Forum Discussion

Phong_Tang_7213's avatar
Phong_Tang_7213
Icon for Altostratus rankAltostratus
Jun 06, 2016
Solved

APM SSO OCSP Auth agent: Failure status 'Error querying OCSP responsder host (ocsp.viettel-ca.vn) path (/)'

Hi Gurus

I am trying to configure SSO and OCSP Auth. But it fail:

 


2016-06-06 17:34:14
/Common/PL_WEB_CERT_OCSP:Common:aafdaab1: New session from client IP 172.16.69.132 (ST=/CC=/C=) at VIP 172.16.69.224 Listener /Common/VS_WEB_CERT_OCSP (Reputation=Unknown)
2016-06-06 17:34:28
/Common/PL_WEB_CERT_OCSP:Common:aafdaab1: OCSP Auth agent: Failure status 'Error querying OCSP responsder host (ocsp.viettel-ca.vn) path (/)'
2016-06-06 17:34:28
/Common/PL_WEB_CERT_OCSP:Common:aafdaab1: Following rule 'fallback' from item 'OCSP Auth' to ending 'Deny'
2016-06-06 17:34:28
/Common/PL_WEB_CERT_OCSP:Common:aafdaab1: Access policy result: Logon_Deny
2016-06-06 17:34:28
/Common/PL_WEB_CERT_OCSP:Common:aafdaab1: Received client info - Hostname: Type: Mozilla Version: 5 Platform: Win7 CPU: unknown UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 1
2016-06-06 17:34:28
/Common/PL_WEB_CERT_OCSP:Common:aafdaab1: Session deleted (policy_result).

 

Why does it failed to connect to OCSP?

 

Thanks

Phong

  • Danielzi's avatar
    Danielzi
    Jan 29, 2023

    Hi yes i got workaound from the support "https://support.f5.com/csp/article/K12552109"

    i am still waiting for RFE or some EHF becuse i need to create dummy VIP for each issuer and its not should work like this.

    the CRLDP works great only the OCSP with this issue

8 Replies

  • Are you certain that

    ocsp.viettel-ca.vn/    
    

    is the correct URL? OCSP is bound in an HTTP request, so the URL should probably be

    http://ocsp.viettel-ca.vn/    
    
  • Okay, with "Ignore AIA" unchecked the OCSP URL is going to come from the client certificate AIA field, and it does appear to be doing that. The next thing I'd do is test it manually. From the command line enter the following:

    openssl ocsp -issuer [issuer cert] -cert [test cert] -CAfile [CA cert] -url http://ocsp.viettel-ca.vn/
    

    where:

    issuer cert = the CA certificate file of the issuer of the test cert

    test cert = the certificate you're testing

    CA cert = the CA certificate (or certificate bundle) needed to validate the digital signature of the OCSP response

    So for example:

    openssl ocsp -issuer cacert.crt -cert user.crt -CAfile cacert.crt -url http://http://ocsp.viettel-ca.vn/ 
    

    Pleas post your results.

  • So you're basically getting the same error from the command line, which would indicate an issue with either the request or the OCSP services. Are you certain that http://ocsp.viettel-ca.vn is the correct OCSP responder URL? A simple cURL to that URL intermittently responds with a 200 or 404, so I'm guessing this is not the correct URL or there's something wrong with the service.

     

  • On there website, the link is http://ocsp.viettel-ca.vn too

     

    Understood, but this is either not the correct URL or there's something wrong with the service. Is there any other documentation on the OCSP service?

     

      • Danielzi's avatar
        Danielzi
        Icon for Altostratus rankAltostratus

        Hi yes i got workaound from the support "https://support.f5.com/csp/article/K12552109"

        i am still waiting for RFE or some EHF becuse i need to create dummy VIP for each issuer and its not should work like this.

        the CRLDP works great only the OCSP with this issue