Bug #15574
Stunnel: Error resolving "r11.o.lencr.org": Address family for nodename not supported (EAI_ADDRFAMILY)
Status: Closed
Description
I have an issue with the stunnel package in pfSense 2.7.2. Since my certificate was renewed a few days ago, I cannot connect to any host through stunnel. On the client I receive a timeout. In the pfSense log I see the following messages:
Jun 24 15:21:38 stunnel 80915 LOG5[119]: Service [SerHomeCTRL1] accepted connection from xx.xx.xx.xx:54576
Jun 24 15:21:38 stunnel 80915 LOG5[119]: OCSP: Connecting the AIA responder "http://r11.o.lencr.org"
Jun 24 15:24:34 stunnel 80915 LOG3[119]: Error resolving "r11.o.lencr.org": Address family for nodename not supported (EAI_ADDRFAMILY)
Jun 24 15:24:34 stunnel 80915 LOG3[119]: OCSP: Failed to resolve the OCSP responder address
Jun 24 15:24:34 stunnel 80915 LOG3[119]: SSL_accept: /var/jenkins/workspace/pfSense-CE-snapshots-2_7_2-main/sources/FreeBSD-src-RELENG_2_7_2/crypto/openssl/ssl/record/rec_layer_s3.c:304: error:0A000126:SSL routines::unexpected eof while reading
Jun 24 15:24:34 stunnel 80915 LOG5[119]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
When I check from the console, the host r11.o.lencr.org can be reached:
ping r11.o.lencr.org
PING a1887.dscq.akamai.net (95.101.75.42): 56 data bytes
64 bytes from 95.101.75.42: icmp_seq=0 ttl=57 time=6.180 ms
64 bytes from 95.101.75.42: icmp_seq=1 ttl=57 time=6.998 ms
64 bytes from 95.101.75.42: icmp_seq=2 ttl=57 time=6.823 ms
It seems that the issue is related to Let's Encrypt switching from the R3 to the R11 intermediate certificate, as R3 is now retired (https://community.letsencrypt.org/t/issue-certificate-on-r3-intermediate/220243).
I am not sure how to resolve this issue.
Thanks
Updated by Jim Pingle 5 months ago
- Status changed from New to Not a Bug
Seems more like a local cert issue than a bug in stunnel. The usual way to fix such things is to delete the stale CA entries from the cert manager and force an ACME renewal so it fixes the trust chain properly. This site is not for support or diagnostic discussion, so keep follow-up questions on the forum unless it's determined to be a bug in stunnel (the pfSense package code for stunnel -- NOT an upstream stunnel bug).
For assistance in solving problems, please post on the Netgate Forum.
See Reporting Issues with pfSense Software for more information.
Updated by A Schnee 5 months ago
Thank you for the quick reply.
I opened this bug after doing a full clean install of pfSense 2.7.2 and experienced the same issue after installing acme and stunnel. Also, the same certs seem to work everywhere (e.g. for the web GUI) except stunnel.
I also created https://forum.netgate.com/topic/188866/stunnel-error-resolving-r11-o-lencr-org-address-family-for-nodename-not-supported-eai_addrfamily
Updated by A Schnee 5 months ago
Hi, I went through several rounds of testing and I believe that this is a bug somewhere in pfSense/stunnel.
Currently:
1. The web interface of pfSense uses the same certificate without issues
2. Stunnel with the same certificate fails on pfsense (Error resolving "r11.o.lencr.org": Address family for nodename not supported (EAI_ADDRFAMILY))
3. Installing stunnel 5.68 on Debian 12.5, the same certificate (PEM file copied from pfSense) works without issues.
I am trying to add this to the forum post (https://forum.netgate.com/topic/188866/stunnel-error-resolving-r11-o-lencr-org-address-family-for-nodename-not-supported-eai_addrfamily?_=1719401731041) but my comment is always marked as spam :(
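The log in the report shows the two steps stunnel takes before the handshake fails: it reads the OCSP responder URL from the certificate chain's Authority Information Access (AIA) extension ("Connecting the AIA responder") and then resolves that host, which is where EAI_ADDRFAMILY is returned. The script below is an added diagnostic for reproducing those steps by hand; it is not code from the bug report, pfSense or stunnel. It assumes `openssl` (1.1.1 or newer, for `-addext`) and `getent` (with the `ahostsv4`/`ahostsv6` databases, present on FreeBSD and glibc) are on PATH. The self-signed demo certificate and its responder URL `http://ocsp.example.test/` are constructed here so the extraction step can run offline; the per-family resolution and the OCSP query need network access.

```shell
#!/bin/sh
# Added diagnostic for the failure pattern in the report (not part of pfSense,
# stunnel or the bug report). Steps mirror what stunnel does: read the OCSP
# responder URL from the AIA extension, resolve its host, then query it.
# Assumes openssl >= 1.1.1 and getent on PATH. The demo cert is constructed.

# Print the OCSP responder URL(s) embedded in a PEM certificate, one per line.
# This is the value stunnel logs as 'Connecting the AIA responder'.
ocsp_urls() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Reduce an http(s) URL to its host part:
# http://r11.o.lencr.org -> r11.o.lencr.org
ocsp_host_from_url() {
    printf '%s\n' "$1" | sed -E 's#^[A-Za-z][A-Za-z0-9+.-]*://##; s#[/:?].*$##'
}

# Resolve a host one address family at a time. A resolver or libc that only
# answers for one family shows up as a per-family failure here instead of the
# generic 'cannot resolve' that ping hides by picking whichever family works.
resolve_per_family() {
    h="$1"
    for db in ahostsv4 ahostsv6; do
        if addrs=$(getent "$db" "$h" 2>/dev/null) && [ -n "$addrs" ]; then
            printf '%s: %s ok\n' "$db" "$h"
            printf '%s\n' "$addrs" | awk '{print "  " $1}' | sort -u
        else
            printf '%s: %s FAILED\n' "$db" "$h"
        fi
    done
}

# For each responder in CERT, resolve its host and send a real OCSP request
# using ISSUER as the issuing CA (the request stunnel makes after DNS succeeds).
ocsp_query() {
    cert="$1"; issuer="$2"
    ocsp_urls "$cert" | while read -r url; do
        echo "== $url"
        resolve_per_family "$(ocsp_host_from_url "$url")"
        openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" -noverify -resp_text
    done
}

# Build a self-signed certificate carrying an AIA OCSP URL so the extraction
# step can be exercised offline (constructed demo input, not a real CA cert).
make_demo_cert() {
    out="$1"; url="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "${out%.pem}.key" \
        -out "$out" -subj "/CN=ocsp-demo" -days 1 \
        -addext "authorityInfoAccess=OCSP;URI:$url" 2>/dev/null
}

# Stand-alone usage: sh ocsp_check.sh CERT.pem ISSUER.pem
if [ "$#" -ge 2 ]; then
    ocsp_query "$1" "$2"
fi
```

On pfSense, CERT.pem is the leaf certificate stunnel is configured with and ISSUER.pem its intermediate; if `ahostsv6` fails while `ahostsv4` succeeds (or vice versa) for the responder host, the lookup stunnel performs is being answered for only one family, which is the condition ping does not reveal because it silently uses whichever family resolves.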