ProxySG OCSP checking fails with the error message "invalid-response"

Article ID: 173046

Products

ProxySG Software - SGOS

Issue/Introduction

Users are unable to access some secure HTTPS websites and receive an "invalid-response" error message related to OCSP (Online Certificate Status Protocol) checking.

The OCSP service lets a client query whether a certificate has been revoked. It is an alternative to using a Certificate Revocation List (CRL).

Error : OCSP check for server certificate failed due to error: "invalid-response"
An error occurred while checking revocation status of the certificate. Contact the administrator for further assistance.

Environment

Symantec ProxySG using OCSP.

Cause

The Certification Authority's OCSP server is failing to respond. In the example below, Qualys SSL Labs shows that the OCSP service at http://ocsp.comodoca.com is failing:

[Image: OCSP Error Message]

Resolution

Check for any OCSP service issues with the relevant Certification Authority.
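
One way to run this check from a workstation with OpenSSL installed, querying the CA's OCSP responder directly instead of through the proxy. This is an added example, not part of the original article; `leaf.pem` (the site's certificate) and `issuer.pem` (its issuing CA certificate) are placeholder file names, and the verdict labels are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): ask the CA's OCSP responder
# about one certificate directly, bypassing the proxy.
# Usage: sh ocsp_check.sh leaf.pem issuer.pem   (file names are placeholders)

# Turn `openssl ocsp` output into one verdict. Failure strings are tested
# first so a broken responder is never reported as "good".
classify_ocsp() {
    case "$1" in
        *"Responder Error"*|*"Error querying OCSP responder"*)
            echo responder-failure ;;
        *"Response Verify Failure"*)
            echo unverified ;;          # answer received, signature not trusted
        *": revoked"*) echo revoked ;;
        *": good"*)    echo good ;;
        *": unknown"*) echo unknown ;;
        *)             echo responder-failure ;;   # empty or unrecognised output
    esac
}

check_ocsp() {
    leaf=$1 issuer=$2
    # The responder URL comes from the certificate's AIA extension.
    uri=$(openssl x509 -in "$leaf" -noout -ocsp_uri) || return 2
    [ -n "$uri" ] || { echo "no OCSP URL in $leaf" >&2; return 2; }
    # Capture stdout and stderr: OpenSSL reports responder errors on stderr.
    out=$(openssl ocsp -issuer "$issuer" -cert "$leaf" -url "$uri" -timeout 10 2>&1)
    verdict=$(classify_ocsp "$out")
    echo "$uri -> $verdict"
    [ "$verdict" = good ]
}

if [ "$#" -eq 2 ]; then
    check_ocsp "$1" "$2"
fi
```

A `responder-failure` verdict from a host that can reach the responder points to the CA's service rather than to the ProxySG.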

If the Certification Authority is experiencing degradation of its OCSP service, the only workaround is to delete the OCSP configuration on the ProxySG.

Depending on the number of sites affected, you may be able to create a policy to work around the issue, but this would be very difficult to manage.