From e20328db60a0875c81eb3e995e6d86d9190eb46a Mon Sep 17 00:00:00 2001
From: Adrien Ferrand
Date: Tue, 19 Feb 2019 10:30:37 +0100
Subject: [PATCH] Protect OCSP check against connection errors

---
 certbot/ocsp.py | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/certbot/ocsp.py b/certbot/ocsp.py
index 337477700..8c61142f8 100644
--- a/certbot/ocsp.py
+++ b/certbot/ocsp.py
@@ -67,6 +67,7 @@ class RevocationChecker(object):
 if not host or not url:
 return False
+ logger.error(url)
 if self.use_openssl_binary:
 return self._check_ocsp_openssl_bin(cert_path, chain_path, host, url)
 else:
@@ -137,11 +138,16 @@ def _check_ocsp_cryptography(cert_path, chain_path, url):
 builder = builder.add_certificate(cert, issuer, hashes.SHA1())
 request = builder.build()
 request_binary = request.public_bytes(serialization.Encoding.DER)
- response = requests.post(url, data=request_binary, headers={'Content-Type': 'application/ocsp-request'})
- if response.status_code != 200:
+ try:
+ response = requests.post(url, data=request_binary, headers={'Content-Type': 'application/ocsp-request'})
+ except requests.exceptions.RequestException:
 logger.info("OCSP check failed for %s (are we offline?)", cert_path)
 return False
+ if response.status_code != 200:
+ logger.info("OCSP check failed for %s (HTTP status: %d)", cert_path, response.status_code)
+ return False
+
 response_ocsp = ocsp.load_der_ocsp_response(response.content)
 # Check OCSP response validity
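Review bot: The added `logger.error(url)` in the first hunk emits the OCSP responder URL at ERROR level on every revocation check, which looks like leftover debugging rather than part of the connection-error fix named in the subject, and it would surface as a spurious error in every renewal run. Either drop the line or downgrade it to something like `logger.debug("Checking OCSP status via %s", url)`. The enclosing method of RevocationChecker starts and ends outside this hunk, so I cannot see whether the URL is already logged elsewhere on that path.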
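Review bot: The new try/except in `_check_ocsp_cryptography` still calls `requests.post` without a `timeout=`, so a responder that accepts the connection and never answers blocks the check effectively indefinitely, and requests only raises its `Timeout` subclass of `RequestException` when a timeout is supplied; the call should read `response = requests.post(url, data=request_binary, headers={'Content-Type': 'application/ocsp-request'}, timeout=10)` (or whatever value the project uses for its other network calls). The except branch also discards the exception, so a misconfigured proxy or TLS failure is indistinguishable from being offline; logging it at debug level, e.g. `logger.debug("OCSP request to %s failed", url, exc_info=True)`, before the existing info message would help without adding noise. On the last context line, `ocsp.load_der_ocsp_response(response.content)` (presumably cryptography's loader) parses a body fetched over plain HTTP and raises `ValueError` on malformed input, which the new handling does not catch, so a bad or tampered response crashes the check instead of taking the same return-False path. The function continues past the hunk, so a caller may handle that, but the consistent treatment belongs here.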