https://live.paloaltonetworks.com/t5/general-topics/ocsp-service-temporarily-unavailable/m-p/591600#M117810 <P>Hi Kim,</P> <P>&nbsp;</P> <P>I'm in PAN-OS 10.2.8.</P> <P>And when I execute the commande, I cant't find any service :<BR /><BR /></P> <P>rbr@FW(active)&gt; debug sslmgr view ocsp all</P> <P>Current time is: Wed Jul 10 15:08:29 2024</P> <P>Count Serial Number (HEX) Status Next Update Revocation Time Reason<BR />Issuer Name Hash<BR />OCSP Responder URL<BR />------- ---------------------------------------- ----------- ------------------------ ------------------------ ----------</P> <P>&nbsp;</P> Wed, 10 Jul 2024 15:10:17 GMT romain-boyer 2024-07-10T15:10:17Z https://live.paloaltonetworks.com/t5/general-topics/ocsp-service-temporarily-unavailable/m-p/591225#M117736 <P>Hi team,</P> <P>&nbsp;</P> <P>I have configure an OCSP responder on my Panaroma, I do all the step of the documentation <A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/certificate-management/certificate-revocation/online-certificate-status-protocol-ocsp" target="_blank">https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/certificate-management/certificate-revocation/online-certificate-status-protocol-ocsp</A>.</P> <P>&nbsp;</P> <P>But when I generate an OCSP request, I recieve this :<BR /><BR />openssl ocsp -issuer cert.pem -cert cert.pem -serial 1 -text -host 172.1.1.1:80<BR />OCSP Request Data:<BR />Version: 1 (0x0)<BR />Requestor List:<BR />Certificate ID:<BR />Hash Algorithm: sha1<BR />Issuer Name Hash: A068E48DC817AC72A06E22BC58877094E9A6F222<BR />Issuer Key Hash: 6638F3C25A8DDFAF37AD61D93C1A1D3E17670775<BR />Serial Number: 2F13DAF1870CD4338F18DBFC376BB27B<BR />Certificate ID:<BR />Hash Algorithm: sha1<BR />Issuer Name Hash: 23F288CF41F18D173212CED743079ED5B96A63ED<BR />Issuer Key Hash: 6638F3C25A8DDFAF37AD61D93C1A1D3E17670775<BR />Serial Number: 01<BR />Request Extensions:<BR />OCSP Nonce:<BR />04107CB9F7962D041974790B301E0E5359CD<BR />Error querying OCSP responder<BR />140008674154384:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:314:Code=503,Reason=Service Temporarily Unavailable<BR /><BR /></P> <P>Someone already have this reponse "Service Temporarily Unavailable" from the Palo Alto ?</P> <P>&nbsp;</P> <P>How to check the Palo Alto service OCSP status ?<BR /><BR /></P> <P>Thanks in advance,</P> <P>Cheers,<BR /><BR />Romain</P> Thu, 04 Jul 2024 13:36:32 GMT https://live.paloaltonetworks.com/t5/general-topics/ocsp-service-temporarily-unavailable/m-p/591225#M117736 romain-boyer 2024-07-04T13:36:32Z https://live.paloaltonetworks.com/t5/general-topics/ocsp-service-temporarily-unavailable/m-p/591582#M117807 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/828714853">@romain-boyer</a> ,</P> <P>&nbsp;</P> <P>Are you running PAN-OS 9.1.x ?</P> <P>&nbsp;</P> <P>In that case you might be running into bug <SPAN>PAN-200100 where there was a problem for local oscp responder when format was different than just IP address. The logic tries to resolve object name as an ip address. As a workaround, using the actual ip address can be used as name of the address object.<BR /><BR /></SPAN></P> <P><SPAN>To check status: you can use "debug sslmgr view ocsp all" command</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">admin@FWLAB&gt; debug sslmgr view ocsp all Current time is: Wed Jul 10 01:38:14 2024 Count Serial Number (HEX) Status Next Update Revocation Time Reason Issuer Name Hash OCSP Responder URL ------- ---------------------------------------- ----------- ------------------------ ------------------------ ---------- [ 1] XXXXXXXXXX unavailable Jul 10 02:30:32 2024 GMT error querying OCSP responder ZZZZZZZZ http://x.x.x.x/CA/ocsp</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>Check <SPAN>sslmgmr log for more details.<BR /></SPAN></P> <P>&nbsp;</P> <P><SPAN>Hope this helps,</SPAN></P> <P><SPAN>Kim.</SPAN></P> <P>&nbsp;</P> Wed, 10 Jul 2024 10:34:22 GMT https://live.paloaltonetworks.com/t5/general-topics/ocsp-service-temporarily-unavailable/m-p/591582#M117807 kiwi 2024-07-10T10:34:22Z https://live.paloaltonetworks.com/t5/general-topics/ocsp-service-temporarily-unavailable/m-p/591600#M117810 <P>Hi Kim,</P> <P>&nbsp;</P> <P>I'm in PAN-OS 10.2.8.</P> <P>And when I execute the commande, I cant't find any service :<BR /><BR /></P> <P>rbr@FW(active)&gt; debug sslmgr view ocsp all</P> <P>Current time is: Wed Jul 10 15:08:29 2024</P> <P>Count Serial Number (HEX) Status Next Update Revocation Time Reason<BR />Issuer Name Hash<BR />OCSP Responder URL<BR />------- ---------------------------------------- ----------- ------------------------ ------------------------ ----------</P> <P>&nbsp;</P> Wed, 10 Jul 2024 15:10:17 GMT https://live.paloaltonetworks.com/t5/general-topics/ocsp-service-temporarily-unavailable/m-p/591600#M117810 romain-boyer 2024-07-10T15:10:17Z