matteocorti/check_ssl_cert

SSL_CERT CRITICAL: Timeout after 120 seconds (fetching certificate)

rrrkkk opened this issue · 2 comments

Describe the bug

check_ssl_cert fails with timeout

To Reproduce

/check_ssl_cert -H pas.fi -p 443 -P https -w 21 -c 14

SSL_CERT CRITICAL: Timeout after 120 seconds (fetching certificate)

Expected behavior

I expected the check to come back clean - when I visit the site w/ browser, the cert appears to be fine.

System (please complete the following information):

  • OS: Debian
  • OS version: 11
  • check_ssl_cert version: 2.60.0
  • OpenSSL version (openssl version): 1.1.1n

Additional context/output

This started about 12 hours ago, w/ check_ssl_cert version 2.2.0. Verified w/ the latest release.

The cert is from Let's Encrypt.

Output of
check_ssl_cert -H pas.fi -p 443 -P https -w 21 -c 14 -d -v

[DBG] check_ssl_cert version: 2.60.0
[DBG] System info: Linux heh.d9.fi 5.10.0-20-amd64 #1 SMP Debian 5.10.158-2 (2022-12-13) x86_64 GNU/Linux
[DBG] /etc/os-release:
[DBG] PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
[DBG] NAME="Debian GNU/Linux"
[DBG] VERSION_ID="11"
[DBG] VERSION="11 (bullseye)"
[DBG] VERSION_CODENAME=bullseye
[DBG] ID=debian
[DBG] HOME_URL="https://www.debian.org/"
[DBG] SUPPORT_URL="https://www.debian.org/support"
[DBG] BUG_REPORT_URL="https://bugs.debian.org/"
[DBG] User: r
[DBG] Shell: /bin/bash
[DBG] GNU bash, version 5.1.4(1)-release (x86_64-pc-linux-gnu)
[DBG] Copyright (C) 2020 Free Software Foundation, Inc.
[DBG] License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
[DBG]
[DBG] This is free software; you are free to change and redistribute it.
[DBG] There is NO WARRANTY, to the extent permitted by law.
[DBG] grep: grep
[DBG] grep (GNU grep) 3.6
[DBG] Copyright (C) 2020 Free Software Foundation, Inc.
[DBG] License GPLv3+: GNU GPL version 3 or later https://gnu.org/licenses/gpl.html.
[DBG] This is free software: you are free to change and redistribute it.
[DBG] There is NO WARRANTY, to the extent permitted by law.
[DBG]
[DBG] Written by Mike Haertel and others; see
[DBG] https://git.sv.gnu.org/cgit/grep.git/tree/AUTHORS.
[DBG] hostname: /usr/bin/hostname
[DBG] $PATH: /usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/home/r/bin
[DBG] Command line arguments: -H pas.fi -p 443 -P https -w 21 -c 14 -d -v
[DBG] TMPDIR = /tmp
[DBG] Required HTTP headers:
[DBG] Unrequired HTTP headers:
[DBG] Adding the domain if missing
[DBG] HOST = pas.fi
[DBG] SNI =
[DBG] HOST_NAME = pas.fi
[DBG] HOST_ADDR = pas.fi
[DBG] NAMES_TO_BE_CHECKED = HOST
[DBG] Checking if pas.fi is an IP address
[DBG] pas.fi is not an IP address
[DBG] HOST_IS_IP. = 0
[DBG] Checking if pas.fi is an IP address
[DBG] pas.fi is not an IP address
[DBG] Adding pas.fi to NAMES_TO_BE_CHECKED
[DBG] NAMES_TO_BE_CHECKED = pas.fi
[DBG] curl binary needed. SSL Labs = , OCSP = 1, CURL = , IGNORE_CONNECTION_STATE=, FILE_URI=
[DBG] curl binary not specified
[DBG] curl available: /usr/bin/curl
[DBG] curl 7.74.0 (x86_64-pc-linux-gnu) libcurl/7.74.0 OpenSSL/1.1.1n zlib/1.2.11 brotli/1.0.9 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.3.0) libssh2/1.9.0 nghttp2/1.43.0 librtmp/2.3
[DBG] Release-Date: 2020-12-09
[DBG] Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
[DBG] Features: alt-svc AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets
[DBG] -c specified: 14
[DBG] -w specified: 21
[DBG] Executing comparison '1814400 <= 1209600'
[DBG] bc result = 0
[DBG] returning 1
[DBG] ROOT_CA =
[DBG] mktemp available: /usr/bin/mktemp
[DBG] file version: file-5.39
[DBG] magic file from /etc/magic:/usr/share/misc/magic
[DBG] nmap binary not specified
cannot find nmap: disabling connection checks and ciphers checks
[DBG] cannot find nmap: disabling connection checks and ciphers checks
[DBG] Checking IPs: host pas.fi
[DBG] perl available: /usr/bin/perl
[DBG] date available: /usr/bin/date
[DBG] checking date version
[DBG] date computation type: GNU
[DBG] OpenSSL binary: /usr/bin/openssl
[DBG] OpenSSL info:
[DBG] OpenSSL 1.1.1n 15 Mar 2022
[DBG] built on: Fri Jun 24 20:22:19 2022 UTC
[DBG] platform: debian-amd64
[DBG] options: bn(64,64) rc4(8x,int) des(int) blowfish(ptr)
[DBG] compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -ffile-prefix-map=/build/openssl-qQYEec/openssl-1.1.1n=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
[DBG] OPENSSLDIR: "/usr/lib/ssl"
[DBG] ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"
[DBG] Seeding source: os-specific
[DBG] OpenSSL configuration directory: /usr/lib/ssl
[DBG] 0 root certificates installed by default
[DBG] Date computation: GNU
[DBG] '/usr/bin/openssl s_client' supports '-servername': using -servername pas.fi
[DBG] Proxy settings (before):
[DBG] http_proxy =
[DBG] https_proxy =
[DBG] HTTP_PROXY =
[DBG] HTTPS_PROXY =
[DBG] Proxy settings (after):
[DBG] http_proxy =
[DBG] https_proxy =
[DBG] HTTP_PROXY =
[DBG] HTTPS_PROXY =
[DBG] s_client =
[DBG] curl =
[DBG] '/usr/bin/openssl s_client' supports '-name': using heh.d9.fi
[DBG] '/usr/bin/openssl s_client' supports '-xmpphost': using -xmpphost pas.fi
[DBG] HOST_HEADER = pas.fi
Using a proxy: cannot test connection
[DBG] Using a proxy: cannot test connection
[DBG] Sanity checks: OK
[DBG] temporary file /tmp/UFadic created
[DBG] temporary file /tmp/8nfePP created
[DBG] temporary file /tmp/Bj8Ffb created
[DBG] temporary file /tmp/kJ3NvS created
[DBG] temporary file /tmp/uK5kCC created
[DBG] temporary file /tmp/pp3q8a created
[DBG] temporary file /tmp/2UEaWo created
[DBG] Temporary files created
[DBG] pas.fi is not an IP address
[DBG] fetch_certificate: PROTOCOL = https
[DBG] exec_with_timeout printf 'HEAD / HTTP/1.1
[DBG] Host: pas.fi
[DBG] User-Agent: check_ssl_cert/2.60.0
[DBG] Connection: close
[DBG]
[DBG] ' | /usr/bin/openssl s_client -crlf -connect pas.fi:443 -servername pas.fi -showcerts -verify 6 2> /tmp/8nfePP 1> /tmp/UFadic
[DBG] TIMEOUT_REASON = fetching certificate
[DBG] executing with timeout (120s): printf 'HEAD / HTTP/1.1
[DBG] Host: pas.fi
[DBG] User-Agent: check_ssl_cert/2.60.0
[DBG] Connection: close
[DBG]
[DBG] ' | /usr/bin/openssl s_client -crlf -connect pas.fi:443 -servername pas.fi -showcerts -verify 6 2> /tmp/8nfePP 1> /tmp/UFadic
[DBG] start time = 1678384906
[DBG] /usr/bin/timeout 120 /bin/sh -c "printf 'HEAD / HTTP/1.1
[DBG] Host: pas.fi
[DBG] User-Agent: check_ssl_cert/2.60.0
[DBG] Connection: close
[DBG]
[DBG] ' | /usr/bin/openssl s_client -crlf -connect pas.fi:443 -servername pas.fi -showcerts -verify 6 2> /tmp/8nfePP 1> /tmp/UFadic"
CRITICAL error: Timeout after 120 seconds
[DBG] CRITICAL ----------------------------------------
[DBG] prepend_critical_message: new message = Timeout after 120 seconds
[DBG] prepend_critical_message: CRITICAL_MSG =
[DBG] prepend_critical_message: ALL_MSG 1 =
[DBG] prepend_critical_message: MSG 2 = SSL_CERT CRITICAL pas.fi:https: Timeout after 120 seconds
[DBG] prepend_critical_message: CRITICAL_MSG 2 = SSL_CERT CRITICAL pas.fi:https: Timeout after 120 seconds
[DBG] prepend_critical_message: ALL_MSG 2 =
[DBG] SSL_CERT CRITICAL pas.fi:https: Timeout after 120 seconds
[DBG] CRITICAL ----------------------------------------
[DBG] cleaning up temporary files
[DBG] /tmp/UFadic /tmp/8nfePP /tmp/Bj8Ffb /tmp/kJ3NvS /tmp/uK5kCC /tmp/pp3q8a /tmp/2UEaWo
[DBG] exiting with CRITICAL
[DBG] ALL_MSG =
[DBG] SSL_CERT CRITICAL pas.fi:https: Timeout after 120 seconds
[DBG] number of errors = 1
SSL_CERT CRITICAL: Timeout after 120 seconds (fetching certificate)

Thanks for the report. Using Debian 11 and the same OpenSSL version I was able to run several tests on your host without any problem.

I tested several times with your host on Debian 11 with the same OpenSSL version from Switzerland and Germany without any problem. Seems rather a network issue.
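
To narrow down where a hang like the one in the debug output occurs, the same `s_client` fetch can be rerun with a short limit and its stdout kept for inspection. The following is an added example, not part of check_ssl_cert and not posted by anyone in this thread; the function names, result labels and the 15-second default are assumptions made for illustration.

```shell
#!/bin/sh
# Added diagnostic sketch, not part of check_ssl_cert.

# classify_fetch STATUS OUTFILE
#   STATUS:  exit status of `timeout N openssl s_client ...`
#            (GNU timeout returns 124 when the limit fired)
#   OUTFILE: captured stdout of s_client
classify_fetch() {
    cf_status=$1
    cf_connected=no
    cf_cert=no
    # s_client prints "CONNECTED(...)" once the TCP connection is up
    if grep -q '^CONNECTED(' "$2" 2>/dev/null; then cf_connected=yes; fi
    # with -showcerts the PEM chain is printed once the server has sent it
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$2" 2>/dev/null; then cf_cert=yes; fi

    if [ "$cf_cert" = yes ]; then
        if [ "$cf_status" -eq 124 ]; then echo cert-received-session-hung; else echo cert-fetched; fi
    elif [ "$cf_connected" = yes ]; then
        if [ "$cf_status" -eq 124 ]; then echo tls-handshake-stalled; else echo tls-handshake-failed; fi
    else
        if [ "$cf_status" -eq 124 ]; then echo tcp-connect-hung; else echo connect-failed; fi
    fi
}

# probe_fetch HOST [PORT] [4|6] [SECONDS]
# Reruns the fetch from the debug log with a short limit, forced to one
# address family, and reports the stage reached before it ended.
probe_fetch() {
    pf_host=$1
    pf_port=${2:-443}
    pf_family=${3:-4}
    pf_limit=${4:-15}
    pf_out=$(mktemp) || return 3
    printf 'HEAD / HTTP/1.1\nHost: %s\nConnection: close\n\n' "$pf_host" |
        timeout "$pf_limit" openssl s_client -crlf "-$pf_family" \
            -connect "$pf_host:$pf_port" -servername "$pf_host" \
            -showcerts >"$pf_out" 2>/dev/null
    pf_status=$?    # status of the last pipeline command, i.e. timeout
    echo "IPv$pf_family $pf_host:$pf_port -> $(classify_fetch "$pf_status" "$pf_out")"
    rm -f "$pf_out"
}

# Usage: sh probe.sh HOST [PORT] [4|6] [SECONDS]
if [ "$#" -gt 0 ]; then probe_fetch "$@"; fi
```

Running it once with `4` and once with `6` from the monitoring host shows whether the stall is before the TCP connection, during the TLS handshake, or after the certificate has already been delivered.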