Forum Discussion

Phong_Tang_7213's avatar
Phong_Tang_7213
Icon for Altostratus rankAltostratus
Jun 06, 2016

APM SSO OCSP Auth agent: Failure status 'Error querying OCSP responsder host (ocsp.viettel-ca.vn) path (/)'

Hi Gurus I am trying to configure SSO and OCSP Auth. But it fail:   2016-06-06 17:34:14 /Common/PL_WEB_CERT_OCSP:Common:aafdaab1: New session from client IP 172.16.69.132 (ST=/CC=/C=) at VI...
application delivery
BIG-IP Access Policy Manager (APM)
  • Danielzi's avatar
    Danielzi
    Jan 29, 2023

    Hi yes i got workaound from the support "https://support.f5.com/csp/article/K12552109"

    i am still waiting for RFE or some EHF becuse i need to create dummy VIP for each issuer and its not should work like this.

    the CRLDP works great only the OCSP with this issue

Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Jun 06, 2016

Okay, with "Ignore AIA" unchecked the OCSP URL is going to come from the client certificate AIA field, and it does appear to be doing that. The next thing I'd do is test it manually. From the command line enter the following:

openssl ocsp -issuer [issuer cert] -cert [test cert] -CAfile [CA cert] -url http://ocsp.viettel-ca.vn/

where:

issuer cert = the CA certificate file of the issuer of the test cert

test cert = the certificate you're testing

CA cert = the CA certificate (or certificate bundle) needed to validate the digital signature of the OCSP response

So for example:

openssl ocsp -issuer cacert.crt -cert user.crt -CAfile cacert.crt -url http://http://ocsp.viettel-ca.vn/

Pleas post your results.