Hi, this is my first post on this mailing list.
I did an extensive search and tried to resolve the issue I have in pfSense with stunnel. pfSense CE 2.7.2 uses stunnel 5.71. In my config I created a certificate using the acme package with Let's Encrypt. The created certificate works fine in the pfSense web console and also with stunnel 5.68 on Debian, but it does not work with stunnel 5.71 on pfSense. All connections going through stunnel are timing out and the stunnel log has the following in it:
```
Jul 19 00:53:08 router1 stunnel[2933]: LOG5[6]: Service [XXXX] accepted connection from xxxxxx:46415
Jul 19 00:53:08 router1 stunnel[2933]: LOG6[6]: Peer certificate not required
Jul 19 00:53:08 router1 stunnel[2933]: LOG6[6]: OCSP: The root CA certificate was not found
Jul 19 00:53:08 router1 stunnel[2933]: LOG5[6]: OCSP: Connecting the AIA responder "http://r10.o.lencr.org"
Jul 19 00:56:05 router1 stunnel[2933]: LOG3[6]: Error resolving "r10.o.lencr.org": Address family for nodename not supported (EAI_ADDRFAMILY)
Jul 19 00:56:05 router1 stunnel[2933]: LOG3[6]: OCSP: Failed to resolve the OCSP responder address
Jul 19 00:56:05 router1 stunnel[2933]: LOG6[6]: OCSP: No OCSP stapling response to send
Jul 19 00:56:05 router1 stunnel[2933]: LOG3[6]: SSL_accept: /var/jenkins/workspace/pfSense-CE-snapshots-2_7_2-main/sources/FreeBSD-src-RELENG_2_7_2/crypto/openssl/ssl/record/rec_layer_s3.c:304: error:0A000126:SSL routines::unexpected eof while reading
Jul 19 00:56:05 router1 stunnel[2933]: LOG5[6]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
```
So far I tried:
1. Creating a new certificate with acme
2. Uninstalling and reinstalling both acme and stunnel
3. Trying a new certificate provider (ZeroSSL)
4. Adding "OCSPrequire = no" to stunnel.conf based on https://www.stunnel.org/mailman3/hyperkitty/list/stunnel-users@stunnel.org/t...
None of the above fixed the issue and now I am not sure how to resolve it. I have another pfSense installation where all these things work fine. I compared the stunnel.conf files, but they are identical (except the certificate, of course).
I looked into the source code and found that the error message is coming from the ocsp_params_append_root_ca function in ocsp.c, but I am not a C programmer and not familiar with the stunnel code either, so I could not figure out more.
I hope someone from the stunnel list has some ideas how to proceed based on the logs above.
Thank you!
On 7/26/24 3:10 PM, akos.schneemaier@gmail.com wrote:
```
Jul 19 00:53:08 router1 stunnel[2933]: LOG6[6]: OCSP: The root CA certificate was not found
```
There seem to be 3 separate issues with your device:
1. So your stunnel does not trust OCSP responses of your own certificate. Consider adding your trusted root to your CAfile. This is not an error though.
```
Jul 19 00:53:08 router1 stunnel[2933]: LOG5[6]: OCSP: Connecting the AIA responder "http://r10.o.lencr.org"
Jul 19 00:56:05 router1 stunnel[2933]: LOG3[6]: Error resolving "r10.o.lencr.org": Address family for nodename not supported (EAI_ADDRFAMILY)
Jul 19 00:56:05 router1 stunnel[2933]: LOG3[6]: OCSP: Failed to resolve the OCSP responder address
```
2. This is a more severe problem: your pfSense could not resolve the IP address of your OCSP responder. Do you have any idea why that happens on your platform? Do you need to add r10.o.lencr.org to your /etc/hosts (or whatever the pfSense equivalent might be)?
```
Jul 19 00:56:05 router1 stunnel[2933]: LOG6[6]: OCSP: No OCSP stapling response to send
Jul 19 00:56:05 router1 stunnel[2933]: LOG3[6]: SSL_accept: /var/jenkins/workspace/pfSense-CE-snapshots-2_7_2-main/sources/FreeBSD-src-RELENG_2_7_2/crypto/openssl/ssl/record/rec_layer_s3.c:304: error:0A000126:SSL routines::unexpected eof while reading
Jul 19 00:56:05 router1 stunnel[2933]: LOG5[6]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
```
3. So your client has disconnected before negotiating TLS. Which TLS client did you use to test it? Consider using openssl s_client, as it will provide you with useful diagnostic data.
Consider also sending your stunnel.conf next time you ask for help with your configuration. 8-)
Best regards, Mike
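The openssl s_client check Mike recommends, written up as an added example that is not part of this thread: it requests a stapled OCSP response with -status and classifies the result, so the "No OCSP stapling response to send" situation from the logs above shows up as no-staple rather than being hidden in the handshake. Host and port are placeholders, and the three sample outputs are constructed to exercise the parser offline.

```shell
#!/bin/sh
# Added example (not from the thread): probe an stunnel listener with
# openssl s_client -status and summarize the OCSP stapling result.
# Assumptions: host/port are placeholders; openssl is in PATH.

# Classify s_client output (passed as one string) into one of:
#   stapled:<status>  a stapled OCSP response was received
#   no-staple         the server sent no OCSP response
#   handshake-failed  s_client reported a TLS alert or error
classify_status_output() {
    out=$1
    case $out in
        *"OCSP Response Status:"*)
            status=$(printf '%s\n' "$out" | sed -n 's/.*OCSP Response Status: *//p' | head -n 1)
            printf 'stapled:%s\n' "$status" ;;
        *"OCSP response: no response sent"*)
            printf 'no-staple\n' ;;
        *"alert"*|*"error"*)
            printf 'handshake-failed\n' ;;
        *)
            printf 'unknown\n' ;;
    esac
}

# Live probe: connect to HOST:PORT with SNI, ask for a stapled OCSP
# response and classify whatever the server returned.
probe_stapling() {
    host=$1; port=$2
    out=$(openssl s_client -connect "$host:$port" -servername "$host" -status </dev/null 2>&1)
    classify_status_output "$out"
}

# Constructed sample outputs (not real captures) for offline checks.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
======================================
SSL handshake has read 4083 bytes'
SAMPLE_NONE='OCSP response: no response sent
SSL handshake has read 3621 bytes'
SAMPLE_ALERT='CONNECTED(00000003)
SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
no peer certificate available'

if [ "$#" -eq 2 ]; then
    probe_stapling "$1" "$2"
fi
```

Run it as `sh probe.sh <host> <port>` against the stunnel accept port; a stapled:successful result means the OCSP lookup on the stunnel side worked, no-staple matches the "No OCSP stapling response to send" log line.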
I'm having a similar problem trying to set up stunnel. I'm trying to stunnel a ws:// connection to wss://
I'm using a Let's Encrypt certificate that works fine for Apache and for Postfix.
I'm getting this in the logs:
```
2024.08.06 17:01:17 LOG7[ui]: Service [realms] accepted (FD=3) from 142.112.150.54:63628
2024.08.06 17:01:17 LOG7[0]: Service [realms] started
2024.08.06 17:01:17 LOG7[0]: Setting local socket options (FD=3)
2024.08.06 17:01:17 LOG7[0]: Option TCP_NODELAY set on local socket
2024.08.06 17:01:17 LOG5[0]: Service [realms] accepted connection from 142.112.150.54:63628
2024.08.06 17:01:17 LOG6[0]: Peer certificate not required
2024.08.06 17:01:17 LOG7[0]: TLS state (accept): before/accept initialization
2024.08.06 17:01:17 LOG7[0]: Get session callback
2024.08.06 17:01:17 LOG7[0]: Initializing application specific data for session authenticated
2024.08.06 17:01:17 LOG7[0]: SNI: no virtual services defined
2024.08.06 17:01:17 LOG7[0]: OCSP stapling: Server callback called
2024.08.06 17:01:17 LOG6[0]: OCSP: The root CA certificate was not found
2024.08.06 17:01:17 LOG5[0]: OCSP: Connecting the AIA responder "http://r11.o.lencr.org"
2024.08.06 17:01:17 LOG6[0]: s_connect: connecting 23.223.17.211:80
2024.08.06 17:01:17 LOG7[0]: s_connect: s_poll_wait 23.223.17.211:80: waiting 5 seconds
2024.08.06 17:01:17 LOG7[0]: FD=6 events=0x2001 revents=0x0
2024.08.06 17:01:17 LOG7[0]: FD=10 events=0x2005 revents=0x1
2024.08.06 17:01:17 LOG5[0]: s_connect: connected 23.223.17.211:80
2024.08.06 17:01:17 LOG7[0]: OCSP: Connected r11.o.lencr.org:80
2024.08.06 17:01:17 LOG7[0]: OCSP: Response received
2024.08.06 17:01:17 LOG7[0]: OCSP: Validate the OCSP response
2024.08.06 17:01:17 LOG3[0]: OCSP: OCSP responder error: 6: unauthorized
2024.08.06 17:01:17 LOG6[0]: OCSP: No OCSP stapling response to send
2024.08.06 17:01:17 LOG7[0]: TLS state (accept): SSLv3 read client hello B
2024.08.06 17:01:17 LOG7[0]: TLS state (accept): SSLv3 write server hello A
2024.08.06 17:01:17 LOG7[0]: TLS state (accept): SSLv3 write certificate A
2024.08.06 17:01:17 LOG7[0]: TLS state (accept): SSLv3 write key exchange A
2024.08.06 17:01:17 LOG7[0]: TLS state (accept): SSLv3 write certificate request A
2024.08.06 17:01:17 LOG7[0]: TLS state (accept): SSLv3 flush data
2024.08.06 17:01:17 LOG7[0]: TLS alert (read): fatal: certificate unknown
2024.08.06 17:01:17 LOG3[0]: SSL_accept: s3_pkt.c:1493: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
2024.08.06 17:01:17 LOG5[0]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2024.08.06 17:01:17 LOG7[0]: Deallocating application specific data for session connect address
2024.08.06 17:01:17 LOG7[0]: Local descriptor (FD=3) closed
2024.08.06 17:01:17 LOG7[0]: Service [realms] finished (0 left)
```
This is my current stunnel.conf:
```
;setuid = nobody
;setgid = nobody

debug = 7
foreground = yes
;output = /var/log/stunnel.log
verify = 0

[realms]
accept = 4043
connect = 4040
TIMEOUTclose=0
cert = /usr/local/etc/stunnel/stunnel.pem
CAfile = /usr/local/etc/stunnel/cacert.pem
;fips=no
;sslVersion = TLSv1.2
sslVersion = all
;options = NO_SSLv2
;options = NO_SSLv3
```