Forum Discussion

Phong_Tang_7213
Jun 06, 2016

APM SSO OCSP Auth agent: Failure status 'Error querying OCSP responsder host (ocsp.viettel-ca.vn) path (/)'

Hi Gurus

I am trying to configure SSO and OCSP Auth, but it fails:

2016-06-06 17:34:14 /Common/PL_WEB_CERT_OCSP:Common:aafdaab1: New session from client IP 172.16.69.132 (ST=/CC=/C=) at VIP 172.16.69.224 Listener /Common/VS_WEB_CERT_OCSP (Reputation=Unknown)
2016-06-06 17:34:28 /Common/PL_WEB_CERT_OCSP:Common:aafdaab1: OCSP Auth agent: Failure status 'Error querying OCSP responsder host (ocsp.viettel-ca.vn) path (/)'
2016-06-06 17:34:28 /Common/PL_WEB_CERT_OCSP:Common:aafdaab1: Following rule 'fallback' from item 'OCSP Auth' to ending 'Deny'
2016-06-06 17:34:28 /Common/PL_WEB_CERT_OCSP:Common:aafdaab1: Access policy result: Logon_Deny
2016-06-06 17:34:28 /Common/PL_WEB_CERT_OCSP:Common:aafdaab1: Received client info - Hostname: Type: Mozilla Version: 5 Platform: Win7 CPU: unknown UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 1
2016-06-06 17:34:28 /Common/PL_WEB_CERT_OCSP:Common:aafdaab1: Session deleted (policy_result).

Why does it fail to connect to OCSP?

Thanks

Phong

  • Danielzi
    Jan 29, 2023

    Hi, yes, I got a workaround from support: https://support.f5.com/csp/article/K12552109

    I am still waiting for an RFE or some EHF, because I need to create a dummy VIP for each issuer and it should not work like this.

    CRLDP works great; only OCSP has this issue.

  • Are you certain that

    ocsp.viettel-ca.vn/

    is the correct URL? OCSP is bound in an HTTP request, so the URL should probably be

    http://ocsp.viettel-ca.vn/
  • Okay, with "Ignore AIA" unchecked the OCSP URL is going to come from the client certificate AIA field, and it does appear to be doing that. The next thing I'd do is test it manually. From the command line enter the following:

    openssl ocsp -issuer [issuer cert] -cert [test cert] -CAfile [CA cert] -url http://ocsp.viettel-ca.vn/

    where:

    issuer cert = the CA certificate file of the issuer of the test cert

    test cert = the certificate you're testing

    CA cert = the CA certificate (or certificate bundle) needed to validate the digital signature of the OCSP response

    So for example:

    openssl ocsp -issuer cacert.crt -cert user.crt -CAfile cacert.crt -url http://ocsp.viettel-ca.vn/

    Please post your results.
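
The manual check above, run end to end with nothing but a local openssl binary, as an added example that is not part of the original thread and not F5's tooling. It builds a throwaway issuing CA and one user certificate (the CA name, the file names and the AIA URL http://ocsp.example.test/ are all made up here), then performs the same -issuer/-cert request, answers it from the CA's own index.txt instead of a network responder, and verifies the response against -CAfile, first while the certificate is valid and again after revoking it:

```shell
#!/bin/sh
# Added example, not from the original thread or from F5: the manual
# "openssl ocsp -issuer/-cert/-CAfile" check from the reply above, run end to
# end against a throwaway CA so the request, the response and the signature
# verification can be exercised with no network at all. The CA name, the
# user cert and the AIA URL http://ocsp.example.test/ are all made up here.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config for "openssl ca". It maintains the index.txt database that
# "openssl ocsp -index" answers from, and stamps an OCSP AIA URL into every
# issued cert, which is where APM takes the responder URL from when
# "Ignore AIA" is unchecked.
cat > ca.cnf <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database        = $WORK/index.txt
new_certs_dir   = $WORK/newcerts
serial          = $WORK/serial
certificate     = $WORK/ca.crt
private_key     = $WORK/ca.key
default_md      = sha256
default_days    = 30
policy          = demo_policy
unique_subject  = no
x509_extensions = v3_user
[ demo_policy ]
commonName = supplied
[ v3_user ]
basicConstraints = CA:FALSE
authorityInfoAccess = OCSP;URI:http://ocsp.example.test/
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign,digitalSignature
EOF
mkdir newcerts && : > index.txt && echo 01 > serial

# Throwaway issuing CA plus one end-entity certificate signed by it.
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj /CN=Demo-Issuing-CA -keyout ca.key -out ca.crt 2>/dev/null
openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
  -subj /CN=user -keyout user.key -out user.csr 2>/dev/null
openssl ca -config ca.cnf -batch -notext -in user.csr -out user.crt 2>/dev/null

# aia_ocsp_url CERT -> responder URL from the certificate's AIA extension
# (the URL a client, or APM without "Ignore AIA", will try to reach).
aia_ocsp_url() { openssl x509 -in "$1" -noout -ocsp_uri; }

# ocsp_status CERT ISSUER CAFILE -> "good", "revoked" or "unknown" from a
# response that verified against CAFILE, or "verify-failed". The request is
# built exactly as in the reply (-issuer/-cert), but instead of -url it is
# written to req.der and answered locally from the CA's index.txt, so a
# failure here is a request or trust-chain problem, never a network one.
ocsp_status() {
  cert="$1"; issuer="$2"; cafile="$3"
  openssl ocsp -issuer "$issuer" -cert "$cert" -no_nonce -reqout req.der >/dev/null 2>&1
  openssl ocsp -index index.txt -CA ca.crt -rsigner ca.crt -rkey ca.key \
    -reqin req.der -respout resp.der >/dev/null 2>&1
  out="$(openssl ocsp -respin resp.der -issuer "$issuer" -cert "$cert" \
           -CAfile "$cafile" -no_nonce 2>&1 || true)"
  if ! printf '%s\n' "$out" | grep -q '^Response verify OK'; then
    echo verify-failed
    return 1
  fi
  printf '%s\n' "$out" | sed -n "s|^$cert: ||p"
}

# Revoke the cert in the CA database so a second query must come back
# "revoked"; a responder that still says "good" afterwards serves stale data.
revoke_user() { openssl ca -config ca.cnf -revoke user.crt >/dev/null 2>&1; }

AIA_URL="$(aia_ocsp_url user.crt)"
STATUS_BEFORE="$(ocsp_status user.crt ca.crt ca.crt)"
revoke_user
STATUS_AFTER="$(ocsp_status user.crt ca.crt ca.crt)"
echo "AIA OCSP URL  : $AIA_URL"
echo "before revoke : $STATUS_BEFORE"
echo "after revoke  : $STATUS_AFTER"
```

If this local round trip prints good and then revoked, but the same -issuer/-cert/-CAfile invocation with -url http://ocsp.viettel-ca.vn/ still fails, the request side is fine and the problem is the responder or the path to it: add -text to the client call to dump the request and the response, and check the -url argument character by character, since a doubled scheme such as http://http://... is a malformed URL that never reaches the responder at all.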

  • So you're basically getting the same error from the command line, which would indicate an issue with either the request or the OCSP services. Are you certain that http://ocsp.viettel-ca.vn is the correct OCSP responder URL? A simple cURL to that URL intermittently responds with a 200 or 404, so I'm guessing this is not the correct URL or there's something wrong with the service.


  • On their website, the link is http://ocsp.viettel-ca.vn too.


    Understood, but this is either not the correct URL or there's something wrong with the service. Is there any other documentation on the OCSP service?

