OCSP Revocation Checking does not work as expected
Article ID: 232070

Products

CA API Gateway

Issue/Introduction

There are two revocation checking policies configured in the Gateway:

  • CRL from certificate URL 
  • OCSP (Default) from certificate URL 

The certificates that do not contain an OCSP URI are configured to use the CRL checking policy. For the certificate which is signed by "Sectigo RSA Organization Validation Secure Server CA" the following warning is logged each time:

2021-11-03T08:19:58,054+0100 WARNING 1083 com.l7tech.server.transport.http.SslClientTrustManager: Error during OCSP check for responder 'http://ocsp.sectigo.com': OCSP nonce was required but not present in the response message

Changing the default setting to "CRL from certificate URL" eliminates this error from logging. Currently, the default is set as "OCSP from certificate URL".

Environment

API Gateway 10.X

Resolution

To reproduce this error, connect to a backend that uses a certificate issued by Sectigo. The issuer should be 'CN=Sectigo RSA Organization Validation Secure Server CA'.

The OCSP URL for the leaf certificate is indeed 'http://ocsp.sectigo.com', the responder named in the warning. An OCSP request that requires a nonce does get an answer from it, but the response does not carry the nonce.

2021-12-30T13:42:40.156+0100 WARNING 806 com.l7tech.server.transport.http.SslClientTrustManager: Error during OCSP check for responder 'http://ocsp.sectigo.com': OCSP nonce was required but not present in the response message

The gateway takes the OCSP URL from the leaf certificate but applies the revocation policy of the intermediate certificate when that certificate is the trust anchor.

If your default OCSP policy requires a nonce, it will fail on this revocation check.

If you set the intermediate certificate (in this case "Sectigo RSA Organization Validation Secure Server") as the trust anchor and set the default policy to CRL, it works.

The other option is to create another OCSP policy that does not use a nonce and assign that policy to this intermediate certificate.
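The check behind the warning above, as an added example that is not part of this article or of the Gateway's code: a pure-Python model of the RFC 6960 nonce rule, run against two constructed, unsigned OCSP responses, one without the nonce (as the Sectigo responder answers) and one that echoes it. Signature verification, the responder URL and the real certificate fields are out of scope; placeholder values stand in for them and all DER is built inline.

```python
NONCE_OID = bytes.fromhex("2b0601050507300102")   # id-pkix-ocsp-nonce 1.3.6.1.5.5.7.48.1.2
BASIC_OID = bytes.fromhex("2b0601050507300101")   # id-pkix-ocsp-basic
def tlv(tag, body):                                     # encode one DER element
    b = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    length = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | len(b)]) + b
    return bytes([tag]) + length + body
def parse(buf):                                         # decode a DER run -> [(tag, value), ...]
    out, i = [], 0
    while i < len(buf):
        tag, ln, i = buf[i], buf[i + 1], i + 2
        if ln & 0x80:                                   # long-form length
            ln, i = int.from_bytes(buf[i:i + (ln & 0x7F)], "big"), i + (ln & 0x7F)
        out.append((tag, buf[i:i + ln]))
        i += ln
    return out

def build_response(nonce=None):
    """Constructed, unsigned OCSPResponse; echoes `nonce` in responseExtensions when given."""
    exts = b""
    if nonce is not None:
        ext = tlv(0x30, tlv(0x06, NONCE_OID) + tlv(0x04, tlv(0x04, nonce)))
        exts = tlv(0xA1, tlv(0x30, ext))                # [1] EXPLICIT Extensions
    tbs = tlv(0x30, tlv(0xA2, tlv(0x04, b"\x00" * 20))  # responderID byKey (placeholder)
                  + tlv(0x18, b"20211230124240Z")       # producedAt
                  + tlv(0x30, b"") + exts)              # responses (empty placeholder), extensions
    basic = tlv(0x30, tbs + tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b"))) + tlv(0x03, b"\x00"))
    rb = tlv(0xA0, tlv(0x30, tlv(0x06, BASIC_OID) + tlv(0x04, basic)))   # placeholder sig above
    return tlv(0x30, tlv(0x0A, b"\x00") + rb)           # responseStatus = successful(0)

def response_nonce(der):
    """Return the nonce from ResponseData.responseExtensions, or None when absent."""
    items = parse(parse(der)[0][1])                     # [responseStatus, [0] responseBytes]
    if items[0][1] != b"\x00":                          # not 'successful': nothing to inspect
        return None
    basic = parse(parse(items[1][1])[0][1])[1][1]       # responseBytes -> OCTET STRING body
    tbs = parse(parse(basic)[0][1])[0][1]               # BasicOCSPResponse -> ResponseData body
    for tag, val in parse(tbs):
        if tag == 0xA1:                                 # [1] responseExtensions
            for _, ext in parse(parse(val)[0][1]):
                fields = parse(ext)
                if fields[0][1] == NONCE_OID:
                    return parse(fields[-1][1])[0][1]   # extnValue -> inner OCTET STRING
    return None

def check_nonce(request_nonce, response_der, require_nonce=True):   # the policy decision
    got = response_nonce(response_der)
    if got is None:
        msg = "OCSP nonce was required but not present in the response message"
        return (not require_nonce, msg if require_nonce else "no nonce; policy does not require one")
    return (got == request_nonce, "nonce echoed" if got == request_nonce else "nonce mismatch")
```

With a nonce-requiring policy, `check_nonce(nonce, build_response(None))` yields exactly the failure the Gateway logs; the same response passes under a policy that does not require the nonce, which is what the second resolution option configures.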