
    Stunnel: Error resolving "r11.o.lencr.org": Address family for nodename not supported (EAI_ADDRFAMILY)

      schnee

      I have an issue with the stunnel package in pfsense 2.7.2. Since my certificate renewed a few days ago, I cannot connect to any host through stunnel. On the client I receive a timeout. In the pfsense log I see the following messages:

      Jun 24 15:21:38 stunnel 80915 LOG5[119]: Service [SerHomeCTRL1] accepted connection from xx.xx.xx.xx:54576
      Jun 24 15:21:38 stunnel 80915 LOG5[119]: OCSP: Connecting the AIA responder "http://r11.o.lencr.org"
      Jun 24 15:24:34 stunnel 80915 LOG3[119]: Error resolving "r11.o.lencr.org": Address family for nodename not supported (EAI_ADDRFAMILY)
      Jun 24 15:24:34 stunnel 80915 LOG3[119]: OCSP: Failed to resolve the OCSP responder address
      Jun 24 15:24:34 stunnel 80915 LOG3[119]: SSL_accept: /var/jenkins/workspace/pfSense-CE-snapshots-2_7_2-main/sources/FreeBSD-src-RELENG_2_7_2/crypto/openssl/ssl/record/rec_layer_s3.c:304: error:0A000126:SSL routines::unexpected eof while reading
      Jun 24 15:24:34 stunnel 80915 LOG5[119]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
      

      When I check from the console the host r11.o.lencr.org can be reached:

      ping r11.o.lencr.org
      PING a1887.dscq.akamai.net (95.101.75.42): 56 data bytes
      64 bytes from 95.101.75.42: icmp_seq=0 ttl=57 time=6.180 ms
      64 bytes from 95.101.75.42: icmp_seq=1 ttl=57 time=6.998 ms
      64 bytes from 95.101.75.42: icmp_seq=2 ttl=57 time=6.823 ms
      

      It seems that the issue is related to Let's Encrypt switching from the R3 to the R11 intermediate certificate, as R3 is now retired (https://community.letsencrypt.org/t/issue-certificate-on-r3-intermediate/220243).

      I opened https://redmine.pfsense.org/issues/15574 but it was suggested that this is not a bug but an installation issue. However, I received the same issue in a clean pfsense install with acme and stunnel.

      I am not sure what should be my next step and how to resolve this issue.

      Thanks

        schnee @schnee

        Hi, I went through several rounds of testing and I believe that this is a bug somewhere in pfsense, stunnel.

        Currently:

        1. The web interface of pfsense uses the same certificate without issues
        2. Stunnel with the same certificate fails on pfsense (Error resolving "r11.o.lencr.org": Address family for nodename not supported (EAI_ADDRFAMILY))
        3. Installing stunnel 5.68 on Debian 12.5, the same certificate (pem file copied from pfsense) works without issues.
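An added example, not part of the original posts and not pfSense or stunnel code: a small log correlator that ties each failed OCSP AIA lookup to the connection it blocked, showing how long the resolver stalled and whether any data passed. The function name `find_ocsp_stalls`, the `year` parameter and the sample input are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample: the first five lines mirror the log in the first post
# (client address replaced by a documentation address); the last two are an
# invented healthy connection for contrast.
SAMPLE_LOG = """\
Jun 24 15:21:38 stunnel 80915 LOG5[119]: Service [SerHomeCTRL1] accepted connection from 192.0.2.10:54576
Jun 24 15:21:38 stunnel 80915 LOG5[119]: OCSP: Connecting the AIA responder "http://r11.o.lencr.org"
Jun 24 15:24:34 stunnel 80915 LOG3[119]: Error resolving "r11.o.lencr.org": Address family for nodename not supported (EAI_ADDRFAMILY)
Jun 24 15:24:34 stunnel 80915 LOG3[119]: OCSP: Failed to resolve the OCSP responder address
Jun 24 15:24:34 stunnel 80915 LOG5[119]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
Jun 24 15:30:02 stunnel 80915 LOG5[120]: Service [SerHomeCTRL1] accepted connection from 192.0.2.11:40000
Jun 24 15:30:03 stunnel 80915 LOG5[120]: Connection closed: 512 byte(s) sent to TLS, 2048 byte(s) sent to socket
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) stunnel (\d+) LOG\d\[(\d+)\]: (.*)$")
AIA = re.compile(r'OCSP: Connecting the AIA responder "([^"]+)"')
RESOLVE_ERR = re.compile(r'Error resolving "([^"]+)": .*\((EAI_\w+)\)')
CLOSED = re.compile(r"Connection (?:reset/)?closed: (\d+) byte\(s\) sent to TLS, (\d+) byte\(s\) sent to socket")


def find_ocsp_stalls(log_text, year=2000):
    """Return one finding per connection whose OCSP AIA lookup failed to resolve."""
    # year is an assumption: syslog timestamps carry none, and only the
    # difference between two timestamps of one connection is used.
    pending = {}   # (pid, thread id) -> AIA lookup in progress
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp, pid, tid, msg = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        key = (pid, tid)
        if (hit := AIA.search(msg)):
            pending[key] = {"thread": tid, "responder": hit.group(1), "start": when}
        elif key in pending and (hit := RESOLVE_ERR.search(msg)):
            stall = int((when - pending[key]["start"]).total_seconds())
            pending[key].update(host=hit.group(1), eai=hit.group(2), stall_seconds=stall)
        elif key in pending and (hit := CLOSED.search(msg)):
            state = pending.pop(key)
            if "eai" in state:   # report only connections where resolution failed
                state["no_data_passed"] = hit.group(1) == "0" and hit.group(2) == "0"
                del state["start"]
                findings.append(state)
    return findings
```

On the sample, the only finding is thread 119: the lookup for the AIA responder blocked for 176 seconds before the resolver error, and the connection closed with no bytes relayed, which matches the client-side timeout described in the first post.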