Let's Encrypt 颁发的证书所包含的 CRL 链接完全被墙，可能导致所有用 LE 证书的网站在国内无法打开或者弹出警告。

今天用 curl 访问我的网站，发现报错：

$ curl -vv https://www.example.com/generate_204
08:43:01.876922 [0-0] * Host www.vvzero.com:443 was resolved.
08:43:01.880422 [0-0] * IPv6: 2408:1:1013:e900::1
08:43:01.883004 [0-0] * IPv4: 1.116.4.74
08:43:01.885021 [0-0] * [HTTPS-CONNECT] added
08:43:01.887128 [0-0] * [HTTPS-CONNECT] connect, init
08:43:01.889315 [0-0] * [HTTPS-CONNECT] connect, check h21
08:43:01.891506 [0-0] *   Trying [2408:1:1013:e900::1]:443...
08:43:01.894156 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
08:43:01.896145 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 1 socks
08:43:01.898445 [0-0] * [HTTPS-CONNECT] connect, check h21
08:43:01.901163 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
08:43:01.903526 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 1 socks
08:43:01.907055 [0-0] * [HTTPS-CONNECT] connect, check h21
08:43:01.910135 [0-0] * schannel: disabled automatic use of client certificate
08:43:01.917094 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
08:43:01.919009 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 1 socks
08:43:01.924728 [0-0] * [HTTPS-CONNECT] connect, check h21
08:43:01.933717 [0-0] * schannel: next InitializeSecurityContext failed: CRYPT_E_REVOCATION_OFFLINE (0x80092013) - The revocation function was unable to check revocation because the revocation server was offline.
08:43:01.939440 [0-0] * [HTTPS-CONNECT] connect, all failed
08:43:01.941833 [0-0] * [HTTPS-CONNECT] connect -> 35, done=0
08:43:01.944171 [0-0] * closing connection #0
08:43:01.947391 [0-0] * [HTTPS-CONNECT] close
08:43:01.949490 [0-0] * [SETUP] close
08:43:01.952020 [0-0] * [SETUP] destroy
08:43:01.954525 [0-0] * [HTTPS-CONNECT] destroy
curl: (35) schannel: next InitializeSecurityContext failed: CRYPT_E_REVOCATION_OFFLINE (0x80092013) - The revocation function was unable to check revocation because the revocation server was offline.

然后尝试访问证书里提供的 CRL 链接：

$ curl -v http://e5.c.lencr.org/80.crl
* Host e5.c.lencr.org:80 was resolved.
* IPv6: 2606:4700::6812:15d5, 2606:4700::6812:14d5
* IPv4: 104.18.20.213, 104.18.21.213
*   Trying [2606:4700::6812:15d5]:80...
* Connected to e5.c.lencr.org (2606:4700::6812:15d5) port 80
* using HTTP/1.x
> GET /80.crl HTTP/1.1
> Host: e5.c.lencr.org
> User-Agent: curl/8.10.1
> Accept: */*
>
* Request completely sent off
* Recv failure: Connection was reset
* closing connection #0
curl: (56) Recv failure: Connection was reset

itdog 查询显示这个域名已经完全被墙，方法是 TCP RST 。

部分浏览器可能不会检查 CRL ，那就没问题。但可能更多的正规浏览器或者 APP 会检查，就会导致无法访问或者弹出警告。

小站站长可能会痛苦了，很多人可能没法上你的网站了。

bollld607

14 天前

南方某省电信，第一下能上，服务器响应 200 ok：
curl -v http://e5.c.lencr.org/80.crl
* Host e5.c.lencr.org:80 was resolved.
* IPv6: 2606:4700::6812:15d5, 2606:4700::6812:14d5
* IPv4: 104.18.21.213, 104.18.20.213
* Trying [2606:4700::6812:15d5]:80...
* Trying 104.18.21.213:80...
* Connected to e5.c.lencr.org (2606:4700::6812:15d5) port 80
* using HTTP/1.x
> GET /80.crl HTTP/1.1
> Host: e5.c.lencr.org
> User-Agent: curl/8.15.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Date: Wed, 20 Aug 2025 08:25:08 GMT

再试一下就被 reset 了：
curl -v http://e5.c.lencr.org/80.crl
* Host e5.c.lencr.org:80 was resolved.
* IPv6: 2606:4700::6812:15d5, 2606:4700::6812:14d5
* IPv4: 104.18.21.213, 104.18.20.213
* Trying [2606:4700::6812:15d5]:80...
* Trying 104.18.21.213:80...
* Connected to e5.c.lencr.org (104.18.21.213) port 80
* using HTTP/1.x
> GET /80.crl HTTP/1.1
> Host: e5.c.lencr.org
> User-Agent: curl/8.15.0
> Accept: */*
>
* Request completely sent off
* Recv failure: Connection reset by peer
* closing connection #0
curl: (56) Recv failure: Connection reset by peer