
ProxySG OCSP checking fails with the error message "invalid-response"


Article ID: 173046


Products

ProxySG Software - SGOS

Issue/Introduction

Users are unable to access some secure HTTPS websites and receive an "invalid-response" error message related to OCSP (Online Certificate Status Protocol) checking.

The OCSP service maintains a list of revoked certificates. It is an alternative to using a Certificate Revocation List.

Error : OCSP check for server certificate failed due to error: "invalid-response"
An error occurred while checking revocation status of the certificate. Contact the administrator for further assistance.

Cause

The Certification Authority's OCSP server is failing to respond. In the example below, Qualys SSL Labs shows that the OCSP service at http://ocsp.comodoca.com is failing:

[Image: OCSP Error Message]

Environment

Symantec ProxySG using OCSP.

Resolution

Check for any OCSP service issues with the relevant Certification Authority.

If the Certification Authority is experiencing degradation of its OCSP service, the only workaround is to delete the OCSP configuration in ProxySG.

Depending on the number of sites affected, you may be able to create a policy to work around the issue, but this would be very difficult to manage.
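When checking the Certification Authority's OCSP service, it helps to look at what the responder actually returned. The following is an added example, not Symantec or ProxySG code: it classifies a captured responder reply using the response format from RFC 6960. The function names and the sample bytes are constructed for illustration, and how ProxySG maps each case to "invalid-response" is not stated in this article.

```python
# Added example: classify a reply captured from a CA's OCSP responder (RFC 6960).
# Function names are hypothetical; the sample bytes are constructed, not captured.

OCSP_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
               3: "tryLater", 5: "sigRequired", 6: "unauthorized"}


def read_der_header(data, pos):
    """Return (tag, length, offset of value) for the DER element at pos."""
    if pos + 2 > len(data):
        raise ValueError("truncated DER header")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        return tag, first, pos
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or pos + n > len(data):
        raise ValueError("bad DER length")
    return tag, int.from_bytes(data[pos:pos + n], "big"), pos + n


def classify_ocsp_reply(http_status, content_type, body):
    """Say whether a responder reply is usable and, if not, why."""
    if http_status != 200:
        return f"responder-fault: HTTP {http_status}"
    if content_type.split(";")[0].strip().lower() != "application/ocsp-response":
        return f"responder-fault: unexpected content type {content_type!r}"
    try:
        tag, length, pos = read_der_header(body, 0)      # OCSPResponse SEQUENCE
        if tag != 0x30 or pos + length != len(body):
            raise ValueError("not a single DER SEQUENCE")
        tag, length, pos = read_der_header(body, pos)    # responseStatus ENUMERATED
        if tag != 0x0A or length != 1 or pos >= len(body):
            raise ValueError("missing responseStatus")
    except ValueError as exc:
        return f"responder-fault: undecodable body ({exc})"
    status = body[pos]
    if status != 0:
        name = OCSP_STATUS.get(status, f"unknown({status})")
        return f"responder-fault: OCSP status {name}"
    if pos + 1 == len(body):
        return "responder-fault: successful status without responseBytes"
    return "decodable: status successful, verify signature and certStatus next"


# Constructed sample: the 5-byte DER body of a "tryLater" reply.
SAMPLE_TRY_LATER = bytes.fromhex("30030a0103")

if __name__ == "__main__":
    print(classify_ocsp_reply(200, "application/ocsp-response", SAMPLE_TRY_LATER))
```

A "responder-fault" verdict for a reply fetched from outside the proxy path points at the Certification Authority's service rather than at the ProxySG configuration.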
