Problem description
Running `certbot renew` returns the following error:
2020-06-23 16:46:12,224:DEBUG:certbot._internal.main:certbot version: 1.5.0
2020-06-23 16:46:12,226:DEBUG:certbot._internal.main:Arguments: []
2020-06-23 16:46:12,227:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#certbot-dns-aliyun:dns-aliyun,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-06-23 16:46:12,252:DEBUG:certbot._internal.log:Root logging level set at 20
2020-06-23 16:46:12,253:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-06-23 16:46:12,305:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x7fd6da256400> and installer <certbot._internal.cli.cli_utils._Default object at 0x7fd6da256400>
2020-06-23 16:46:12,356:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): ocsp.int-x3.letsencrypt.org:80
2020-06-23 16:46:22,369:INFO:certbot.ocsp:OCSP check failed for /etc/letsencrypt/archive/harbor.example.com/cert3.pem (are we offline?)
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/requests/packages/urllib3/connectionpool.py", line 421, in _make_request
six.raise_from(e, None)
File "<string>", line 3, in raise_from
File "/usr/lib/python3.6/site-packages/requests/packages/urllib3/connectionpool.py", line 416, in _make_request
httplib_response = conn.getresponse()
File "/usr/lib64/python3.6/http/client.py", line 1346, in getresponse
response.begin()
File "/usr/lib64/python3.6/http/client.py", line 307, in begin
version, status, reason = self._read_status()
File "/usr/lib64/python3.6/http/client.py", line 268, in _read_status
line = str(self.fp.readline(_MAXLINE + 1), "iso-8859-1")
File "/usr/lib64/python3.6/socket.py", line 586, in readinto
return self._sock.recv_into(b)
socket.timeout: timed out
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 438, in send
timeout=timeout
File "/usr/lib/python3.6/site-packages/requests/packages/urllib3/connectionpool.py", line 720, in urlopen
method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
File "/usr/lib/python3.6/site-packages/requests/packages/urllib3/util/retry.py", line 400, in increment
raise six.reraise(type(error), error, _stacktrace)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/requests/packages/urllib3/connectionpool.py", line 672, in urlopen
chunked=chunked,
File "/usr/lib/python3.6/site-packages/requests/packages/urllib3/connectionpool.py", line 423, in _make_request
self._raise_timeout(err=e, url=url, timeout_value=read_timeout)
File "/usr/lib/python3.6/site-packages/requests/packages/urllib3/connectionpool.py", line 331, in _raise_timeout
self, url, "Read timed out. (read timeout=%s)" % timeout_value
requests.packages.urllib3.exceptions.ReadTimeoutError: HTTPConnectionPool(host='ocsp.int-x3.letsencrypt.org', port=80): Read timed out. (read timeout=10)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.6/site-packages/certbot/ocsp.py", line 187, in _check_ocsp_cryptography
timeout=timeout)
File "/usr/lib/python3.6/site-packages/requests/api.py", line 112, in post
return request('post', url, data=data, json=json, **kwargs)
File "/usr/lib/python3.6/site-packages/requests/api.py", line 58, in request
return session.request(method=method, url=url, **kwargs)
File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 530, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 651, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 514, in send
raise ReadTimeout(e, request=request)
requests.exceptions.ReadTimeout: HTTPConnectionPool(host='ocsp.int-x3.letsencrypt.org', port=80): Read timed out. (read timeout=10)
2020-06-23 16:46:22,386:INFO:certbot._internal.renewal:Cert not yet due for renewal
2020-06-23 16:46:22,388:DEBUG:certbot._internal.plugins.selection:Requested authenticator certbot-dns-aliyun:dns-aliyun and installer None
2020-06-23 16:46:22,389:DEBUG:certbot._internal.renewal:no renewal failures
Cause
The error in your latest screenshot is not fatal. It occurs when Certbot is checking whether the certificate is revoked, but if it times out, renewal will still proceed anyway.
You can see below the error that “all renewals succeeded”.
These messages look alarming, but they do not affect renewal. The OCSP check is only used by certbot to decide whether a certificate has been revoked and should therefore be renewed early; when the check times out, certbot logs "are we offline?" and carries on. The log above shows exactly that: the TCP connection to ocsp.int-x3.letsencrypt.org:80 was opened, the OCSP POST got no reply within certbot's 10-second read timeout, and the run then ended with "Cert not yet due for renewal" and "no renewal failures". A connection that is accepted but never answered is consistent with DNS pollution returning a wrong address for the responder, which is what we see from servers in mainland China.
Solution
Three options: 1) ignore the error; 2) add a manual entry to /etc/hosts; 3) go through a proxy (certbot's HTTP client is the `requests` library, which honors the standard `all_proxy`, `http_proxy` and `https_proxy` environment variables, so a proxy can be set that way).
We take the second option and add an /etc/hosts entry: 1) on a server outside China, `ping ocsp.int-x3.letsencrypt.org` to get the address it resolves to; 2) confirm from the local server that the address actually answers on port 80, then write it into the local hosts file. Pinning an address in this way cannot be used to forge a revocation status, because OCSP responses are signed by the CA's responder key; a wrong address can only make the check fail again.
cat >> /etc/hosts <<EOF
# https://community.letsencrypt.org/t/ocsp-int-x3-letsencrypt-org-is-not-working-in-china/118552/7
96.17.68.81 ocsp.int-x3.letsencrypt.org
EOF
However, if the address of ocsp.int-x3.letsencrypt.org changes, or the certificate is reissued under an intermediate whose AIA extension points at a different OCSP URL, the entry has to be redone (the hostname certbot queries is taken from the certificate itself, not hardcoded). Note also that `cat >>` appends a new line on every run, so repeated runs leave duplicate entries behind. If circumstances allow, a proxy avoids the problem altogether.
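The following shell script is an added example, not part of the original post or of certbot. It makes the hosts-file step above repeatable: `pin_host` validates the address, replaces any existing line for the hostname instead of appending a duplicate, and writes the file in place so the ownership and permissions of /etc/hosts are preserved; `ocsp_host_from_cert` reads the responder hostname from the certificate's AIA extension so that the name being pinned is the one certbot will actually query; `ocsp_probe` queries the responder the same way certbot does, to confirm the pinned address works. The function names are mine; the address 96.17.68.81 and the hostname are the ones quoted in the post, and the paths under /etc/letsencrypt/live/ are the usual certbot layout.

```shell
#!/bin/sh
# Added example (not from the original post or from certbot): idempotent
# OCSP responder pinning for /etc/hosts, plus two helpers to verify it.
# Usage:
#   pin_host /etc/hosts 96.17.68.81 "$(ocsp_host_from_cert /etc/letsencrypt/live/harbor.example.com/cert.pem)"
#   ocsp_probe /etc/letsencrypt/live/harbor.example.com/cert.pem /etc/letsencrypt/live/harbor.example.com/chain.pem

# Return 0 if $1 is a dotted-quad IPv4 address with octets in 0..255, else 1.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# pin_host HOSTS_FILE IP HOSTNAME
# Remove any existing (non-comment) line mapping HOSTNAME, then append the
# new mapping. The file is rewritten in place via cat so that the inode,
# owner and mode of /etc/hosts are kept (mv would replace the file).
pin_host() {
    hosts="$1"; ip="$2"; name="$3"
    is_ipv4 "$ip" || { echo "pin_host: bad IPv4 address: $ip" >&2; return 1; }
    tmp="$(mktemp)" || return 1
    # Escape dots so the hostname is matched literally in the regex.
    esc="$(printf '%s' "$name" | sed 's/\./\\./g')"
    grep -Ev "^[^#]*[[:space:]]${esc}([[:space:]]|\$)" "$hosts" > "$tmp" 2>/dev/null || true
    printf '%s %s\n' "$ip" "$name" >> "$tmp"
    cat "$tmp" > "$hosts" && rm -f "$tmp"
}

# ocsp_host_from_cert CERT_PEM
# Print the hostname of the OCSP responder named in the certificate's
# Authority Information Access extension (what certbot actually queries).
ocsp_host_from_cert() {
    openssl x509 -noout -ocsp_uri -in "$1" | sed -E 's#^https?://##; s#[/:].*$##'
}

# ocsp_probe CERT_PEM ISSUER_PEM
# Send a real OCSP request with a 10-second timeout, matching certbot's, so a
# pinned address can be checked before trusting it. Exit status is openssl's.
ocsp_probe() {
    url="$(openssl x509 -noout -ocsp_uri -in "$1")"
    openssl ocsp -issuer "$2" -cert "$1" -url "$url" -timeout 10 -resp_text
}
```

The first two functions work on any hosts file; the verification helpers need `openssl` and the certificate plus its issuer chain, both of which certbot keeps under /etc/letsencrypt/live/<name>/. Run `ocsp_probe` before and after pinning: if the pinned address is wrong you get a timeout or a non-OCSP response, never a forged "good" status, since the response must carry a valid signature from the CA's OCSP signer.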
References
WikiNotes: ocsp.int-x3.letsencrypt.org Read timed out
Let's Encrypt Community: Ocsp.int-x3.letsencrypt.org is not working in China
This article analyzes the OCSP check timeout error that occurs when renewing an SSL certificate with Certbot and offers several solutions: ignoring the error, adding a manual HOSTS entry, or using a proxy.