr/bin/curl   -6 --silent --user-agent 'check_ssl_cert/2.55.0' --location \"http://cacerts.thawte.com/ThawteTLSRSACAG1.crt\" > /tmp/nD25wK"
[DBG]   end time = 1669765988
[DBG]   new timeout = 120
[DBG] OCSP: issuer certificate type (1): data
[DBG] OCSP: issuer certificate type (2): data
[DBG] OCSP: converting issuer certificate from DER to PEM
[DBG] OCSP: issuer certificate type (3): PEM certificate
[DBG] extracting cert attribute oscp_uri
[DBG] OCSP: URIs = http://status.thawte.com
[DBG] OCSP: URI = http://status.thawte.com
[DBG] OCSP: host = status.thawte.com
[DBG] openssl ocsp supports the -header option
[DBG] /usr/bin/openssl ocsp -header requires 'key=value'
[DBG] executing /usr/bin/openssl ocsp -timeout "120" -no_nonce -issuer /tmp/nD25wK -cert /tmp/jT7eLW  -url http://status.thawte.com  -header HOST=status.thawte.com
[DBG] OCSP: response = Error querying OCSP responder
[DBG] OCSP: not good. HTTP_PROXY =
[DBG] executing /usr/bin/openssl ocsp -timeout "120" -no_nonce -issuer "/tmp/nD25wK" -cert "/tmp/jT7eLW" -url "http://status.thawte.com" "" 2>&1
[DBG] Error querying OCSP responder
CRITICAL error: OCSP error (Error querying OCSP responder)
[DBG] CRITICAL ----------------------------------------
[DBG] prepend_critical_message: new message    = OCSP error (Error querying OCSP responder)
[DBG] prepend_critical_message: CRITICAL_MSG   =
[DBG] prepend_critical_message: ALL_MSG 1      =
[DBG] prepend_critical_message: MSG 2          = SSL_CERT CRITICAL *.mailbox.org:pop3s: OCSP error (Error querying OCSP responder)
[DBG] prepend_critical_message: CRITICAL_MSG 2 = SSL_CERT CRITICAL *.mailbox.org:pop3s: OCSP error (Error querying OCSP responder)
[DBG] prepend_critical_message: ALL_MSG 2      =
[DBG]     SSL_CERT CRITICAL *.mailbox.org:pop3s: OCSP error (Error querying OCSP responder)
[DBG] CRITICAL ----------------------------------------
[DBG] Timeout before OCSP check: 120
[DBG] Timeout after OCSP check:  119
OCSP check for element 1 OK
[DBG] ------------------------------------------------------------------------------
[DBG] -- Checking element 2
[DBG] extracting cert attribute cn
[DBG] Checking expiration date of element 2 (Thawte TLS RSA CA G1)
[DBG] extracting cert attribute enddate
[DBG] Validity date on cert element 2 (Thawte TLS RSA CA G1) is Nov  2 12:24:25 2027 GMT
[DBG] Date computations: GNU
[DBG] Computing number of hours until 'Nov  2 12:24:25 2027 GMT' with GNU
[DBG] Computing '(1825158265-1669765989)/3600' (precision 0)
[DBG] Hours until Nov  2 12:24:25 2027 GMT: 43164
[DBG] Computing '43164/24' (precision 0)
[DBG] Computing '43164 * 3600' (precision 0)
[DBG] Adding line to prometheus days output: cert_days_chain_elem{cn="*.mailbox.org", element="2"} 1798
[DBG]   valid for 1798 days
[DBG] Executing comparison '43164 < 4608'
[DBG]   bc result = 0
[DBG]   returning 1
[DBG] Executing comparison '1798 < 192'
[DBG]   bc result = 0
[DBG]   returning 1
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 0 on cert element 2 (Thawte TLS RSA CA G1)
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 1296000 on cert element 2 (Thawte TLS RSA CA G1)
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 1728000 on cert element 2
Certificate element 2 (Thawte TLS RSA CA G1) is valid for 1798 days
[DBG] Adding line to prometheus validity output: cert_valid_chain_elem{cn="*.mailbox.org", element="2"} 0
[DBG] ------------------------------------------------------------------------------
[DBG] Checking OCSP status of element 2
[DBG] temporary file /tmp/BC77jb created
[DBG] Storing the chain element in /tmp/BC77jb
[DBG] Checking revocation via OCSP
[DBG] extracting cert attribute issuer_hash
[DBG] Issuer hash: 607986c7
[DBG] extracting cert attribute issuer_uri
Warning cannot find the CA Issuers in the certificate chain element 2: disabling OCSP checks on chain element 2
[DBG] ------------------------------------------------------------------------------
[DBG] extracting cert attribute email
[DBG] EMAIL =
The certificate was successfully verified
[DBG] openssl_version 1.1.0
[DBG] Checking if OpenSSL version is at least 1.1.0 ( '1' '1' '0' ':0' )
[DBG] openssl version: 1.1.1f
[DBG] Current version 1.1.1f ( '1' '1' '1' 'f:102' )
[DBG]   true
[DBG] Checking Signed Certificate Timestamps (SCTs)
[DBG] extracting cert attribute sct
The certificate contains signed certificate timestamps (SCT)
Skipping maximum validity test for non HTTP protocols
[DBG] cleaning up temporary files
[DBG]
[DBG] /tmp/vnkO3p
[DBG] /tmp/S6KdC0
[DBG] /tmp/rhkYGI
[DBG] /tmp/unPuqi
[DBG] /tmp/Hx7HiW
[DBG] /tmp/nD25wK
[DBG] /tmp/GP70jS
[DBG] /tmp/jT7eLW
[DBG] /tmp/BC77jb
[DBG] exiting with CRITICAL
[DBG] ALL_MSG =
[DBG]     SSL_CERT CRITICAL *.mailbox.org:pop3s: OCSP error (Error querying OCSP responder)
[DBG] number of errors = 1
SSL_CERT CRITICAL *.mailbox.org:pop3s: OCSP error (Error querying OCSP responder)|days_chain_elem1=192;20;15;; days_chain_elem2=1798;20;15;;
lukas@htznr2:~$
matteocorti / check_ssl_cert

ignore ocsp errors/timeout #431
