matteocorti/check_ssl_cert

Most of the time "TLS handshake error" for fast servers

Closed this issue · 6 comments

Describe the bug

When running as a normal user, check_ssl_cert fails ~95% of the time with "TLS handshake error" if the host responds quickly. The slower the target host, the more likely it works, it seems.

Running check_ssl_cert as root works. Always.

Tried with v2.60.0 from Debian Bookworm and with v2.70.0: Same behaviour. It worked properly with v2.20 from Debian Bullseye.

To Reproduce

Run sudo -u nobody check_ssl_cert -v -H 127.0.0.1
It will fail with "TLS handshake error" nearly always. I get an "SSL_CERT OK" after 20-30 retries.

Expected behavior
SSL_CERT OK

System (please complete the following information):

  • OS: Debian
  • OS version: 12
  • check_ssl_cert version: v2.70, v2.60
  • OpenSSL version (openssl version): 3.0.9

Additional context/output

# sudo -u nobody check_ssl_cert -vv -H 127.0.0.1
expect not available
timeout available (/usr/bin/timeout)
cannot find nmap: disabling connection checks and ciphers checks
Found GNU date with timestamp support: enabling date computations
Using a proxy: cannot test connection
Downloading certificate to /tmp
CRITICAL error: TLS handshake error
SSL_CERT_CRITICAL 127.0.0.1:443: TLS handshake error 

Without the debugging output it will be difficult to see what's happening.
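
A way to tally runs once `-d` output is collected, as an added example that is not part of check_ssl_cert or of this thread: it reads one or more concatenated debug logs and prints one verdict per run, separating the pattern seen in the failing runs below (OpenSSL's "unexpected eof while reading" after `depth=0` has already returned `verify return:1`) from other fetch failures. The function names, verdict labels and sample lines are assumptions; the sample is constructed from the log format shown in this thread.

```shell
#!/bin/sh
# Added example: triage `check_ssl_cert -d` output, one verdict per run.
# Verdict labels (hypothetical, chosen for this example):
#   ok                        first fetch command returned 0
#   eof-after-verified-chain  fetch failed, stderr shows the leaf certificate
#                             verified and then "unexpected eof while reading"
#   other-failure             fetch failed for any other reason
#   no-fetch-result           no "Return value of the command" line was found

triage_debug_log() {
    awk '
        function emit() {
            if (!seen) return
            if (!have_rc)                      v = "no-fetch-result"
            else if (rc + 0 == 0)              v = "ok"
            else if (eof && leaf_ok && !verr)  v = "eof-after-verified-chain"
            else                               v = "other-failure"
            print v
        }
        function clear_run() {
            seen = 0; have_rc = 0; rc = 0
            eof = 0; leaf_ok = 0; verr = 0; at_leaf = 0
        }

        # Each run starts with the version banner; close the previous run.
        /^\[DBG\] check_ssl_cert version:/ { emit(); clear_run() }
        /^\[DBG\] /                         { seen = 1 }

        # Only the first return value in a run belongs to the s_client fetch.
        /^\[DBG\] Return value of the command = / {
            if (!have_rc) { rc = $NF; have_rc = 1 }
        }

        # s_client stderr is echoed with the "SSL error:" prefix.
        /^\[DBG\] SSL error: / {
            if ($0 ~ /unexpected eof while reading/) eof = 1
            if ($0 ~ /verify error:/)                verr = 1
            if (at_leaf && $0 ~ /SSL error: verify return:1/) leaf_ok = 1
            at_leaf = ($0 ~ /SSL error: depth=0 /)
        }

        END { emit() }
    '
}

# Constructed sample: two abridged runs in the format shown in this thread
# (host name and error-queue prefix are placeholders).
sample_log() {
    cat <<'EOF'
[DBG] check_ssl_cert version: 2.70.0
[DBG] Return value of the command = 1
[DBG] SSL error: verify depth is 6
[DBG] SSL error: depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
[DBG] SSL error: verify return:1
[DBG] SSL error: depth=1 C = US, O = Let's Encrypt, CN = R3
[DBG] SSL error: verify return:1
[DBG] SSL error: depth=0 CN = host.example
[DBG] SSL error: verify return:1
[DBG] SSL error: 0000000000000000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:303:
[DBG] check_ssl_cert version: 2.70.0
[DBG] Return value of the command = 0
[DBG] Negotiated protocol:
EOF
}

# Demo on the constructed sample; pipe real `-d` output in the same way.
sample_log | triage_debug_log
```

Piping the verdicts through `sort | uniq -c` gives the failure ratio over a batch of runs.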

Contrary to what I wrote yesterday, there seems to be no difference between running check_ssl_cert as root or user.

Failing:

# LANG=C /tmp/check_ssl_cert -H 127.0.0.1 -d
[DBG] check_ssl_cert version: 2.70.0
[DBG] System info: Linux ldap 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.37-1 (2023-07-03) x86_64 GNU/Linux
[DBG] /etc/os-release:
[DBG]   PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
[DBG]   NAME="Debian GNU/Linux"
[DBG]   VERSION_ID="12"
[DBG]   VERSION="12 (bookworm)"
[DBG]   VERSION_CODENAME=bookworm
[DBG]   ID=debian
[DBG]   HOME_URL="https://www.debian.org/"
[DBG]   SUPPORT_URL="https://www.debian.org/support"
[DBG]   BUG_REPORT_URL="https://bugs.debian.org/"
[DBG] User: root
[DBG] Shell: /bin/bash
[DBG]   GNU bash, version 5.2.15(1)-release (x86_64-pc-linux-gnu)
[DBG]   Copyright (C) 2022 Free Software Foundation, Inc.
[DBG]   License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
[DBG]   
[DBG]   This is free software; you are free to change and redistribute it.
[DBG]   There is NO WARRANTY, to the extent permitted by law.
[DBG] grep: /usr/bin/grep
[DBG]   grep (GNU grep) 3.8
[DBG]   Copyright (C) 2022 Free Software Foundation, Inc.
[DBG]   License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
[DBG]   This is free software: you are free to change and redistribute it.
[DBG]   There is NO WARRANTY, to the extent permitted by law.
[DBG]   
[DBG]   Written by Mike Haertel and others; see
[DBG]   <https://git.sv.gnu.org/cgit/grep.git/tree/AUTHORS>.
[DBG] hostname: /usr/bin/hostname
[DBG] $PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[DBG] Command line arguments: -H 127.0.0.1 -d
[DBG]   TMPDIR = /tmp
[DBG] Required HTTP headers:   
[DBG] Unrequired HTTP headers: 
[DBG] curl binary needed. SSL Labs = , OCSP = 1, CURL = , IGNORE_CONNECTION_STATE=, FILE_URI=
[DBG] curl binary not specified
[DBG] curl available: /usr/bin/curl
[DBG] curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.9 zlib/1.2.13 brotli/1.0.9 zstd/1.5.4 libidn2/2.3.3 libpsl/0.21.2 (+libidn2/2.3.3) libssh2/1.10.0 nghttp2/1.52.0 librtmp/2.3
[DBG] Release-Date: 2023-02-20
[DBG] Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
[DBG] Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd
[DBG] Proxy settings (after):
[DBG]   http_proxy  = 
[DBG]   https_proxy = 
[DBG]   HTTP_PROXY  = 
[DBG]   HTTPS_PROXY = 
[DBG]   s_client    =  
[DBG]   curl        =  
[DBG] Checking if the host is listed in /etc/hosts
[DBG] Host not found in /etc/hosts: checking DNS
[DBG] HOST = 127.0.0.1
[DBG] SNI                 = 
[DBG] HOST_NAME           = 127.0.0.1
[DBG] HOST_ADDR           = 127.0.0.1
[DBG] NAMES_TO_BE_CHECKED = __HOST__
[DBG] Checking if 127.0.0.1 is an IP address
[DBG] 127.0.0.1 is an IPv4 address
[DBG] HOST_IS_IP.         = 1
[DBG] Checking if 127.0.0.1 is an IP address
[DBG] 127.0.0.1 is an IPv4 address
[DBG] Removing __HOST__ to the names to be checked as the host is 'localhost' or an IP address
[DBG] NAMES_TO_BE_CHECKED = 
[DBG] -c specified: 15
[DBG] -w specified: 20
[DBG] Executing comparison '1728000 < 1296000' (precision 0)
[DBG]   bc result = 0
[DBG]   returning 1
[DBG] ROOT_CA = 
[DBG] mktemp available: /usr/bin/mktemp
[DBG] file version: file-5.44
[DBG] magic file from /etc/magic:/usr/share/misc/magic
[DBG] nmap binary not specified
[DBG] cannot find nmap: disabling connection checks and ciphers checks
[DBG] Checking IPs: host 127.0.0.1
[DBG] perl available: /usr/bin/perl
[DBG] date available: /usr/bin/date
[DBG] checking date version
[DBG] date computation type: GNU
[DBG] OpenSSL binary: /usr/bin/openssl
[DBG] OpenSSL info:
[DBG] OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)
[DBG] built on: Tue May 30 16:12:36 2023 UTC
[DBG] platform: debian-amd64
[DBG] options:  bn(64,64)
[DBG] compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -fzero-call-used-regs=used-gpr -DOPENSSL_TLS_SECURITY_LEVEL=2 -Wa,--noexecstack -g -O2 -ffile-prefix-map=/build/openssl-HFEiK2/openssl-3.0.9=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
[DBG] OPENSSLDIR: "/usr/lib/ssl"
[DBG] ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-3"
[DBG] MODULESDIR: "/usr/lib/x86_64-linux-gnu/ossl-modules"
[DBG] Seeding source: os-specific
[DBG] CPUINFO: OPENSSL_ia32cap=0xffba22234f8bffff:0x400000283
[DBG] OpenSSL configuration directory: /usr/lib/ssl
[DBG] 140 root certificates installed by default
[DBG] Date computation: GNU
[DBG] '/usr/bin/openssl s_client' supports '-servername': using -servername 127.0.0.1
[DBG] Proxy settings (before):
[DBG]   http_proxy  = 
[DBG]   https_proxy = 
[DBG]   HTTP_PROXY  = 
[DBG]   HTTPS_PROXY = 
[DBG] '/usr/bin/openssl s_client' supports '-name': using ldap
[DBG] '/usr/bin/openssl s_client' supports '-xmpphost': using -xmpphost 127.0.0.1
[DBG] HOST_HEADER = 127.0.0.1
[DBG] Using a proxy: cannot test connection
[DBG] Sanity checks: OK
[DBG] temporary file /tmp/25chYH created
[DBG] temporary file /tmp/6eVMRm created
[DBG] temporary file /tmp/bTuZXg created
[DBG] temporary file /tmp/IpEz2e created
[DBG] temporary file /tmp/iXuySH created
[DBG] temporary file /tmp/9YQItg created
[DBG] temporary file /tmp/tkRaZn created
[DBG] Temporary files created
[DBG] 127.0.0.1 is an IPv4 address
[DBG] fetch_certificate: PROTOCOL = 
[DBG] exec_with_timeout printf 'HEAD / HTTP/1.1
[DBG] Host: 127.0.0.1
[DBG] User-Agent: check_ssl_cert/2.70.0
[DBG] Connection: close
[DBG] 
[DBG] ' | /usr/bin/openssl s_client     -crlf  -connect 127.0.0.1:443 -servername 127.0.0.1   -showcerts -verify 6        2> /tmp/6eVMRm 1> /tmp/25chYH  
[DBG]   TIMEOUT_REASON = fetching certificate
[DBG] executing with timeout (120s): printf 'HEAD / HTTP/1.1
[DBG] Host: 127.0.0.1
[DBG] User-Agent: check_ssl_cert/2.70.0
[DBG] Connection: close
[DBG] 
[DBG] ' | /usr/bin/openssl s_client     -crlf  -connect 127.0.0.1:443 -servername 127.0.0.1   -showcerts -verify 6        2> /tmp/6eVMRm 1> /tmp/25chYH
[DBG]   start time = 1688891956
[DBG] /usr/bin/timeout 120 /bin/sh -c "printf 'HEAD / HTTP/1.1
[DBG] Host: 127.0.0.1
[DBG] User-Agent: check_ssl_cert/2.70.0
[DBG] Connection: close
[DBG] 
[DBG] ' | /usr/bin/openssl s_client     -crlf  -connect 127.0.0.1:443 -servername 127.0.0.1   -showcerts -verify 6        2> /tmp/6eVMRm 1> /tmp/25chYH"
[DBG]   end time = 1688891956
[DBG]   new timeout = 120
[DBG] Return value of the command = 1
[DBG] SSL error: verify depth is 6
[DBG] SSL error: depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
[DBG] SSL error: verify return:1
[DBG] SSL error: depth=1 C = US, O = Let's Encrypt, CN = R3
[DBG] SSL error: verify return:1
[DBG] SSL error: depth=0 CN = ldap.bingo-ev.de
[DBG] SSL error: verify return:1
[DBG] SSL error: 40E7DF18FA7F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:303:
[DBG] CRITICAL ----------------------------------------
[DBG] prepend_critical_message: new message    = TLS handshake error
[DBG] prepend_critical_message: CRITICAL_MSG   = 
[DBG] prepend_critical_message: ALL_MSG 1      = 
[DBG] prepend_critical_message: MSG 2          = SSL_CERT CRITICAL 127.0.0.1: TLS handshake error
[DBG] prepend_critical_message: CRITICAL_MSG 2 = SSL_CERT CRITICAL 127.0.0.1: TLS handshake error
[DBG] prepend_critical_message: ALL_MSG 2      = 
[DBG]     SSL_CERT CRITICAL 127.0.0.1: TLS handshake error
[DBG] CRITICAL ----------------------------------------
[DBG] cleaning up temporary files
[DBG]  /tmp/25chYH /tmp/6eVMRm /tmp/bTuZXg /tmp/IpEz2e /tmp/iXuySH /tmp/9YQItg /tmp/tkRaZn
[DBG] exiting with CRITICAL
[DBG] ALL_MSG = 
[DBG]     SSL_CERT CRITICAL 127.0.0.1: TLS handshake error
[DBG] number of errors = 1
SSL_CERT_CRITICAL 127.0.0.1:443: TLS handshake error

After ~20 consecutive TLS handshake errors, an SSL CERT OK:

# LANG=C /tmp/check_ssl_cert -H 127.0.0.1 -d
[DBG] check_ssl_cert version: 2.70.0
[DBG] System info: Linux ldap 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.37-1 (2023-07-03) x86_64 GNU/Linux
[DBG] /etc/os-release:
[DBG]   PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
[DBG]   NAME="Debian GNU/Linux"
[DBG]   VERSION_ID="12"
[DBG]   VERSION="12 (bookworm)"
[DBG]   VERSION_CODENAME=bookworm
[DBG]   ID=debian
[DBG]   HOME_URL="https://www.debian.org/"
[DBG]   SUPPORT_URL="https://www.debian.org/support"
[DBG]   BUG_REPORT_URL="https://bugs.debian.org/"
[DBG] User: root
[DBG] Shell: /bin/bash
[DBG]   GNU bash, version 5.2.15(1)-release (x86_64-pc-linux-gnu)
[DBG]   Copyright (C) 2022 Free Software Foundation, Inc.
[DBG]   License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
[DBG]   
[DBG]   This is free software; you are free to change and redistribute it.
[DBG]   There is NO WARRANTY, to the extent permitted by law.
[DBG] grep: /usr/bin/grep
[DBG]   grep (GNU grep) 3.8
[DBG]   Copyright (C) 2022 Free Software Foundation, Inc.
[DBG]   License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
[DBG]   This is free software: you are free to change and redistribute it.
[DBG]   There is NO WARRANTY, to the extent permitted by law.
[DBG]   
[DBG]   Written by Mike Haertel and others; see
[DBG]   <https://git.sv.gnu.org/cgit/grep.git/tree/AUTHORS>.
[DBG] hostname: /usr/bin/hostname
[DBG] $PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[DBG] Command line arguments: -H 127.0.0.1 -d
[DBG]   TMPDIR = /tmp
[DBG] Required HTTP headers:   
[DBG] Unrequired HTTP headers: 
[DBG] curl binary needed. SSL Labs = , OCSP = 1, CURL = , IGNORE_CONNECTION_STATE=, FILE_URI=
[DBG] curl binary not specified
[DBG] curl available: /usr/bin/curl
[DBG] curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.9 zlib/1.2.13 brotli/1.0.9 zstd/1.5.4 libidn2/2.3.3 libpsl/0.21.2 (+libidn2/2.3.3) libssh2/1.10.0 nghttp2/1.52.0 librtmp/2.3
[DBG] Release-Date: 2023-02-20
[DBG] Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
[DBG] Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd
[DBG] Proxy settings (after):
[DBG]   http_proxy  = 
[DBG]   https_proxy = 
[DBG]   HTTP_PROXY  = 
[DBG]   HTTPS_PROXY = 
[DBG]   s_client    =  
[DBG]   curl        =  
[DBG] Checking if the host is listed in /etc/hosts
[DBG] Host not found in /etc/hosts: checking DNS
[DBG] HOST = 127.0.0.1
[DBG] SNI                 = 
[DBG] HOST_NAME           = 127.0.0.1
[DBG] HOST_ADDR           = 127.0.0.1
[DBG] NAMES_TO_BE_CHECKED = __HOST__
[DBG] Checking if 127.0.0.1 is an IP address
[DBG] 127.0.0.1 is an IPv4 address
[DBG] HOST_IS_IP.         = 1
[DBG] Checking if 127.0.0.1 is an IP address
[DBG] 127.0.0.1 is an IPv4 address
[DBG] Removing __HOST__ to the names to be checked as the host is 'localhost' or an IP address
[DBG] NAMES_TO_BE_CHECKED = 
[DBG] -c specified: 15
[DBG] -w specified: 20
[DBG] Executing comparison '1728000 < 1296000' (precision 0)
[DBG]   bc result = 0
[DBG]   returning 1
[DBG] ROOT_CA = 
[DBG] mktemp available: /usr/bin/mktemp
[DBG] file version: file-5.44
[DBG] magic file from /etc/magic:/usr/share/misc/magic
[DBG] nmap binary not specified
[DBG] cannot find nmap: disabling connection checks and ciphers checks
[DBG] Checking IPs: host 127.0.0.1
[DBG] perl available: /usr/bin/perl
[DBG] date available: /usr/bin/date
[DBG] checking date version
[DBG] date computation type: GNU
[DBG] OpenSSL binary: /usr/bin/openssl
[DBG] OpenSSL info:
[DBG] OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)
[DBG] built on: Tue May 30 16:12:36 2023 UTC
[DBG] platform: debian-amd64
[DBG] options:  bn(64,64)
[DBG] compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -fzero-call-used-regs=used-gpr -DOPENSSL_TLS_SECURITY_LEVEL=2 -Wa,--noexecstack -g -O2 -ffile-prefix-map=/build/openssl-HFEiK2/openssl-3.0.9=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
[DBG] OPENSSLDIR: "/usr/lib/ssl"
[DBG] ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-3"
[DBG] MODULESDIR: "/usr/lib/x86_64-linux-gnu/ossl-modules"
[DBG] Seeding source: os-specific
[DBG] CPUINFO: OPENSSL_ia32cap=0xffba22234f8bffff:0x400000283
[DBG] OpenSSL configuration directory: /usr/lib/ssl
[DBG] 140 root certificates installed by default
[DBG] Date computation: GNU
[DBG] '/usr/bin/openssl s_client' supports '-servername': using -servername 127.0.0.1
[DBG] Proxy settings (before):
[DBG]   http_proxy  = 
[DBG]   https_proxy = 
[DBG]   HTTP_PROXY  = 
[DBG]   HTTPS_PROXY = 
[DBG] '/usr/bin/openssl s_client' supports '-name': using ldap
[DBG] '/usr/bin/openssl s_client' supports '-xmpphost': using -xmpphost 127.0.0.1
[DBG] HOST_HEADER = 127.0.0.1
[DBG] Using a proxy: cannot test connection
[DBG] Sanity checks: OK
[DBG] temporary file /tmp/HNqUPQ created
[DBG] temporary file /tmp/6OLxZr created
[DBG] temporary file /tmp/zFO9WO created
[DBG] temporary file /tmp/V0yNOt created
[DBG] temporary file /tmp/e1fJgK created
[DBG] temporary file /tmp/7C7qI0 created
[DBG] temporary file /tmp/tG3uf9 created
[DBG] Temporary files created
[DBG] 127.0.0.1 is an IPv4 address
[DBG] fetch_certificate: PROTOCOL = 
[DBG] exec_with_timeout printf 'HEAD / HTTP/1.1
[DBG] Host: 127.0.0.1
[DBG] User-Agent: check_ssl_cert/2.70.0
[DBG] Connection: close
[DBG] 
[DBG] ' | /usr/bin/openssl s_client     -crlf  -connect 127.0.0.1:443 -servername 127.0.0.1   -showcerts -verify 6        2> /tmp/6OLxZr 1> /tmp/HNqUPQ  
[DBG]   TIMEOUT_REASON = fetching certificate
[DBG] executing with timeout (120s): printf 'HEAD / HTTP/1.1
[DBG] Host: 127.0.0.1
[DBG] User-Agent: check_ssl_cert/2.70.0
[DBG] Connection: close
[DBG] 
[DBG] ' | /usr/bin/openssl s_client     -crlf  -connect 127.0.0.1:443 -servername 127.0.0.1   -showcerts -verify 6        2> /tmp/6OLxZr 1> /tmp/HNqUPQ
[DBG]   start time = 1688892052
[DBG] /usr/bin/timeout 120 /bin/sh -c "printf 'HEAD / HTTP/1.1
[DBG] Host: 127.0.0.1
[DBG] User-Agent: check_ssl_cert/2.70.0
[DBG] Connection: close
[DBG] 
[DBG] ' | /usr/bin/openssl s_client     -crlf  -connect 127.0.0.1:443 -servername 127.0.0.1   -showcerts -verify 6        2> /tmp/6OLxZr 1> /tmp/HNqUPQ"
[DBG]   end time = 1688892052
[DBG]   new timeout = 120
[DBG] Return value of the command = 1
[DBG] SSL error: verify depth is 6
[DBG] SSL error: depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
[DBG] SSL error: verify return:1
[DBG] SSL error: depth=1 C = US, O = Let's Encrypt, CN = R3
[DBG] SSL error: verify return:1
[DBG] SSL error: depth=0 CN = ldap.bingo-ev.de
[DBG] SSL error: verify return:1
[DBG] SSL error: 40D718F9AA7F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:303:
[DBG] CRITICAL ----------------------------------------
[DBG] prepend_critical_message: new message    = TLS handshake error
[DBG] prepend_critical_message: CRITICAL_MSG   = 
[DBG] prepend_critical_message: ALL_MSG 1      = 
[DBG] prepend_critical_message: MSG 2          = SSL_CERT CRITICAL 127.0.0.1: TLS handshake error
[DBG] prepend_critical_message: CRITICAL_MSG 2 = SSL_CERT CRITICAL 127.0.0.1: TLS handshake error
[DBG] prepend_critical_message: ALL_MSG 2      = 
[DBG]     SSL_CERT CRITICAL 127.0.0.1: TLS handshake error
[DBG] CRITICAL ----------------------------------------
[DBG] cleaning up temporary files
[DBG]  /tmp/HNqUPQ /tmp/6OLxZr /tmp/zFO9WO /tmp/V0yNOt /tmp/e1fJgK /tmp/7C7qI0 /tmp/tG3uf9
[DBG] exiting with CRITICAL
[DBG] ALL_MSG = 
[DBG]     SSL_CERT CRITICAL 127.0.0.1: TLS handshake error
[DBG] number of errors = 1
SSL_CERT_CRITICAL 127.0.0.1:443: TLS handshake error 
root@ldap:/tmp# LANG=C /tmp/check_ssl_cert -H 127.0.0.1  -d
[DBG] check_ssl_cert version: 2.70.0
[DBG] System info: Linux ldap 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.37-1 (2023-07-03) x86_64 GNU/Linux
[DBG] /etc/os-release:
[DBG]   PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
[DBG]   NAME="Debian GNU/Linux"
[DBG]   VERSION_ID="12"
[DBG]   VERSION="12 (bookworm)"
[DBG]   VERSION_CODENAME=bookworm
[DBG]   ID=debian
[DBG]   HOME_URL="https://www.debian.org/"
[DBG]   SUPPORT_URL="https://www.debian.org/support"
[DBG]   BUG_REPORT_URL="https://bugs.debian.org/"
[DBG] User: root
[DBG] Shell: /bin/bash
[DBG]   GNU bash, version 5.2.15(1)-release (x86_64-pc-linux-gnu)
[DBG]   Copyright (C) 2022 Free Software Foundation, Inc.
[DBG]   License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
[DBG]   
[DBG]   This is free software; you are free to change and redistribute it.
[DBG]   There is NO WARRANTY, to the extent permitted by law.
[DBG] grep: /usr/bin/grep
[DBG]   grep (GNU grep) 3.8
[DBG]   Copyright (C) 2022 Free Software Foundation, Inc.
[DBG]   License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
[DBG]   This is free software: you are free to change and redistribute it.
[DBG]   There is NO WARRANTY, to the extent permitted by law.
[DBG]   
[DBG]   Written by Mike Haertel and others; see
[DBG]   <https://git.sv.gnu.org/cgit/grep.git/tree/AUTHORS>.
[DBG] hostname: /usr/bin/hostname
[DBG] $PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[DBG] Command line arguments: -H 127.0.0.1 -d
[DBG]   TMPDIR = /tmp
[DBG] Required HTTP headers:   
[DBG] Unrequired HTTP headers: 
[DBG] curl binary needed. SSL Labs = , OCSP = 1, CURL = , IGNORE_CONNECTION_STATE=, FILE_URI=
[DBG] curl binary not specified
[DBG] curl available: /usr/bin/curl
[DBG] curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.9 zlib/1.2.13 brotli/1.0.9 zstd/1.5.4 libidn2/2.3.3 libpsl/0.21.2 (+libidn2/2.3.3) libssh2/1.10.0 nghttp2/1.52.0 librtmp/2.3
[DBG] Release-Date: 2023-02-20
[DBG] Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
[DBG] Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd
[DBG] Proxy settings (after):
[DBG]   http_proxy  = 
[DBG]   https_proxy = 
[DBG]   HTTP_PROXY  = 
[DBG]   HTTPS_PROXY = 
[DBG]   s_client    =  
[DBG]   curl        =  
[DBG] Checking if the host is listed in /etc/hosts
[DBG] Host not found in /etc/hosts: checking DNS
[DBG] HOST = 127.0.0.1
[DBG] SNI                 = 
[DBG] HOST_NAME           = 127.0.0.1
[DBG] HOST_ADDR           = 127.0.0.1
[DBG] NAMES_TO_BE_CHECKED = __HOST__
[DBG] Checking if 127.0.0.1 is an IP address
[DBG] 127.0.0.1 is an IPv4 address
[DBG] HOST_IS_IP.         = 1
[DBG] Checking if 127.0.0.1 is an IP address
[DBG] 127.0.0.1 is an IPv4 address
[DBG] Removing __HOST__ to the names to be checked as the host is 'localhost' or an IP address
[DBG] NAMES_TO_BE_CHECKED = 
[DBG] -c specified: 15
[DBG] -w specified: 20
[DBG] Executing comparison '1728000 < 1296000' (precision 0)
[DBG]   bc result = 0
[DBG]   returning 1
[DBG] ROOT_CA = 
[DBG] mktemp available: /usr/bin/mktemp
[DBG] file version: file-5.44
[DBG] magic file from /etc/magic:/usr/share/misc/magic
[DBG] nmap binary not specified
[DBG] cannot find nmap: disabling connection checks and ciphers checks
[DBG] Checking IPs: host 127.0.0.1
[DBG] perl available: /usr/bin/perl
[DBG] date available: /usr/bin/date
[DBG] checking date version
[DBG] date computation type: GNU
[DBG] OpenSSL binary: /usr/bin/openssl
[DBG] OpenSSL info:
[DBG] OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)
[DBG] built on: Tue May 30 16:12:36 2023 UTC
[DBG] platform: debian-amd64
[DBG] options:  bn(64,64)
[DBG] compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -fzero-call-used-regs=used-gpr -DOPENSSL_TLS_SECURITY_LEVEL=2 -Wa,--noexecstack -g -O2 -ffile-prefix-map=/build/openssl-HFEiK2/openssl-3.0.9=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
[DBG] OPENSSLDIR: "/usr/lib/ssl"
[DBG] ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-3"
[DBG] MODULESDIR: "/usr/lib/x86_64-linux-gnu/ossl-modules"
[DBG] Seeding source: os-specific
[DBG] CPUINFO: OPENSSL_ia32cap=0xffba22234f8bffff:0x400000283
[DBG] OpenSSL configuration directory: /usr/lib/ssl
[DBG] 140 root certificates installed by default
[DBG] Date computation: GNU
[DBG] '/usr/bin/openssl s_client' supports '-servername': using -servername 127.0.0.1
[DBG] Proxy settings (before):
[DBG]   http_proxy  = 
[DBG]   https_proxy = 
[DBG]   HTTP_PROXY  = 
[DBG]   HTTPS_PROXY = 
[DBG] '/usr/bin/openssl s_client' supports '-name': using ldap
[DBG] '/usr/bin/openssl s_client' supports '-xmpphost': using -xmpphost 127.0.0.1
[DBG] HOST_HEADER = 127.0.0.1
[DBG] Using a proxy: cannot test connection
[DBG] Sanity checks: OK
[DBG] temporary file /tmp/Go8o0w created
[DBG] temporary file /tmp/OmJx4V created
[DBG] temporary file /tmp/rXWKlZ created
[DBG] temporary file /tmp/zrWwJK created
[DBG] temporary file /tmp/iXJ3Mu created
[DBG] temporary file /tmp/p6GmsD created
[DBG] temporary file /tmp/q9xfhS created
[DBG] Temporary files created
[DBG] 127.0.0.1 is an IPv4 address
[DBG] fetch_certificate: PROTOCOL = 
[DBG] exec_with_timeout printf 'HEAD / HTTP/1.1
[DBG] Host: 127.0.0.1
[DBG] User-Agent: check_ssl_cert/2.70.0
[DBG] Connection: close
[DBG] 
[DBG] ' | /usr/bin/openssl s_client     -crlf  -connect 127.0.0.1:443 -servername 127.0.0.1   -showcerts -verify 6        2> /tmp/OmJx4V 1> /tmp/Go8o0w  
[DBG]   TIMEOUT_REASON = fetching certificate
[DBG] executing with timeout (120s): printf 'HEAD / HTTP/1.1
[DBG] Host: 127.0.0.1
[DBG] User-Agent: check_ssl_cert/2.70.0
[DBG] Connection: close
[DBG] 
[DBG] ' | /usr/bin/openssl s_client     -crlf  -connect 127.0.0.1:443 -servername 127.0.0.1   -showcerts -verify 6        2> /tmp/OmJx4V 1> /tmp/Go8o0w
[DBG]   start time = 1688892053
[DBG] /usr/bin/timeout 120 /bin/sh -c "printf 'HEAD / HTTP/1.1
[DBG] Host: 127.0.0.1
[DBG] User-Agent: check_ssl_cert/2.70.0
[DBG] Connection: close
[DBG] 
[DBG] ' | /usr/bin/openssl s_client     -crlf  -connect 127.0.0.1:443 -servername 127.0.0.1   -showcerts -verify 6        2> /tmp/OmJx4V 1> /tmp/Go8o0w"
[DBG]   end time = 1688892053
[DBG]   new timeout = 120
[DBG] Return value of the command = 1
[DBG] SSL error: verify depth is 6
[DBG] SSL error: depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
[DBG] SSL error: verify return:1
[DBG] SSL error: depth=1 C = US, O = Let's Encrypt, CN = R3
[DBG] SSL error: verify return:1
[DBG] SSL error: depth=0 CN = ldap.bingo-ev.de
[DBG] SSL error: verify return:1
[DBG] SSL error: 4017D596427F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:303:
[DBG] CRITICAL ----------------------------------------
[DBG] prepend_critical_message: new message    = TLS handshake error
[DBG] prepend_critical_message: CRITICAL_MSG   = 
[DBG] prepend_critical_message: ALL_MSG 1      = 
[DBG] prepend_critical_message: MSG 2          = SSL_CERT CRITICAL 127.0.0.1: TLS handshake error
[DBG] prepend_critical_message: CRITICAL_MSG 2 = SSL_CERT CRITICAL 127.0.0.1: TLS handshake error
[DBG] prepend_critical_message: ALL_MSG 2      = 
[DBG]     SSL_CERT CRITICAL 127.0.0.1: TLS handshake error
[DBG] CRITICAL ----------------------------------------
[DBG] cleaning up temporary files
[DBG]  /tmp/Go8o0w /tmp/OmJx4V /tmp/rXWKlZ /tmp/zrWwJK /tmp/iXJ3Mu /tmp/p6GmsD /tmp/q9xfhS
[DBG] exiting with CRITICAL
[DBG] ALL_MSG = 
[DBG]     SSL_CERT CRITICAL 127.0.0.1: TLS handshake error
[DBG] number of errors = 1
SSL_CERT_CRITICAL 127.0.0.1:443: TLS handshake error 
root@ldap:/tmp# LANG=C /tmp/check_ssl_cert -H 127.0.0.1  -d
[DBG] check_ssl_cert version: 2.70.0
[DBG] System info: Linux ldap 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.37-1 (2023-07-03) x86_64 GNU/Linux
[DBG] /etc/os-release:
[DBG]   PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
[DBG]   NAME="Debian GNU/Linux"
[DBG]   VERSION_ID="12"
[DBG]   VERSION="12 (bookworm)"
[DBG]   VERSION_CODENAME=bookworm
[DBG]   ID=debian
[DBG]   HOME_URL="https://www.debian.org/"
[DBG]   SUPPORT_URL="https://www.debian.org/support"
[DBG]   BUG_REPORT_URL="https://bugs.debian.org/"
[DBG] User: root
[DBG] Shell: /bin/bash
[DBG]   GNU bash, version 5.2.15(1)-release (x86_64-pc-linux-gnu)
[DBG]   Copyright (C) 2022 Free Software Foundation, Inc.
[DBG]   License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
[DBG]   
[DBG]   This is free software; you are free to change and redistribute it.
[DBG]   There is NO WARRANTY, to the extent permitted by law.
[DBG] grep: /usr/bin/grep
[DBG]   grep (GNU grep) 3.8
[DBG]   Copyright (C) 2022 Free Software Foundation, Inc.
[DBG]   License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
[DBG]   This is free software: you are free to change and redistribute it.
[DBG]   There is NO WARRANTY, to the extent permitted by law.
[DBG]   
[DBG]   Written by Mike Haertel and others; see
[DBG]   <https://git.sv.gnu.org/cgit/grep.git/tree/AUTHORS>.
[DBG] hostname: /usr/bin/hostname
[DBG] $PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[DBG] Command line arguments: -H 127.0.0.1 -d
[DBG]   TMPDIR = /tmp
[DBG] Required HTTP headers:   
[DBG] Unrequired HTTP headers: 
[DBG] curl binary needed. SSL Labs = , OCSP = 1, CURL = , IGNORE_CONNECTION_STATE=, FILE_URI=
[DBG] curl binary not specified
[DBG] curl available: /usr/bin/curl
[DBG] curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.9 zlib/1.2.13 brotli/1.0.9 zstd/1.5.4 libidn2/2.3.3 libpsl/0.21.2 (+libidn2/2.3.3) libssh2/1.10.0 nghttp2/1.52.0 librtmp/2.3
[DBG] Release-Date: 2023-02-20
[DBG] Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
[DBG] Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd
[DBG] Proxy settings (after):
[DBG]   http_proxy  = 
[DBG]   https_proxy = 
[DBG]   HTTP_PROXY  = 
[DBG]   HTTPS_PROXY = 
[DBG]   s_client    =  
[DBG]   curl        =  
[DBG] Checking if the host is listed in /etc/hosts
[DBG] Host not found in /etc/hosts: checking DNS
[DBG] HOST = 127.0.0.1
[DBG] SNI                 = 
[DBG] HOST_NAME           = 127.0.0.1
[DBG] HOST_ADDR           = 127.0.0.1
[DBG] NAMES_TO_BE_CHECKED = __HOST__
[DBG] Checking if 127.0.0.1 is an IP address
[DBG] 127.0.0.1 is an IPv4 address
[DBG] HOST_IS_IP.         = 1
[DBG] Checking if 127.0.0.1 is an IP address
[DBG] 127.0.0.1 is an IPv4 address
[DBG] Removing __HOST__ to the names to be checked as the host is 'localhost' or an IP address
[DBG] NAMES_TO_BE_CHECKED = 
[DBG] -c specified: 15
[DBG] -w specified: 20
[DBG] Executing comparison '1728000 < 1296000' (precision 0)
[DBG]   bc result = 0
[DBG]   returning 1
[DBG] ROOT_CA = 
[DBG] mktemp available: /usr/bin/mktemp
[DBG] file version: file-5.44
[DBG] magic file from /etc/magic:/usr/share/misc/magic
[DBG] nmap binary not specified
[DBG] cannot find nmap: disabling connection checks and ciphers checks
[DBG] Checking IPs: host 127.0.0.1
[DBG] perl available: /usr/bin/perl
[DBG] date available: /usr/bin/date
[DBG] checking date version
[DBG] date computation type: GNU
[DBG] OpenSSL binary: /usr/bin/openssl
[DBG] OpenSSL info:
[DBG] OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)
[DBG] built on: Tue May 30 16:12:36 2023 UTC
[DBG] platform: debian-amd64
[DBG] options:  bn(64,64)
[DBG] compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -fzero-call-used-regs=used-gpr -DOPENSSL_TLS_SECURITY_LEVEL=2 -Wa,--noexecstack -g -O2 -ffile-prefix-map=/build/openssl-HFEiK2/openssl-3.0.9=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
[DBG] OPENSSLDIR: "/usr/lib/ssl"
[DBG] ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-3"
[DBG] MODULESDIR: "/usr/lib/x86_64-linux-gnu/ossl-modules"
[DBG] Seeding source: os-specific
[DBG] CPUINFO: OPENSSL_ia32cap=0xffba22234f8bffff:0x400000283
[DBG] OpenSSL configuration directory: /usr/lib/ssl
[DBG] 140 root certificates installed by default
[DBG] Date computation: GNU
[DBG] '/usr/bin/openssl s_client' supports '-servername': using -servername 127.0.0.1
[DBG] Proxy settings (before):
[DBG]   http_proxy  = 
[DBG]   https_proxy = 
[DBG]   HTTP_PROXY  = 
[DBG]   HTTPS_PROXY = 
[DBG] '/usr/bin/openssl s_client' supports '-name': using ldap
[DBG] '/usr/bin/openssl s_client' supports '-xmpphost': using -xmpphost 127.0.0.1
[DBG] HOST_HEADER = 127.0.0.1
[DBG] Using a proxy: cannot test connection
[DBG] Sanity checks: OK
[DBG] temporary file /tmp/q4c9y3 created
[DBG] temporary file /tmp/Vpb7C2 created
[DBG] temporary file /tmp/NGYFSX created
[DBG] temporary file /tmp/ituaCq created
[DBG] temporary file /tmp/rojaAF created
[DBG] temporary file /tmp/SVscUM created
[DBG] temporary file /tmp/hOc9tC created
[DBG] Temporary files created
[DBG] 127.0.0.1 is an IPv4 address
[DBG] fetch_certificate: PROTOCOL = 
[DBG] exec_with_timeout printf 'HEAD / HTTP/1.1
[DBG] Host: 127.0.0.1
[DBG] User-Agent: check_ssl_cert/2.70.0
[DBG] Connection: close
[DBG] 
[DBG] ' | /usr/bin/openssl s_client     -crlf  -connect 127.0.0.1:443 -servername 127.0.0.1   -showcerts -verify 6        2> /tmp/Vpb7C2 1> /tmp/q4c9y3  
[DBG]   TIMEOUT_REASON = fetching certificate
[DBG] executing with timeout (120s): printf 'HEAD / HTTP/1.1
[DBG] Host: 127.0.0.1
[DBG] User-Agent: check_ssl_cert/2.70.0
[DBG] Connection: close
[DBG] 
[DBG] ' | /usr/bin/openssl s_client     -crlf  -connect 127.0.0.1:443 -servername 127.0.0.1   -showcerts -verify 6        2> /tmp/Vpb7C2 1> /tmp/q4c9y3
[DBG]   start time = 1688892054
[DBG] /usr/bin/timeout 120 /bin/sh -c "printf 'HEAD / HTTP/1.1
[DBG] Host: 127.0.0.1
[DBG] User-Agent: check_ssl_cert/2.70.0
[DBG] Connection: close
[DBG] 
[DBG] ' | /usr/bin/openssl s_client     -crlf  -connect 127.0.0.1:443 -servername 127.0.0.1   -showcerts -verify 6        2> /tmp/Vpb7C2 1> /tmp/q4c9y3"
[DBG]   end time = 1688892054
[DBG]   new timeout = 120
[DBG] Return value of the command = 0
[DBG] Negotiated protocol: 
[DBG] openssl_version 3.0.0
[DBG] Checking if OpenSSL version is at least 3.0.0 ( '3' '0' '0' ':0' )
[DBG] openssl version: OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)
[DBG] Current version 3.0.9 ( '3' '0' '9' ':0' )
[DBG]   true
[DBG] Skipping TLS renegotiation check as OpenSSL 3.0.0 enforces it by default
[DBG] extracting cert attribute enddate
[DBG] extracting cert attribute startdate
[DBG] extracting cert attribute cn
[DBG] extracting cert attribute subject
[DBG] SUBJECT = subject=CN = ldap.bingo-ev.de
[DBG] extracting cert attribute serial
[DBG] SERIAL = 037CB07C237F28BF0AD0EEA3A68CD5B0EEDE
[DBG] extracting cert attribute version
[DBG] X509_VERSION = 3 (0x2)
[DBG] extracting cert attribute fingerprint
[DBG] FINGERPRINT = sha1 Fingerprint=2A:C0:AF:A1:18:F6:B7:B4:7B:BE:BF:E2:75:0D:B8:8C:02:47:C7:F0
[DBG] Checking if x509 supports the -ext option
[DBG] extracting cert attribute keyUsage
[DBG] Certificate purpose is not defined as critical
[DBG] extracting cert attribute oscp_uri_single
[DBG] extracting cert attribute oscp_uri
[DBG] OCSP_URI = http://r3.o.lencr.org
[DBG] Extracting issuers
[DBG]   Number of certificates in the chain: 3
[DBG] Checking certificate chain
[DBG]     extracting issuer for element 1
[DBG] extracting cert attribute issuer
[DBG] ELEMENT_ISSUER=Let's Encrypt
[DBG] ELEMENT_ISSUER=R3
[DBG] ISSUERS=Let's Encrypt
[DBG] ISSUERS=R3
[DBG]     extracting issuer for element 2
[DBG] extracting cert attribute issuer
[DBG] ELEMENT_ISSUER=Internet Security Research Group
[DBG] ELEMENT_ISSUER=ISRG Root X1
[DBG] ISSUERS=Let's Encrypt
[DBG] ISSUERS=R3
[DBG] ISSUERS=Internet Security Research Group
[DBG] ISSUERS=ISRG Root X1
[DBG]     extracting issuer for element 3
[DBG] extracting cert attribute issuer
[DBG] ELEMENT_ISSUER=Digital Signature Trust Co.
[DBG] ELEMENT_ISSUER=DST Root CA X3
[DBG] ISSUERS=Let's Encrypt
[DBG] ISSUERS=R3
[DBG] ISSUERS=Internet Security Research Group
[DBG] ISSUERS=ISRG Root X1
[DBG] ISSUERS=Digital Signature Trust Co.
[DBG] ISSUERS=DST Root CA X3
[DBG] Certificate chain check finished
[DBG] ISSUERS = 
[DBG] Let's Encrypt
[DBG] R3
[DBG] Internet Security Research Group
[DBG] ISRG Root X1
[DBG] Digital Signature Trust Co.
[DBG] DST Root CA X3
[DBG] extracting cert attribute issuer_uri_single
[DBG] extracting cert attribute issuer_uri
[DBG] extracting cert attribute pub_key_algo
[DBG] extracting cert attribute sig_algo
[DBG] subject=CN = ldap.bingo-ev.de
[DBG] CN         = ldap.bingo-ev.de
[DBG] CA         = Let's Encrypt
[DBG] CA         = R3
[DBG] CA         = Internet Security Research Group
[DBG] CA         = ISRG Root X1
[DBG] CA         = Digital Signature Trust Co.
[DBG] CA         = DST Root CA X3
[DBG] SERIAL     = 037CB07C237F28BF0AD0EEA3A68CD5B0EEDE
[DBG] FINGERPRINT= sha1 Fingerprint=2A:C0:AF:A1:18:F6:B7:B4:7B:BE:BF:E2:75:0D:B8:8C:02:47:C7:F0
[DBG] OCSP_URI   = http://r3.o.lencr.org
[DBG] ISSUER_URI = http://r3.i.lencr.org/
[DBG] rsaEncryption sha256WithRSAEncryption
[DBG] extracting cert attribute subjectAlternativeName
[DBG] subjectAlternativeName = ldap.bingo-ev.de
[DBG] Checking expiration date
[DBG] Number of certificates in CA chain: 3
[DBG] ------------------------------------------------------------------------------
[DBG] -- Checking element 1
[DBG] extracting cert attribute cn
[DBG] Checking expiration date of element 1 (ldap.bingo-ev.de)
[DBG] extracting cert attribute enddate
[DBG] Validity date on cert element 1 (ldap.bingo-ev.de) is Oct  7 03:28:49 2023 GMT
[DBG] Date computations: GNU
[DBG] Computing number of hours until 'Oct  7 03:28:49 2023 GMT' with GNU
[DBG] Computing '(1696649329-1688892055)/3600' (precision 0)
[DBG] Hours until Oct  7 03:28:49 2023 GMT: 2154
[DBG] Computing '2154/24' (precision 0)
[DBG] Computing '2154 * 3600' (precision 0)
[DBG] Adding line to prometheus days output: cert_days_chain_elem{cn="ldap.bingo-ev.de", element="1"} 89
[DBG]   valid for 89 days
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 0 on cert element 1 (ldap.bingo-ev.de)
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 1296000 on cert element 1 (ldap.bingo-ev.de)
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 1728000 on cert element 1
[DBG] Adding line to prometheus validity output: cert_valid_chain_elem{cn="ldap.bingo-ev.de", element="1"} 0
[DBG] ------------------------------------------------------------------------------
[DBG] Checking OCSP status of element 1
[DBG] temporary file /tmp/e5unxZ created
[DBG] Storing the chain element in /tmp/e5unxZ
[DBG] Checking revocation via OCSP
[DBG] extracting cert attribute issuer_hash
[DBG] Issuer hash: 8d33f237
[DBG] extracting cert attribute issuer_uri
[DBG] Chain element issuer URIs: http://r3.i.lencr.org/
[DBG] checking issuer URIs: http://r3.i.lencr.org/
[DBG] OCSP: fetching issuer certificate http://r3.i.lencr.org/ to /tmp/SVscUM
[DBG] exec_with_timeout /usr/bin/curl    --silent --user-agent 'check_ssl_cert/2.70.0' --location \"http://r3.i.lencr.org/\" > /tmp/SVscUM  
[DBG]   TIMEOUT_REASON = OCSP: fetching issuer http://r3.i.lencr.org/
[DBG] executing with timeout (120s): /usr/bin/curl    --silent --user-agent 'check_ssl_cert/2.70.0' --location \"http://r3.i.lencr.org/\" > /tmp/SVscUM
[DBG]   start time = 1688892055
[DBG] /usr/bin/timeout 120 /bin/sh -c "/usr/bin/curl    --silent --user-agent 'check_ssl_cert/2.70.0' --location \"http://r3.i.lencr.org/\" > /tmp/SVscUM"
[DBG]   end time = 1688892055
[DBG]   new timeout = 120
[DBG] OCSP: issuer certificate type (1): Certificate, Version=3
[DBG] OCSP: issuer certificate type (2): Certificate, Version=3
[DBG] OCSP: converting issuer certificate from DER to PEM
[DBG] OCSP: issuer certificate type (3): PEM certificate
[DBG] extracting cert attribute oscp_uri
[DBG] OCSP: URIs = http://r3.o.lencr.org
[DBG] OCSP: URI = http://r3.o.lencr.org
[DBG] OCSP: host = r3.o.lencr.org
[DBG] openssl ocsp supports the -header option
[DBG] /usr/bin/openssl ocsp -header requires 'key=value'
[DBG] executing /usr/bin/openssl ocsp -timeout "120" -no_nonce -issuer /tmp/SVscUM -cert /tmp/e5unxZ  -url http://r3.o.lencr.org  -header HOST=r3.o.lencr.org
[DBG] OCSP: response = Response verify OK
[DBG] OCSP: response = /tmp/e5unxZ: good
[DBG] OCSP: response =  This Update: Jul  9 04:00:00 2023 GMT
[DBG] OCSP: response =  Next Update: Jul 16 03:59:58 2023 GMT
[DBG] Timeout before OCSP check: 120
[DBG] Timeout after OCSP check:  120
[DBG] ------------------------------------------------------------------------------
[DBG] -- Checking element 2
[DBG] extracting cert attribute cn
[DBG] Checking expiration date of element 2 (R3)
[DBG] extracting cert attribute enddate
[DBG] Validity date on cert element 2 (R3) is Sep 15 16:00:00 2025 GMT
[DBG] Date computations: GNU
[DBG] Computing number of hours until 'Sep 15 16:00:00 2025 GMT' with GNU
[DBG] Computing '(1757952000-1688892056)/3600' (precision 0)
[DBG] Hours until Sep 15 16:00:00 2025 GMT: 19183
[DBG] Computing '19183/24' (precision 0)
[DBG] Computing '19183 * 3600' (precision 0)
[DBG] Adding line to prometheus days output: cert_days_chain_elem{cn="ldap.bingo-ev.de", element="2"} 799
[DBG]   valid for 799 days
[DBG] Executing comparison '19183 < 2154' (precision 0)
[DBG]   bc result = 0
[DBG]   returning 1
[DBG] Executing comparison '799 < 89' (precision 0)
[DBG]   bc result = 0
[DBG]   returning 1
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 0 on cert element 2 (R3)
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 1296000 on cert element 2 (R3)
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 1728000 on cert element 2
[DBG] Adding line to prometheus validity output: cert_valid_chain_elem{cn="ldap.bingo-ev.de", element="2"} 0
[DBG] ------------------------------------------------------------------------------
[DBG] Checking OCSP status of element 2
[DBG] temporary file /tmp/s4y13X created
[DBG] Storing the chain element in /tmp/s4y13X
[DBG] Checking revocation via OCSP
[DBG] extracting cert attribute issuer_hash
[DBG] Issuer hash: 4042bcee
[DBG] extracting cert attribute issuer_uri
[DBG] Chain element issuer URIs: http://x1.i.lencr.org/
[DBG] checking issuer URIs: http://x1.i.lencr.org/
[DBG] OCSP: fetching issuer certificate http://x1.i.lencr.org/ to /tmp/SVscUM
[DBG] exec_with_timeout /usr/bin/curl    --silent --user-agent 'check_ssl_cert/2.70.0' --location \"http://x1.i.lencr.org/\" > /tmp/SVscUM  
[DBG]   TIMEOUT_REASON = OCSP: fetching issuer http://x1.i.lencr.org/
[DBG] executing with timeout (120s): /usr/bin/curl    --silent --user-agent 'check_ssl_cert/2.70.0' --location \"http://x1.i.lencr.org/\" > /tmp/SVscUM
[DBG]   start time = 1688892056
[DBG] /usr/bin/timeout 120 /bin/sh -c "/usr/bin/curl    --silent --user-agent 'check_ssl_cert/2.70.0' --location \"http://x1.i.lencr.org/\" > /tmp/SVscUM"
[DBG]   end time = 1688892056
[DBG]   new timeout = 120
[DBG] OCSP: issuer certificate type (1): Certificate, Version=3
[DBG] OCSP: issuer certificate type (2): Certificate, Version=3
[DBG] OCSP: converting issuer certificate from DER to PEM
[DBG] OCSP: issuer certificate type (3): PEM certificate
[DBG] extracting cert attribute oscp_uri
[DBG] OCSP: URIs = 
[DBG] ------------------------------------------------------------------------------
[DBG] -- Checking element 3
[DBG] extracting cert attribute cn
[DBG] Checking expiration date of element 3 (ISRG Root X1)
[DBG] extracting cert attribute enddate
[DBG] Validity date on cert element 3 (ISRG Root X1) is Sep 30 18:14:03 2024 GMT
[DBG] Date computations: GNU
[DBG] Computing number of hours until 'Sep 30 18:14:03 2024 GMT' with GNU
[DBG] Computing '(1727720043-1688892056)/3600' (precision 0)
[DBG] Hours until Sep 30 18:14:03 2024 GMT: 10785
[DBG] Computing '10785/24' (precision 0)
[DBG] Computing '10785 * 3600' (precision 0)
[DBG] Adding line to prometheus days output: cert_days_chain_elem{cn="ldap.bingo-ev.de", element="3"} 449
[DBG]   valid for 449 days
[DBG] Executing comparison '10785 < 2154' (precision 0)
[DBG]   bc result = 0
[DBG]   returning 1
[DBG] Executing comparison '449 < 89' (precision 0)
[DBG]   bc result = 0
[DBG]   returning 1
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 0 on cert element 3 (ISRG Root X1)
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 1296000 on cert element 3 (ISRG Root X1)
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 1728000 on cert element 3
[DBG] Adding line to prometheus validity output: cert_valid_chain_elem{cn="ldap.bingo-ev.de", element="3"} 0
[DBG] ------------------------------------------------------------------------------
[DBG] Checking OCSP status of element 3
[DBG] temporary file /tmp/ypGCoV created
[DBG] Storing the chain element in /tmp/ypGCoV
[DBG] Checking revocation via OCSP
[DBG] extracting cert attribute issuer_hash
[DBG] Issuer hash: 2e5ac55d
[DBG] extracting cert attribute issuer_uri
[DBG] Chain element issuer URIs: http://apps.identrust.com/roots/dstrootcax3.p7c
[DBG] checking issuer URIs: http://apps.identrust.com/roots/dstrootcax3.p7c
[DBG] OCSP: fetching issuer certificate http://apps.identrust.com/roots/dstrootcax3.p7c to /tmp/SVscUM
[DBG] exec_with_timeout /usr/bin/curl    --silent --user-agent 'check_ssl_cert/2.70.0' --location \"http://apps.identrust.com/roots/dstrootcax3.p7c\" > /tmp/SVscUM  
[DBG]   TIMEOUT_REASON = OCSP: fetching issuer http://apps.identrust.com/roots/dstrootcax3.p7c
[DBG] executing with timeout (120s): /usr/bin/curl    --silent --user-agent 'check_ssl_cert/2.70.0' --location \"http://apps.identrust.com/roots/dstrootcax3.p7c\" > /tmp/SVscUM
[DBG]   start time = 1688892057
[DBG] /usr/bin/timeout 120 /bin/sh -c "/usr/bin/curl    --silent --user-agent 'check_ssl_cert/2.70.0' --location \"http://apps.identrust.com/roots/dstrootcax3.p7c\" > /tmp/SVscUM"
[DBG]   end time = 1688892057
[DBG]   new timeout = 120
[DBG] OCSP: issuer certificate type (1): DER Encoded PKCS#7 Signed Data
[DBG] OCSP: converting issuer certificate from PKCS #7 to PEM
[DBG] OCSP: issuer certificate type (2): ASCII text
[DBG] OCSP: issuer certificate type (3): ASCII text
[DBG] extracting cert attribute oscp_uri
[DBG] OCSP: URIs = 
[DBG] ------------------------------------------------------------------------------
[DBG] extracting cert attribute email
[DBG] EMAIL = 
[DBG] openssl_version 1.1.0
[DBG] Checking if OpenSSL version is at least 1.1.0 ( '1' '1' '0' ':0' )
[DBG] openssl version: 3.0.9
[DBG] Current version 3.0.9 ( '3' '0' '9' ':0' )
[DBG]   true
[DBG] Checking Signed Certificate Timestamps (SCTs)
[DBG] extracting cert attribute sct
[DBG] Date computations: GNU
[DBG] Computing number of hours until 'Oct  7 03:28:49 2023 GMT' with GNU
[DBG] Computing '(1696649329-1688892057)/3600' (precision 0)
[DBG] Hours until Oct  7 03:28:49 2023 GMT: 2154
[DBG] Date computations: GNU
[DBG] Computing number of hours until 'Jul  9 03:28:50 2023 GMT' with GNU
[DBG] Computing '(1688873330-1688892057)/3600' (precision 0)
[DBG] Hours until Jul  9 03:28:50 2023 GMT: -5
[DBG] Computing '(2154 - -5)/24' (precision 0)
[DBG] Executing comparison '89 >= 1' (precision 0)
[DBG]   bc result = 1
[DBG]   returning 0
[DBG] output parameters: CA_ISSUER_MATCHED     = Let's Encrypt
[DBG] output parameters: CHECKEDNAMES          = 
[DBG] output parameters: CN                    = ldap.bingo-ev.de
[DBG] output parameters: DATE                  = Oct  7 03:28:49 2023 GMT
[DBG] output parameters: DAYS_VALID            =  (expires in 89 days)
[DBG] output parameters: DYSPLAY_CN            = 'ldap.bingo-ev.de' 
[DBG] output parameters: OPENSSL_COMMAND       = x509
[DBG] output parameters: SELFSIGNEDCERT        = 
[DBG] output parameters: SHORTNAME             = SSL_CERT
[DBG] output parameters: OCSP_EXPIRES_IN_HOURS = 
[DBG] output parameters: SSL_LABS_HOST_GRADE   = 
[DBG] output parameters: PROTOCOL              = https
SSL_CERT OK - 127.0.0.1:443, https, x509 certificate 'ldap.bingo-ev.de' from 'Let's Encrypt' valid until Oct  7 03:28:49 2023 GMT (expires in 89 days)|days_chain_elem1=89;20;15;; days_chain_elem2=799;20;15;; days_chain_elem3=449;20;15;;
[DBG] cleaning up temporary files
[DBG]  /tmp/q4c9y3 /tmp/Vpb7C2 /tmp/NGYFSX /tmp/ituaCq /tmp/rojaAF /tmp/SV
[DBG] cUM /tmp/hOc9tC /tmp/e5unxZ /tmp/
[DBG] 4y13X /tmp/ypGCoV

The HTTP server on port 443 is uwsgi 2.0.21. No problems when interacting with it with a browser.

The error is generated by OpenSSL:

/usr/bin/openssl s_client -crlf -connect 127.0.0.1:443 -servername 127.0.0.1 -showcerts -verify 6

What happens if you execute the command directly?

The error could be caused by a wrong handshake. Can you try with a different cipher or TLS version?

See: https://serverfault.com/questions/1126612/ssl-error-unexpected-eof-while-reading-on-same-server-as-the-originating-reque

Indeed, openssl's output ends with:

read R BLOCK
40A71FB3D57F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:303:

There's a five second pause after "read R BLOCK". I run the command quite often, output is always the same.
So it looks like the thing in your serverfault link.

Tried the openssl command with different ciphers and TLS versions, e.g. /usr/bin/openssl s_client -crlf -connect 127.0.0.1:443 -servername 127.0.0.1 -showcerts -verify 6 -tls1_2, /usr/bin/openssl s_client -crlf -connect 127.0.0.1:443 -servername 127.0.0.1 -showcerts -verify 6 -tls1_3 -ciphersuites TLS_AES_128_GCM_SHA256 and such: It always ends with "unexpected eof while reading".

I'm still confused that check_ssl_cert reports "SSL_CERT OK" in rare cases.

It could be that the server and OpenSSL, sporadically, agree on a different cipher.
As the issue is not related to check_ssl_cert, I'll close the issue.
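
The OpenSSL error line quoted in this thread follows the OpenSSL 3.x error-queue format, so a monitoring wrapper can tell an "unexpected eof while reading" apart from a refused handshake instead of reporting both as one generic failure. The following is an added example, not part of check_ssl_cert or of the thread; the function names and verdict labels are assumptions.

```shell
#!/bin/sh
# Added example: triage OpenSSL 3.x error-queue lines found in s_client stderr.
# Layout: <thread-id>:error:<hex code>:<library>:<function>:<reason>:<file>:<line>:<data>

# Print "code|library|function|reason|file|line"; exit status 1 if not an error line.
parse_openssl_error() (
    case "$1" in *:error:*) ;; *) exit 1 ;; esac
    IFS=: read -r _tid tag code lib func reason file line _data <<EOF
$1
EOF
    [ "$tag" = error ] || exit 1
    printf '%s|%s|%s|%s|%s|%s\n' "$code" "$lib" "$func" "$reason" "$file" "$line"
)

# Split a packed OpenSSL 3.x error code: library number in bits 23-30,
# reason number in the low 23 bits.
decode_openssl_code() {
    printf 'lib=%d reason=%d\n' $(( (0x$1 >> 23) & 0xFF )) $(( 0x$1 & 0x7FFFFF ))
}

# Read s_client stderr on stdin and print one verdict for the monitoring check.
classify_s_client_stderr() {
    verdict=no_error
    while IFS= read -r l; do
        fields=$(parse_openssl_error "$l") || continue
        reason=$(printf '%s\n' "$fields" | cut -d'|' -f4)
        case "$reason" in
            "unexpected eof while reading")
                verdict=unexpected_eof ;;          # stream ended without a TLS close_notify
            *"alert handshake failure"*)
                verdict=handshake_alert; break ;;  # peer refused the handshake itself
            *)
                if [ "$verdict" = no_error ]; then verdict=other_error; fi ;;
        esac
    done
    printf '%s\n' "$verdict"
}

# Sample stderr: the two lines quoted in the thread.
sample_stderr() {
    cat <<'EOF'
read R BLOCK
40A71FB3D57F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:303:
EOF
}

sample_stderr | classify_s_client_stderr
```

In the check shown in the debug log, the stderr to classify is the file that the `2>` redirection of the `openssl s_client` command writes to.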