APM SSO OCSP Auth agent: Failure status 'Error querying OCSP responsder host (ocsp.viettel-ca.vn) path (/)'

Phong_Tang_7213
Altostratus

Hi Gurus

I am trying to configure SSO and OCSP Auth, but it fails:

2016-06-06 17:34:14
/Common/PL_WEB_CERT_OCSP:Common:aafdaab1: New session from client IP 172.16.69.132 (ST=/CC=/C=) at VIP 172.16.69.224 Listener /Common/VS_WEB_CERT_OCSP (Reputation=Unknown)
2016-06-06 17:34:28
/Common/PL_WEB_CERT_OCSP:Common:aafdaab1: OCSP Auth agent: Failure status 'Error querying OCSP responsder host (ocsp.viettel-ca.vn) path (/)'
2016-06-06 17:34:28
/Common/PL_WEB_CERT_OCSP:Common:aafdaab1: Following rule 'fallback' from item 'OCSP Auth' to ending 'Deny'
2016-06-06 17:34:28
/Common/PL_WEB_CERT_OCSP:Common:aafdaab1: Access policy result: Logon_Deny
2016-06-06 17:34:28
/Common/PL_WEB_CERT_OCSP:Common:aafdaab1: Received client info - Hostname: Type: Mozilla Version: 5 Platform: Win7 CPU: unknown UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 1
2016-06-06 17:34:28
/Common/PL_WEB_CERT_OCSP:Common:aafdaab1: Session deleted (policy_result).

Why does it fail to connect to OCSP?

Thanks

Phong


Kevin_Stewart
F5 Employee

Are you certain that

ocsp.viettel-ca.vn/

is the correct URL? OCSP is bound in an HTTP request, so the URL should probably be

http://ocsp.viettel-ca.vn/

Kevin_Stewart
F5 Employee

Okay, with "Ignore AIA" unchecked the OCSP URL is going to come from the client certificate AIA field, and it does appear to be doing that. The next thing I'd do is test it manually. From the command line enter the following:

openssl ocsp -issuer [issuer cert] -cert [test cert] -CAfile [CA cert] -url http://ocsp.viettel-ca.vn/

where:

issuer cert = the CA certificate file of the issuer of the test cert

test cert = the certificate you're testing

CA cert = the CA certificate (or certificate bundle) needed to validate the digital signature of the OCSP response

So for example:

openssl ocsp -issuer cacert.crt -cert user.crt -CAfile cacert.crt -url http://ocsp.viettel-ca.vn/

Please post your results.
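The manual check described above, as an added example that is not Kevin's or F5's code: a POSIX shell script that builds a throwaway CA and user certificate carrying an AIA OCSP URL, starts OpenSSL's own index-file responder on localhost, and runs the same `openssl ocsp` query, taking the URL from the certificate's AIA field the way APM does with "Ignore AIA" unchecked. It assumes only the openssl CLI; the CA, the user cert, the index file and the port are all constructed for the demo.

```sh
#!/bin/sh
# Added example (not the poster's or F5's code): run the thread's manual OCSP check
# end to end, fully offline. Assumes the openssl CLI; the CA, user cert,
# index file and responder port are all constructed here.
set -eu

# Throwaway CA plus one user cert whose AIA extension carries the OCSP URL,
# the same field APM reads when "Ignore AIA" is unchecked.
make_test_pki() (  # $1 = work dir, $2 = responder port (runs in a subshell)
  cd "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
    -keyout ca.key -out ca.crt 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=user" \
    -keyout user.key -out user.csr 2>/dev/null
  printf 'authorityInfoAccess = OCSP;URI:http://127.0.0.1:%s/\n' "$2" > leaf.ext
  openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key -set_serial 4097 -days 1 \
    -extfile leaf.ext -out user.crt 2>/dev/null
  # CA index: serial 0x1001 marked V (valid), so the responder answers "good".
  printf 'V\t991231235959Z\t\t1001\tunknown\t/CN=user\n' > index.txt
)

# Minimal responder signed by the CA itself; it exits after serving one request.
start_responder() {  # $1 = work dir, $2 = port
  (cd "$1" && openssl ocsp -index index.txt -port "$2" -rsigner ca.crt -rkey ca.key \
    -CA ca.crt -nrequest 1 >/dev/null 2>&1 &)
  sleep 1
}

# The check from the reply above, with one refinement: the URL is read out of the
# cert's AIA rather than typed, so a missing or malformed AIA shows up immediately.
# Returns 0 only when the response verifies and reports the cert as good.
ocsp_check() {  # $1 = cert under test, $2 = issuer cert, $3 = CA file for the response signature
  url=$(openssl x509 -in "$1" -noout -ocsp_uri)
  [ -n "$url" ] || { echo "$1: no OCSP URL in AIA"; return 2; }
  echo "querying $url"
  out=$(openssl ocsp -issuer "$2" -cert "$1" -CAfile "$3" -url "$url" 2>&1) \
    || { echo "$out"; return 1; }
  echo "$out"
  echo "$out" | grep -q "Response verify OK" && echo "$out" | grep -qxF "$1: good"
}

demo() {  # $1 = port; exit status is ocsp_check's
  dir=$(mktemp -d)
  make_test_pki "$dir" "$1"
  start_responder "$dir" "$1"
  ocsp_check "$dir/user.crt" "$dir/ca.crt" "$dir/ca.crt"
}

demo 8888
```

Point `ocsp_check` at a real user cert, its issuer and the trust bundle to reproduce the APM agent's query by hand; a failure at the `openssl ocsp` step with a correct URL points at the responder service rather than the policy.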


Kevin_Stewart
F5 Employee

So you're basically getting the same error from the command line, which would indicate an issue with either the request or the OCSP services. Are you certain that http://ocsp.viettel-ca.vn is the correct OCSP responder URL? A simple cURL to that URL intermittently responds with a 200 or 404, so I'm guessing this is not the correct URL or there's something wrong with the service.


Kevin_Stewart
F5 Employee

On their website, the link is http://ocsp.viettel-ca.vn too

Understood, but this is either not the correct URL or there's something wrong with the service. Is there any other documentation on the OCSP service?


Danielzi
Nimbostratus

Any solution for this issue?

I also have this error.

Hey @Danielzi - apologies, missed your reply all this time. If you are still having the issue, can you please share some details for @Kevin_Stewart to look at?

Hi, yes, I got a workaround from support: "https://support.f5.com/csp/article/K12552109"

I am still waiting for an RFE or some EHF because I need to create a dummy VIP for each issuer, and it should not work like this.

The CRLDP works great; only the OCSP has this issue.

@Danielzi - I'll mark your workaround as the solution for now...so at least folks might find that too. If the RFE comes through with a more complete solution we can update this accordingly?