Could not contact the Blue Coat web server to verify the Service Request number

Article ID: 165613

Products

SG-300, Symantec WebFilter (formerly Blue Coat WebFilter - BCWF), SG-600, Intelligence Services, SG-510, SG-810, SG-9000, SG-900, SG-S500, SG-S400, Secure Web Gateway Virtual Appliance, SG-S200, ProxySG Software - SGOS, SWG VA-100

Issue/Introduction

You receive the error "Could not contact the Blue Coat web server to verify the Service Request number".

Upon inspecting the Event Log, you find the following errors:

2013-11-05 10:12:26-06:00CST  "OCSP: AuthorityInfoAccess extension URL not found in certificate"  0 300000:96   cf_ocsp_api.cpp:339

2013-11-05 10:12:26-06:00CST  "CFSSL VERIFY ERROR: depth=1 error=self signed certificate in certificate chain: /O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048) "  0 300000:1   cf_ssl.cpp:1431

2013-11-05 10:12:26-06:00CST  "OCSP responder 'XXXX': Untrusted responder(self signed certificate in certificate chain)"  0 300000:1   cf_ocsp_api.cpp:89

2013-11-05 10:12:26-06:00CST  "Server certificate validation failed: CERT_OCSP_CHECK_FAILED, Name in certificate: upload.bluecoat.com"  0 300000:1   te_transaction.cpp:1264

Resolution

This occurs when OCSP is enabled and the Entrust Net 2048 certificate is missing, so the certificate chain cannot be built.
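To confirm from an exported event log that a failed upload has this cause, the following added example (not Symantec or Blue Coat code) parses lines in the format shown above and reports each case where an untrusted OCSP responder coincides with CERT_OCSP_CHECK_FAILED. Correlating lines by identical timestamp and the function name `triage` are assumptions of the example; the sample input is the four log lines quoted in this article.

```python
import re
from collections import defaultdict

# Sample input: the four event log lines quoted in this article.
SAMPLE_LOG = '''
2013-11-05 10:12:26-06:00CST  "OCSP: AuthorityInfoAccess extension URL not found in certificate"  0 300000:96   cf_ocsp_api.cpp:339
2013-11-05 10:12:26-06:00CST  "CFSSL VERIFY ERROR: depth=1 error=self signed certificate in certificate chain: /O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048) "  0 300000:1   cf_ssl.cpp:1431
2013-11-05 10:12:26-06:00CST  "OCSP responder 'XXXX': Untrusted responder(self signed certificate in certificate chain)"  0 300000:1   cf_ocsp_api.cpp:89
2013-11-05 10:12:26-06:00CST  "Server certificate validation failed: CERT_OCSP_CHECK_FAILED, Name in certificate: upload.bluecoat.com"  0 300000:1   te_transaction.cpp:1264
'''

# Event log line: timestamp, quoted message, two numeric fields, source file:line.
LINE_RE = re.compile(r'^(?P<ts>\S+ \S+)\s+"(?P<msg>.*)"\s+\d+\s+\S+\s+(?P<src>\S+)$')
VERIFY_RE = re.compile(r'CFSSL VERIFY ERROR: depth=(\d+) error=([^:]+): (.*)')
RESPONDER_RE = re.compile(r"OCSP responder '([^']*)': Untrusted responder")
FAILED_RE = re.compile(
    r'Server certificate validation failed: CERT_OCSP_CHECK_FAILED, Name in certificate: (\S+)')


def triage(log_text):
    """Return one finding per timestamp where the OCSP responder was untrusted
    and server certificate validation failed with CERT_OCSP_CHECK_FAILED."""
    events = defaultdict(dict)  # assumption: related lines share one timestamp
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or differently formatted lines
        ev, msg = events[m["ts"]], m["msg"]
        if v := VERIFY_RE.search(msg):
            # Keep the CN of the certificate the chain verification stopped at.
            cn = re.search(r"/CN=(.*)", v[3])
            ev.update(depth=int(v[1]), verify_error=v[2],
                      chain_cert=(cn[1] if cn else v[3]).strip())
        elif r := RESPONDER_RE.search(msg):
            ev["responder"] = r[1]
        elif f := FAILED_RE.search(msg):
            ev["host"] = f[1]
    return [dict(ts=ts, **ev) for ts, ev in events.items()
            if {"responder", "host"} <= ev.keys()]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']}: responder {f['responder']!r} untrusted; "
              f"chain stops at {f.get('chain_cert', 'unknown')} ({f.get('verify_error', 'n/a')})")
```

The `chain_cert` value in a finding names the CA certificate to look for in the CCL used to validate the responder.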

 

There are a few options:

- Set the default OCSP to 'NONE' and delete the currently configured OCSP responder, if you are not actually using this service.

- If you do intend to continue using the configured OCSP responder, check the box for "Ignore untrusted responder certificate".

Otherwise, if you need to keep the OCSP responder configured as it currently is and want to be able to upload data to Blue Coat from the unit, you must add the certificate chain to the CA certificates and then add them to the CCL you have configured (in our example XXXX), since that is the list used to validate the responder.

Install only the following in the archive configuration text editor:

 

ssl ;mode
edit ccl XXXX_List ;mode
add Entrust_Net_2048
exit
exit