06-Jun-2016 03:58 - last edited on 07-Feb-2023 09:48 by LiefZimmerman
Hi Gurus
I am trying to configure SSO and OCSP Auth, but it fails:
2016-06-06 17:34:14
/Common/PL_WEB_CERT_OCSP:Common:aafdaab1: New session from client IP 172.16.69.132 (ST=/CC=/C=) at VIP 172.16.69.224 Listener /Common/VS_WEB_CERT_OCSP (Reputation=Unknown)
2016-06-06 17:34:28
/Common/PL_WEB_CERT_OCSP:Common:aafdaab1: OCSP Auth agent: Failure status 'Error querying OCSP responsder host (ocsp.viettel-ca.vn) path (/)'
2016-06-06 17:34:28
/Common/PL_WEB_CERT_OCSP:Common:aafdaab1: Following rule 'fallback' from item 'OCSP Auth' to ending 'Deny'
2016-06-06 17:34:28
/Common/PL_WEB_CERT_OCSP:Common:aafdaab1: Access policy result: Logon_Deny
2016-06-06 17:34:28
/Common/PL_WEB_CERT_OCSP:Common:aafdaab1: Received client info - Hostname: Type: Mozilla Version: 5 Platform: Win7 CPU: unknown UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 1
2016-06-06 17:34:28
/Common/PL_WEB_CERT_OCSP:Common:aafdaab1: Session deleted (policy_result).
Why does it fail to connect to OCSP?
Thanks
Phong
06-Jun-2016 05:01
Are you certain that
ocsp.viettel-ca.vn/
is the correct URL? OCSP is bound in an HTTP request, so the URL should probably be
http://ocsp.viettel-ca.vn/
06-Jun-2016 08:53
Okay, with "Ignore AIA" unchecked the OCSP URL is going to come from the client certificate AIA field, and it does appear to be doing that. The next thing I'd do is test it manually. From the command line enter the following:
openssl ocsp -issuer [issuer cert] -cert [test cert] -CAfile [CA cert] -url http://ocsp.viettel-ca.vn/
where:
issuer cert = the CA certificate file of the issuer of the test cert
test cert = the certificate you're testing
CA cert = the CA certificate (or certificate bundle) needed to validate the digital signature of the OCSP response
So for example:
openssl ocsp -issuer cacert.crt -cert user.crt -CAfile cacert.crt -url http://ocsp.viettel-ca.vn/
Please post your results.
07-Jun-2016 09:30
So you're basically getting the same error from the command line, which would indicate an issue with either the request or the OCSP services. Are you certain that http://ocsp.viettel-ca.vn is the correct OCSP responder URL? A simple cURL to that URL intermittently responds with a 200 or 404, so I'm guessing this is not the correct URL or there's something wrong with the service.
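The manual openssl ocsp test from the post above, and the point about probing the responder over HTTP, are easier to reason about against a responder you control. The script below is an added example, not code from the thread or from F5: it builds a throwaway CA, issues three certificates whose AIA extension points at a local OpenSSL OCSP responder (the field APM reads when "Ignore AIA" is unchecked), starts that responder, and runs the same openssl ocsp query against each cert so that all three answers (good, revoked, unknown) and the "Error querying OCSP responder" failure can be seen. The port 18080, the file names and the subject names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway CA plus a local OpenSSL
# OCSP responder, queried with the same openssl ocsp command as the post.
# The port, file names and subject names are assumptions.
set -eu

OCSP_PORT="${OCSP_PORT:-18080}"          # assumption: a free local TCP port
OCSP_URL="http://127.0.0.1:$OCSP_PORT/"
WORK="$(mktemp -d)"
trap 'kill "${RESPONDER_PID:-}" 2>/dev/null || true; rm -rf "$WORK"' EXIT

# Issue one end-entity cert from the test CA with a fixed serial and an AIA
# extension, which is where APM reads the responder URL when "Ignore AIA" is off.
issue_cert() {   # $1 = name, $2 = serial (hex)
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -set_serial "$2" -days 30 -extfile "$WORK/aia.cnf" -out "$WORK/$1.crt" 2>/dev/null
}

setup_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Test OCSP CA" -days 30 \
      -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  printf 'authorityInfoAccess = OCSP;URI:%s\n' "$OCSP_URL" > "$WORK/aia.cnf"
  issue_cert good     0x1001
  issue_cert revoked  0x1002
  issue_cert unlisted 0x1003
  # OpenSSL "ca" database format: type, expiry, revocation time, serial, file, subject.
  # The responder answers from the type and serial columns; 0x1003 is deliberately absent.
  printf 'V\t350101000000Z\t\t1001\tunknown\t/CN=good\n'                  > "$WORK/index.txt"
  printf 'R\t350101000000Z\t240101000000Z\t1002\tunknown\t/CN=revoked\n' >> "$WORK/index.txt"
}

# The URL APM would use: taken from the cert's AIA extension.
aia_url() { openssl x509 -in "$WORK/$1.crt" -noout -ocsp_uri; }

# Same query as the post, reduced to one word: good, revoked, unknown, or
# error (no response, or a response that does not verify against -CAfile).
ocsp_status() {   # $1 = name of an issued cert
  out="$(openssl ocsp -issuer "$WORK/ca.crt" -cert "$WORK/$1.crt" \
           -CAfile "$WORK/ca.crt" -url "$(aia_url "$1")" 2>&1 || true)"
  case "$out" in
    *"Response verify OK"*) ;;
    *) echo error; return 0 ;;        # e.g. openssl's "Error querying OCSP responder"
  esac
  case "$out" in
    *": revoked"*) echo revoked ;;
    *": good"*)    echo good ;;
    *": unknown"*) echo unknown ;;
    *)             echo error ;;
  esac
}

start_responder() {
  openssl ocsp -index "$WORK/index.txt" -CA "$WORK/ca.crt" \
      -rsigner "$WORK/ca.crt" -rkey "$WORK/ca.key" -port "$OCSP_PORT" \
      >"$WORK/responder.log" 2>&1 &
  RESPONDER_PID=$!
  # A refused connection is not an OCSP failure; give the listener a moment.
  for i in 1 2 3 4 5 6 7 8 9 10; do
    [ "$(ocsp_status good)" = error ] || return 0
    sleep 1
  done
  echo "responder did not come up; see $WORK/responder.log" >&2
  return 1
}

setup_ca
start_responder
for name in good revoked unlisted; do
  printf '%-9s AIA=%s -> %s\n' "$name" "$(aia_url "$name")" "$(ocsp_status "$name")"
done
```

To isolate the HTTP layer, as the cURL remark above does, send a real OCSP request rather than a plain GET of the base URL: `openssl ocsp -issuer ca.crt -cert user.crt -reqout req.der` writes the DER request, `curl --data-binary @req.der -H 'Content-Type: application/ocsp-request' -o resp.der http://responder/` posts it, and `openssl ocsp -respin resp.der -issuer ca.crt -cert user.crt -CAfile ca.crt` verifies and decodes the answer. A 200 or 404 on a bare GET of `/` says little on its own, since responders are normally queried by POST (or by GET with the base64 request in the path).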
07-Jun-2016 21:14
On their website, the link is http://ocsp.viettel-ca.vn too.
Understood, but this is either not the correct URL or there's something wrong with the service. Is there any other documentation on the OCSP service?
06-Dec-2022 03:32
Any solution for this issue?
I also have this error.
27-Jan-2023 09:14
Hey @Danielzi - apologies, missed your reply all this time. If you are still having the issue, can you please share some details for @Kevin_Stewart to look at?
28-Jan-2023 21:41
Hi, yes, I got a workaround from support: "https://support.f5.com/csp/article/K12552109"
I am still waiting for an RFE or some EHF because I need to create a dummy VIP for each issuer, and it should not work like this.
The CRLDP works great; only the OCSP has this issue.
07-Feb-2023 09:46
@Danielzi - I'll mark your workaround as the solution for now...so at least folks might find that too. If the RFE comes through with a more complete solution we can update this accordingly?