Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

APM SSO OCSP Auth agent: Failure status 'Error querying OCSP responsder host (ocsp.viettel-ca.vn) path (/)'

Go to solution
Phong_Tang_7213
Altostratus
Altostratus

‎06-Jun-2016 03:58 - last edited on ‎07-Feb-2023 09:48 by Community Manager

Hi Gurus

I am trying to configure SSO and OCSP Auth. But it fail:

 


2016-06-06 17:34:14
/Common/PL_WEB_CERT_OCSP:Common:aafdaab1: New session from client IP 172.16.69.132 (ST=/CC=/C=) at VIP 172.16.69.224 Listener /Common/VS_WEB_CERT_OCSP (Reputation=Unknown)
2016-06-06 17:34:28
/Common/PL_WEB_CERT_OCSP:Common:aafdaab1: OCSP Auth agent: Failure status 'Error querying OCSP responsder host (ocsp.viettel-ca.vn) path (/)'
2016-06-06 17:34:28
/Common/PL_WEB_CERT_OCSP:Common:aafdaab1: Following rule 'fallback' from item 'OCSP Auth' to ending 'Deny'
2016-06-06 17:34:28
/Common/PL_WEB_CERT_OCSP:Common:aafdaab1: Access policy result: Logon_Deny
2016-06-06 17:34:28
/Common/PL_WEB_CERT_OCSP:Common:aafdaab1: Received client info - Hostname: Type: Mozilla Version: 5 Platform: Win7 CPU: unknown UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 1
2016-06-06 17:34:28
/Common/PL_WEB_CERT_OCSP:Common:aafdaab1: Session deleted (policy_result).

 

Why does it failed to connect to OCSP?

 

Thanks

Phong

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Danielzi
Nimbostratus
Nimbostratus
In response to Leslie_Hubertus

‎28-Jan-2023 21:41

Hi yes i got workaound from the support "https://support.f5.com/csp/article/K12552109"

i am still waiting for RFE or some EHF becuse i need to create dummy VIP for each issuer and its not should work like this.

the CRLDP works great only the OCSP with this issue

View solution in original post

8 REPLIES 8

Go to solution
Kevin_Stewart
F5 Employee
F5 Employee

‎06-Jun-2016 05:01

Are you certain that

 

ocsp.viettel-ca.vn/

is the correct URL? OCSP is bound in an HTTP request, so the URL should probably be

 

http://ocsp.viettel-ca.vn/
0 Kudos

Go to solution
Kevin_Stewart
F5 Employee
F5 Employee

‎06-Jun-2016 08:53

Okay, with "Ignore AIA" unchecked the OCSP URL is going to come from the client certificate AIA field, and it does appear to be doing that. The next thing I'd do is test it manually. From the command line enter the following:

 

openssl ocsp -issuer [issuer cert] -cert [test cert] -CAfile [CA cert] -url http://ocsp.viettel-ca.vn/

where:

 

issuer cert = the CA certificate file of the issuer of the test cert

 

test cert = the certificate you're testing

 

CA cert = the CA certificate (or certificate bundle) needed to validate the digital signature of the OCSP response

 

So for example:

 

openssl ocsp -issuer cacert.crt -cert user.crt -CAfile cacert.crt -url http://http://ocsp.viettel-ca.vn/

Pleas post your results.

 

0 Kudos

Go to solution
Kevin_Stewart
F5 Employee
F5 Employee

‎07-Jun-2016 09:30

So you're basically getting the same error from the command line, which would indicate an issue with either the request or the OCSP services. Are you certain that http://ocsp.viettel-ca.vn is the correct OCSP responder URL? A simple cURL to that URL intermittently responds with a 200 or 404, so I'm guessing this is not the correct URL or there's something wrong with the service.

 

0 Kudos

Go to solution
Kevin_Stewart
F5 Employee
F5 Employee

‎07-Jun-2016 21:14

On there website, the link is http://ocsp.viettel-ca.vn too

 

Understood, but this is either not the correct URL or there's something wrong with the service. Is there any other documentation on the OCSP service?

 

0 Kudos

Go to solution
Danielzi
Nimbostratus
Nimbostratus

‎06-Dec-2022 03:32

any solution for this issue?

i also have this error

0 Kudos

Go to solution
Leslie_Hubertus
Community Manager
Community Manager
In response to Danielzi

‎27-Jan-2023 09:14

Hey @Danielzi - apologies, missed your reply all this time. If you are still having the issue, can you please share some details for @Kevin_Stewart to look at?

0 Kudos

Go to solution
Danielzi
Nimbostratus
Nimbostratus
In response to Leslie_Hubertus

‎28-Jan-2023 21:41

Hi yes i got workaound from the support "https://support.f5.com/csp/article/K12552109"

i am still waiting for RFE or some EHF becuse i need to create dummy VIP for each issuer and its not should work like this.

the CRLDP works great only the OCSP with this issue

Go to solution
LiefZimmerman
Community Manager
Community Manager
In response to Danielzi

‎07-Feb-2023 09:46

@Danielzi - I'll mark your workaround as the solution for now...so at least folks might find that too. If the RFE comes through with a more complete solution we can update this accordingly?

Copyright © 2023 Khoros, LLC