OCSP Service Temporarily Unavailable


L0 Member

Hi team,

 

I have configured an OCSP responder on my Panorama and followed all the steps of the documentation https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/certificate-management/certificate-revocat....

 

But when I generate an OCSP request, I receive this:

openssl ocsp -issuer cert.pem -cert cert.pem -serial 1 -text -host 172.1.1.1:80
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: A068E48DC817AC72A06E22BC58877094E9A6F222
Issuer Key Hash: 6638F3C25A8DDFAF37AD61D93C1A1D3E17670775
Serial Number: 2F13DAF1870CD4338F18DBFC376BB27B
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 23F288CF41F18D173212CED743079ED5B96A63ED
Issuer Key Hash: 6638F3C25A8DDFAF37AD61D93C1A1D3E17670775
Serial Number: 01
Request Extensions:
OCSP Nonce:
04107CB9F7962D041974790B301E0E5359CD
Error querying OCSP responder
140008674154384:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:314:Code=503,Reason=Service Temporarily Unavailable

Has anyone already had this response "Service Temporarily Unavailable" from the Palo Alto?

 

How can I check the Palo Alto OCSP service status?

Thanks in advance,

Cheers,

Romain
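
Added example, not part of the original post and not Palo Alto code: the 503 in the openssl output above is an HTTP status, returned before any OCSP response exists, which is a different failure from an OCSP-level "tryLater" status. The Python sketch below separates the two layers; the function names and the DER sample bytes are constructed for illustration, and the error line is the one from the post.

```python
import re

# OCSPResponseStatus values defined in RFC 6960, section 4.2.1
OCSP_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
               3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

# Error line copied from the openssl output in the post above
PAGE_ERROR = ("140008674154384:error:27076072:OCSP routines:PARSE_HTTP_LINE1:"
              "server response error:ocsp_ht.c:314:Code=503,"
              "Reason=Service Temporarily Unavailable")

# Constructed sample: DER for OCSPResponse { responseStatus tryLater }
SAMPLE_TRY_LATER = bytes.fromhex("30030a0103")

def parse_openssl_error(line):
    """Extract (HTTP code, reason) from openssl's 'server response error' line."""
    m = re.search(r"Code=(\d+),Reason=(.*)$", line.strip())
    return (int(m.group(1)), m.group(2)) if m else None

def ocsp_response_status(body):
    """Read responseStatus from a DER OCSPResponse (no signature checks)."""
    if len(body) < 5 or body[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    # Skip the SEQUENCE length: short form is 1 byte, long form 1 + n bytes
    i = 2 if body[1] < 0x80 else 2 + (body[1] & 0x7F)
    if len(body) < i + 3 or body[i:i + 2] != b"\x0a\x01":
        raise ValueError("responseStatus ENUMERATED missing")
    return OCSP_STATUS.get(body[i + 2], "unknown(%d)" % body[i + 2])

def classify(http_status, content_type, body):
    """Return (layer, detail): which layer produced the answer."""
    if http_status != 200:
        # The HTTP listener answered, but there is no OCSP response to parse
        return ("http", "HTTP %d, no OCSP response in body" % http_status)
    if content_type.split(";")[0].strip().lower() != "application/ocsp-response":
        return ("http", "HTTP 200 but body is not application/ocsp-response")
    try:
        return ("ocsp", ocsp_response_status(body))
    except ValueError as exc:
        return ("ocsp", "unparseable response: %s" % exc)

if __name__ == "__main__":
    code, reason = parse_openssl_error(PAGE_ERROR)
    print(classify(code, "", b""))  # the case in the post
    print(classify(200, "application/ocsp-response", SAMPLE_TRY_LATER))
```

A result in the "http" layer points at the listener or the service behind it rather than at the certificate or the request contents.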

2 REPLIES

Community Team Member

Hi @romain-boyer,

 

Are you running PAN-OS 9.1.x?

 

In that case you might be running into bug PAN-200100, where there was a problem for the local OCSP responder when the format was different than just an IP address. The logic tries to resolve the object name as an IP address. As a workaround, the actual IP address can be used as the name of the address object.

To check status: you can use "debug sslmgr view ocsp all" command

 

 

admin@FWLAB> debug sslmgr view ocsp all

Current time is: Wed Jul 10 01:38:14 2024

Count   Serial Number (HEX)                      Status      Next Update              Revocation Time          Reason    
        Issuer Name Hash
        OCSP Responder URL
------- ---------------------------------------- ----------- ------------------------ ------------------------ ----------
[    1] XXXXXXXXXX                               unavailable Jul 10 02:30:32 2024 GMT                          error querying OCSP responder
        ZZZZZZZZ
        http://x.x.x.x/CA/ocsp

 

 

Check the sslmgr log for more details.

 

Hope this helps,

Kim.

 

LIVEcommunity team member, CISSP
Cheers,
Kiwi

Hi Kim,

 

I'm on PAN-OS 10.2.8.

And when I execute the command, I can't find any service:

rbr@FW(active)> debug sslmgr view ocsp all

Current time is: Wed Jul 10 15:08:29 2024

Count   Serial Number (HEX)                      Status      Next Update              Revocation Time          Reason    
        Issuer Name Hash
        OCSP Responder URL
------- ---------------------------------------- ----------- ------------------------ ------------------------ ----------

 
