
Dynamic Real-time Rating Health Check fails after upgrade to 6.7.4.x


Article ID: 174276

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

Fix failures in Dynamic Real-Time Rating (DRTR) Health Checks.

Resolution

Because of changes to the OCSP code in the 6.7.4.x branch, the DRTR health check fails when OCSP is enabled. The following can be observed in the health check output:

Domain name: webpulse.es.bluecoat.com DNS status: success
Enabled Check failed DOWN
IP address: 8.28.16.202 Enabled Check failed DOWN
Last status: A communication error has occurred.
Successes (total): 0 (last): Never (consecutive): 0
Failures (total): 5 (last): Tue, 08 Jan 2019 06:28:16 GMT (consecutive): 5 (external): 0
Last response time: 318 ms Average response time: 322 ms
Minimum response time: 316 ms Maximum response time: 334 ms
IP address: 185.2.196.215 Enabled Check failed DOWN
Last status: A communication error has occurred.
Successes (total): 0 (last): Never (consecutive): 0
Failures (total): 5 (last): Tue, 08 Jan 2019 06:28:15 GMT (consecutive): 5 (external): 0
Last response time: 106 ms Average response time: 109 ms
Minimum response time: 105 ms Maximum response time: 119 ms
IP address: 197.96.129.185 Enabled Check failed DOWN
Last status: A communication error has occurred.
Successes (total): 0 (last): Never (consecutive): 0
Failures (total): 5 (last): Tue, 08 Jan 2019 06:28:17 GMT (consecutive): 5 (external): 0
Last response time: 588 ms Average response time: 590 ms
Minimum response time: 586 ms Maximum response time: 598 ms
IP address: 46.235.158.215 Enabled Check failed DOWN
Last status: A communication error has occurred.
Successes (total): 0 (last): Never (consecutive): 0
Failures (total): 5 (last): Tue, 08 Jan 2019 06:28:15 GMT (consecutive): 5 (external): 0
Last response time: 82 ms Average response time: 139 ms
Minimum response time: 64 ms Maximum response time: 391 ms
IP address: 180.179.142.115 Enabled Check failed DOWN
Last status: A communication error has occurred.
Successes (total): 0 (last): Never (consecutive): 0
Failures (total): 5 (last): Tue, 08 Jan 2019 06:28:16 GMT (consecutive): 5 (external): 0
Last response time: 416 ms Average response time: 415 ms
Minimum response time: 394 ms Maximum response time: 423 ms

Examining the Event Log shows the following entries, which indicate what is happening:

2019-01-23 14:26:51+01:00CET  "OCSP responder 'Your-Responder': Untrusted responder(self signed certificate in certificate chain)"  0 300000:1  cf_ocsp_api.cpp:89
2019-01-23 14:26:51+01:00CET  "OCSP responder 'Your-Responder': Untrusted responder(self signed certificate in certificate chain)"  0 300000:1  cf_ocsp_api.cpp:89
2019-01-23 14:26:53+01:00CET  "OCSP responder 'Your-Responder': Untrusted responder(self signed certificate in certificate chain)"  0 300000:1  cf_ocsp_api.cpp:89
2019-01-23 14:26:53+01:00CET  "OCSP responder 'Your-Responder': Untrusted responder(self signed certificate in certificate chain)"  0 300000:1  cf_ocsp_api.cpp:89
2019-01-23 14:26:53+01:00CET  "OCSP responder 'Your-Responder': Untrusted responder(self signed certificate in certificate chain)"  0 300000:1  cf_ocsp_api.cpp:89
2019-01-23 14:26:55+01:00CET  "OCSP responder 'Your-Responder': Untrusted responder(self signed certificate in certificate chain)"  0 300000:1  cf_ocsp_api.cpp:89
2019-01-23 14:26:55+01:00CET  "OCSP responder 'Your-Responder': Untrusted responder(self signed certificate in certificate chain)"  0 300000:1  cf_ocsp_api.cpp:89

This error means that OCSP validation is rejecting a certificate that the proxy receives from upstream. When you examine the certificate used during a DRTR Health Check you see something like this:

As you can see here, the DigiCert Global Root G2 certificate in this chain was issued by Blue Coat Systems Engineering Private Root CA, which means the chain is signed by a self-signed certificate that the proxy does not trust. The chain has always been built this way, but it did not cause issues until OCSP validation was updated in the 6.7.4.x branch.
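The two symptoms above (every DRTR IP reporting DOWN with a communication error, and "Untrusted responder" events in the Event Log) can be correlated from the text output of the appliance. The following is an added example, not part of the original article or of SGOS; the sample health check and event log text is constructed from the excerpts above, and the regular expressions assume the line layout shown there.

```python
import re
from collections import Counter

# Constructed sample, trimmed from the DRTR health check output shown above.
HEALTH_CHECK = """\
Domain name: webpulse.es.bluecoat.com DNS status: success
Enabled Check failed DOWN
IP address: 8.28.16.202 Enabled Check failed DOWN
Last status: A communication error has occurred.
Successes (total): 0 (last): Never (consecutive): 0
Failures (total): 5 (last): Tue, 08 Jan 2019 06:28:16 GMT (consecutive): 5 (external): 0
IP address: 185.2.196.215 Enabled Check failed DOWN
Last status: A communication error has occurred.
Successes (total): 0 (last): Never (consecutive): 0
Failures (total): 5 (last): Tue, 08 Jan 2019 06:28:15 GMT (consecutive): 5 (external): 0
"""

# Constructed sample, modelled on the Event Log lines shown above.
EVENT_LOG = """\
2019-01-23 14:26:51+01:00CET  "OCSP responder 'Your-Responder': Untrusted responder(self signed certificate in certificate chain)"  0 300000:1  cf_ocsp_api.cpp:89
2019-01-23 14:26:53+01:00CET  "OCSP responder 'Your-Responder': Untrusted responder(self signed certificate in certificate chain)"  0 300000:1  cf_ocsp_api.cpp:89
"""

IP_RE = re.compile(r"^IP address: (\S+) \S+ Check \w+ (UP|DOWN)$")
STATUS_RE = re.compile(r"^Last status: (.+)$")
FAIL_RE = re.compile(r"^Failures \(total\): (\d+) .*\(consecutive\): (\d+)")
OCSP_RE = re.compile(r"OCSP responder '([^']+)': Untrusted responder\(([^)]*)\)")

def parse_health_check(text):
    """Return {ip: {state, last_status, failures, consecutive}} for each resolved IP."""
    entries, current = {}, None
    for line in text.splitlines():
        if (m := IP_RE.match(line)):
            current = entries.setdefault(m.group(1), {"state": m.group(2)})
        elif current is None:           # header lines before the first IP block
            continue
        elif (m := STATUS_RE.match(line)):
            current["last_status"] = m.group(1)
        elif (m := FAIL_RE.match(line)):
            current["failures"], current["consecutive"] = int(m.group(1)), int(m.group(2))
    return entries

def ocsp_untrusted_responders(text):
    """Count 'Untrusted responder' events per OCSP responder name."""
    return Counter(m.group(1) for m in OCSP_RE.finditer(text))

def diagnose(health_text, event_text):
    """Flag the pattern from this article: all IPs DOWN with a communication error
    while the Event Log reports an untrusted OCSP responder chain."""
    entries = parse_health_check(health_text)
    down = [ip for ip, e in entries.items()
            if e["state"] == "DOWN" and "communication error" in e.get("last_status", "")]
    ocsp = ocsp_untrusted_responders(event_text)
    all_down = bool(entries) and len(down) == len(entries)
    return {"down_ips": down, "ocsp_untrusted": dict(ocsp),
            "likely_ocsp_trust_issue": all_down and bool(ocsp)}
```

If `likely_ocsp_trust_issue` is true, the fix below (trusting the private root that signs the chain) is the first thing to verify.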


To resolve the issue, add the BC_Engineering_CA certificate to the browser-trusted CA certificate list on the ProxySG: Configuration > SSL > CA Certificates > CA Certificates Lists > browser-trusted.
