Forum Discussion
DISA OCSP responder sometimes producing errors
Hi, not sure if there are others that have this issue, it seems sporadic.
I’m using BigIP v13.1.1
OCSP will sometimes fail and users will fail to login, and it will fail for a random duration of time which makes me think it may be an issue with DISA's OCSP servers. It doesn't happen daily.
I have a pretty standard APM setup. No HA, nothing weird.
My VPE:
Start -> On Demand Cert (request) -> OCSP (/Common/DISA_OCSP, cert type user) -> etc etc ->
For my OCSP config I have default settings with the Certificate Authority file as the DOD CA bundle and Verify other is the DOD Email CA bundle. Everything is checked besides Ignore AIA and Trust Other.
The error in /var/log/apm is:
OCSP Auth agent: Failure status ‘Error querying OCSP responsder *(<-this is a typo in the error)* host (ocsp.disa.mil) path (/)’
Looking at my email cert, it looks like I have two different AIAs. One is a crl.disa.mil url pointing at my CA's DODEMAILCA cer file, the other is ocsp.disa.mil.
Can anyone recommend a more stable way to configure this?
- Kevin_StewartEmployee
It would be possible theoretically to define a response timeout value for OCSP requests, such that it "failed open" if the request couldn't succeed. But honestly, this particular problem has existed for as long as I can remember, and the very best recommendation would probably be to stand up your own local responder that pulls CRLs from DISA. If you have a Microsoft site license, then you already have a free OCSP responder that works as good as the other dedicate OCSP vendors. The beauty here is that you can configure the local responder to extend revocation status beyond the CRL end-date in case CRL stops working too.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com