Forum Discussion
Failed to initialize OCSP Auth Module
Hi all,
I want to implement OCSP Auth with APM to Microsoft PKI. On-Demand Cert Auth is working. I don't see any communication in tcpdump to the OCSP responder.
Error message: 'failed to initialize OCSP Auth module'
Debug output:
Following rule 'Successful' from item 'On-Demand Cert Auth' to item 'OCSP Auth'
Dec 11 16:20:24 bigip debug apd[5842]: 01490011:7: 84bd934a: OCSP agent: ENTER Function executeInstance
Dec 11 16:20:24 bigip warning apd[5842]: 01490146:4: 84bd934a: OCSP Auth agent: Failure status 'Failed to initialize OCSP Auth Module'
Dec 11 16:20:24 bigip debug apd[5842]: 01490012:7: 84bd934a: OCSP agent: LEAVE Function executeInstance
Dec 11 16:20:24 bigip info apd[5842]: 01490004:6: 84bd934a: Executed agent '/Common/client-cert-auth-user_act_ocsp_auth_ag', return value 0
Dec 11 16:20:24 bigip debug apd[5842]: 01490000:7: ./AccessPolicyProcessor/SessionState.h func: "clearTempSessionAgentState()" line: 85 Msg: Agent did not initiated the scheduled agent
I tested this with 11.2.1 and 11.4.1 with the same result.
Would be very much appreciated if someone could tell me how to fix this.
THX
12 Replies
- Kevin_Stewart
Employee
How do you have your OCSP AAA configured? At a minimum you need:
- URL: OCSP is generally exposed as an HTTP URL (ex. http://ocsp.example.com:80), so this is where you'd enter that URL.
- Certificate Authority File (or path): An OCSP request requires the serial number of the cert and the identity of the cert's issuer so that the OCSP service knows which CRL to check. Depending on the depth of your CA infrastructure this could be a single CA or a multi-level structure of multiple CAs and subordinate CAs, so this field will either need a single CA file or a bundle of CAs in a text file. The OCSP agent uses the Authority Key Identifier in the client cert to find the correct CA in the bundle. This file can also be used to validate the signature of the returning signed response if the OCSP responder's certificate is issued by one of these CAs.
The following options are also helpful but not always required:
- VA File: If the OCSP responder's certificate is not issued by one of the CA certificates in your bundle, then you'll need a separate certificate here to validate the signature of the returned response.
- Ignore AIA: By default, if the client cert has an Authority Info Access value, generally a pointer to a remote OCSP, it will follow that URL if the BIG-IP can resolve and contact this service. If you want it to ignore the AIA and use the URL that you've specified, check this box.
- Verify: If for whatever reason your OCSP agent cannot validate the response, an unusual requirement or some signature mismatch, you can uncheck the Verify option and allow the agent to just read the response without trying to validate it.
The other settings are important, but you'll probably not have to adjust them from their default values. As an additional troubleshooting step, you can copy the client's cert to the BIG-IP management shell and perform an OCSP query from the command line to see if there's any type of connectivity or other issues:
openssl ocsp -issuer [issuer cert] -cert [client cert] -url [OCSP URL] -CAfile [CA cert]
** You can optionally add -VAfile if you need to use a VA certificate.
- Ray_74718
Nimbostratus
I created an OCSP responder with URL of http://ocsp.example.com and assigned the certificate authority file. All other values were left at their defaults. In the VPE I created the "ocsp auth" agent directly after "on-demand-cert Auth" and assigned the previously created ocsp responder.
I always get this message in apm log: "failed to initialize ocsp auth module".
In the tcpdump there is no OCSP request going to the Microsoft CA from APM:
tcpdump -ni 0.0 -s0 host ocsp.example.com and port 80
So why is APM not sending out an OCSP request?
I did a test with openssl, but it seems that the Microsoft CA does not allow POST requests:
openssl ocsp -issuer MY-ROOT-CA.pem -cert bob.pem -url http://ocsp.example.com -CAfile MY-ROOT-CA.pem
Error querying OCSP responsder 9886:error:27075072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:224:Code=405,Reason=Method Not Allowed
Any clues?
THX
- Kevin_Stewart
Employee
"I did a test with openssl, but seems that microsoft ca does not allow post requests"
The Microsoft OCSP service does support POST requests, so there may be a configuration issue here. Also, by default the Microsoft OCSP responder URL has the format: http://hostname/ocsp. Are you using this URL?
In the event that your responder did not support POST requests, the APM OCSP client performs POST requests, so that could be an issue. But because you're not seeing the APM OCSP client communicate at all, I'd suspect something else.
If you're using a host name in the config and in your OpenSSL command, can the LTM resolve this name to the correct IP?
Last, what's in your MY-ROOT-CA.pem file? It needs, at a minimum, the direct issuer of the client's cert.
- Ray_74718
Nimbostratus
I tried several variants in the URL of the OCSP responder configuration, but none of them trigger APM to make a request to the OCSP responder. APM is able to resolve the hostname to the correct IP address.
http://1.2.3.4
http://1.2.3.4:80
http://1.2.3.4/ocsp
http://ocsp.example.com
http://ocsp.example.com:80
http://ocsp.example.com/ocsp
Yes, MY-ROOT-CA.pem is the direct issuer of the client certificate. I also compared the hash of MY-ROOT-CA.pem and the issuer_hash in the client certificate and they are identical. Is a special license necessary for OCSP?
THX
- Kevin_Stewart
Employee
You need the basic APM license to do OCSP, but not to do OpenSSL from the command line. I strongly urge you to use this tool first. If you can get it to work from the command line, the same settings should apply to APM OCSP.
- Ray_74718
Nimbostratus
I was able to test from the F5 with openssl to the OCSP responder by enabling the "nonce extension" on the Microsoft CA. But how can I force F5 APM to do the query to the OCSP responder? There is still no communication in the tcpdump.
- Kevin_Stewart
Employee
Okay, I was able to put this together in my lab and came across some interesting findings.
The Microsoft OCSP defaults to http://[ServerDNSName]/ocsp - there's probably a way to change that, but it isn't the most intuitive thing in the world, so I'd imagine that "/ocsp" would be the de facto URI for most MS OCSP deployments.
Despite setting the "Enable NONCE extension support" option in the revocation configuration settings, the OpenSSL ocsp call wasn't working unless I specifically disabled nonce using the "-no_nonce" option. This equates to unchecking the Nonce option in the APM OCSP AAA configuration. I also checked "Ignore AIA" here. It's not expressly required, but since you're trying to validate all certificates to a local responder, the last thing you need is a certificate with an incorrect AIA.
The only other option that was of any value in the OCSP AAA was the Certificate Authority File, which in my case was the single CA and issuer of local user certs. This could be a bundle if in a multi-level CA structure.
Here is the command line I used to test MS OCSP (modify as required):
openssl ocsp -issuer ocsptest-ca-mydomain-com.cer -cert ocsptest-bob-2.cer -url http://10.80.0.200/ocsp -CAfile ocsptest-ca-mydomain-com.cer -no_nonce
If you cannot get this command line to work, I'd suggest that the fault probably lies in the OCSP configuration. I relied heavily on the following article series to make sure my MS OCSP was configured correctly:
- Implementing an OCSP responder: Part I Introducing OCSP
- Implementing an OCSP responder: Part II Preparing Certificate Authorities
- Implementing an OCSP responder: Part III Configuring OCSP for use with Enterprise CAs
- Implementing an OCSP responder: Part IV Configuring OCSP for use with Standalone CAs
- Implementing an OCSP Responder: Part V High Availability
- Implementing an OCSP Responder: Part VI Configuring Custom OCSP URIs via Group Policy
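Added example, not code from this thread, F5 or Microsoft: an offline shell script that generates a throwaway CA and client cert, then applies two of the checks discussed above with nothing but openssl and no responder. It covers Kevin's point that the agent locates the issuer in the CA file through the Authority Key Identifier (plus Ray's issuer_hash comparison), and the nonce extension that Kevin had to switch off with -no_nonce. The CA, the "bob" cert, the file names and the helper functions are all constructed here.

```shell
#!/bin/sh
# Constructed demo: a local test CA and client cert stand in for the Microsoft CA and
# bob.pem from the thread. It answers two questions from the discussion offline:
# 1. does the CA file really match the client cert (issuer_hash and AKI vs. SKI)?
# 2. does the OCSP request carry the nonce extension that had to be disabled?
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
[v3_leaf]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
# Hypothetical issuing CA and client cert, generated here (not from the discussion)
openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
  -sha256 -days 2 -subj "/CN=Test Issuing CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -subj "/CN=bob" \
  -keyout "$WORK/bob.key" -out "$WORK/bob.csr" 2>/dev/null
openssl x509 -req -in "$WORK/bob.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -days 1 -sha256 -extfile "$WORK/openssl.cnf" -extensions v3_leaf -out "$WORK/bob.pem" >/dev/null 2>&1
# Hex key identifier from an SKI or AKI extension (20-byte SHA-1 id, colon separated)
key_id() { openssl x509 -in "$1" -noout -ext "$2" | grep -oE '([0-9A-F]{2}:){19}[0-9A-F]{2}' | head -n 1; }
# The thread's checks: client issuer_hash vs. CA subject_hash, client AKI vs. CA SKI.
# Prints "match" only if both hold; a file that is not the direct issuer prints "mismatch".
ca_matches_issuer() {  # $1 = client cert, $2 = candidate CA file
  if [ "$(openssl x509 -in "$1" -noout -issuer_hash)" = "$(openssl x509 -in "$2" -noout -subject_hash)" ] \
     && [ "$(key_id "$1" authorityKeyIdentifier)" = "$(key_id "$2" subjectKeyIdentifier)" ]; then
    echo match; else echo mismatch; fi
}
# Build the request (serial + issuer name/key hashes) without contacting any responder.
# $1 = output DER file, $2 = "" for the default (nonce added) or -no_nonce
build_request() { openssl ocsp -issuer "$WORK/ca.pem" -cert "$WORK/bob.pem" -reqout "$1" $2; }
# Does a DER request carry the OCSP nonce extension? (-no_nonce keeps the parser from adding one)
request_has_nonce() {
  if openssl ocsp -reqin "$1" -req_text -no_nonce | grep -q 'OCSP Nonce'; then echo yes; else echo no; fi
}
build_request "$WORK/req-nonce.der" ""
build_request "$WORK/req-plain.der" -no_nonce
echo "CA file matches client cert: $(ca_matches_issuer "$WORK/bob.pem" "$WORK/ca.pem")"
echo "default request has nonce:   $(request_has_nonce "$WORK/req-nonce.der")"
echo "-no_nonce request has nonce: $(request_has_nonce "$WORK/req-plain.der")"
```

Point ca_matches_issuer at the real client cert and the CA file loaded into the OCSP AAA to confirm the bundle contains the direct issuer; the two request files can be compared with -req_text to see exactly what the Nonce checkbox changes on the wire.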
- Ray_74718
Nimbostratus
My OCSP query with openssl is also successful, but I always have this warning message "failed to initialize OCSP Auth Module" and there is no query from APM to the OCSP responder when the BIG-IP Edge client connects. Does this work in your environment? Do you see an OCSP request from APM to the CA, not with the openssl test utility?
- Ray_74718
Nimbostratus
My OCSP AAA and VPE is identical to yours. Same issue with IE browser.
I use 11.4.1 Build 608.0 as VE. Tried a reboot but nothing changes. After reboot I saw the Agent Type not licensed message. Maybe this is the issue.
Dec 17 15:29:46 bigip notice apd[5825]: 0149013f:5: APD started.
Dec 17 15:29:46 bigip warning apd[5825]: 0149013b:4: Agent type (27): is not licensed.
- Kevin_Stewart
Employee
That could certainly be a problem, though if it wasn't licensed you shouldn't have been able to provision it in the first place. What does your license and software provisioning screens report? If re-applying the license doesn't help, you may need to contact support. Do other APM AAA functions work (AD/LDAP query, etc.)?
- jesse_schweyen_
Nimbostratus
I recently ran into this very same issue. Do you by chance have your "OCSP Responder" in a partition other than "Common"? Once I re-created mine in the common partition, it started working as expected.