You receive the error "Could not contact the Blue Coat web server to verify the Service Request number".
Upon inspecting the Event Log, you find the following error(s):
2013-11-05 10:12:26-06:00CST "OCSP: AuthorityInfoAccess extension URL not found in certificate" 0 300000:96 cf_ocsp_api.cpp:339
2013-11-05 10:12:26-06:00CST "CFSSL VERIFY ERROR: depth=1 error=self signed certificate in certificate chain: /O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048) " 0 300000:1 cf_ssl.cpp:1431
2013-11-05 10:12:26-06:00CST "OCSP responder 'XXXX': Untrusted responder(self signed certificate in certificate chain)" 0 300000:1 cf_ocsp_api.cpp:89
2013-11-05 10:12:26-06:00CST "Server certificate validation failed: CERT_OCSP_CHECK_FAILED, Name in certificate: upload.bluecoat.com" 0 300000:1 te_transaction.cpp:1264
2013-11-05 10:12:26-06:00CST "OCSP: AuthorityInfoAccess extension URL not found in certificate" 0 300000:96 cf_ocsp_api.cpp:339
2013-11-05 10:12:26-06:00CST "CFSSL VERIFY ERROR: depth=1 error=self signed certificate in certificate chain: /O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048) " 0 300000:1 cf_ssl.cpp:1431
2013-11-05 10:12:26-06:00CST "OCSP responder 'XXXX': Untrusted responder(self signed certificate in certificate chain)" 0 300000:1 cf_ocsp_api.cpp:89
2013-11-05 10:12:26-06:00CST "Server certificate validation failed: CERT_OCSP_CHECK_FAILED, Name in certificate: upload.bluecoat.com" 0 300000:1 te_transaction.cpp:1264
This occurs when OCSP is enabled and the Entrust Net 2048 certificate is missing, so the certificate chain cannot be built.
There are a few options:
- If you are not actually using this service, set the default OCSP to 'NONE' and delete the one OCSP responder that is currently configured.
- If you do intend to continue using the configured OCSP responder, you can check the box for "Ignore untrusted responder certificate". With that box checked, the responder's certificate is no longer required to chain to a trusted CA.
Otherwise, if you need to keep the OCSP responder configured as it currently is and want to be able to upload data to Blue Coat from the unit, you must add the certificate chain to the CA certificates and then add those certificates to the CCL you have configured (in our example XXXX), since that is the list used to validate the responder.
Install only the following in the archive configuration text editor:
ssl ;mode
edit ccl XXXX_List ;mode
add Entrust_Net_2048
exit
exit
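
To confirm from an exported Event Log that a failure matches this case, the sketch below ties each "Server certificate validation failed" entry to the OCSP responder and the untrusted CA named in the lines before it. It is an added example, not Blue Coat code; the line layout is assumed from the entries quoted above, and the function name diagnose is hypothetical.

```python
import re

# Constructed sample input: the four Event Log lines quoted in this article.
SAMPLE_LOG = """\
2013-11-05 10:12:26-06:00CST "OCSP: AuthorityInfoAccess extension URL not found in certificate" 0 300000:96 cf_ocsp_api.cpp:339
2013-11-05 10:12:26-06:00CST "CFSSL VERIFY ERROR: depth=1 error=self signed certificate in certificate chain: /O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048) " 0 300000:1 cf_ssl.cpp:1431
2013-11-05 10:12:26-06:00CST "OCSP responder 'XXXX': Untrusted responder(self signed certificate in certificate chain)" 0 300000:1 cf_ocsp_api.cpp:89
2013-11-05 10:12:26-06:00CST "Server certificate validation failed: CERT_OCSP_CHECK_FAILED, Name in certificate: upload.bluecoat.com" 0 300000:1 te_transaction.cpp:1264
"""

# Assumed layout (from the lines above): timestamp, quoted message, trailing fields.
LINE = re.compile(r'^(?P<ts>\S+ \S+) "(?P<msg>.*)" \d+ \S+ \S+:\d+$')
VERIFY = re.compile(r'CFSSL VERIFY ERROR: depth=(\d+) error=(.+?): (/.+)')
RESPONDER = re.compile(r"OCSP responder '(.+?)': Untrusted responder\((.+)\)")
FAILED = re.compile(r'Server certificate validation failed: (\w+), Name in certificate: (\S+)')
# The subject's OU contains '/', so take the CN from the end instead of splitting on '/'.
CN = re.compile(r'/CN=(.+?)\s*$')

def diagnose(log_text):
    """Return one finding per failed server validation, with the OCSP context before it."""
    findings, ctx = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an Event Log line in the assumed layout
        msg = m.group('msg')
        if v := VERIFY.search(msg):
            cn = CN.search(v.group(3))
            ctx.update(depth=int(v.group(1)), chain_error=v.group(2),
                       untrusted_ca=cn.group(1) if cn else v.group(3).strip())
        elif r := RESPONDER.search(msg):
            ctx.update(responder=r.group(1))
        elif f := FAILED.search(msg):
            findings.append({'time': m.group('ts'), 'code': f.group(1),
                             'server': f.group(2), **ctx})
            ctx = {}  # the next transaction starts with no carried-over context
    return findings

if __name__ == '__main__':
    for f in diagnose(SAMPLE_LOG):
        print(f"{f['time']} {f['server']}: {f['code']}; responder {f.get('responder')} "
              f"untrusted, CA to add to its CCL: {f.get('untrusted_ca')}")
```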