Troubleshooting
If OCSP stapling does not work as expected, use the console to print the diagnose debug messages, which show each step of the OCSP download and verification.
1. Set the diagnose debug output level in the console
- Connect your management computer to the FortiADC.
- Enable the diagnose debug output for crlupdated, the process that downloads and verifies the OCSP responses:
FortiADC-VM # diagnose debug module crlupdated all
FortiADC-VM # diagnose debug enable
- The OCSP-related messages are then printed on the console.
2. Common error cases
Delegated responder check failure. The response was signed by a delegated responder certificate (not by the CA itself) that does not carry the id-kp-OCSPSigning extended key usage, so the check that the signer is authorised to answer for this CA fails:
ocsp_download(593): OCSP: Response received
ocsp_download(614): OCSP: OCSP_basic_verify using ca chain
ocsp_download(626): error string is error:2706A067:OCSP routines:ocsp_check_delegated:missing ocspsigning usage
ocsp_download(626): error string is error:00000000:lib(0):func(0):reason(0)
ocsp_download(628): OCSP error: OCSP_basic_verify using ca chain
Solution:
Turn off "Issue Criteria Check" in the OCSP profile to skip the delegated responder certificate check. Prefer asking the responder operator to issue a responder certificate with the OCSP signing extended key usage: with the check off, any certificate that chains to the CA is accepted as a signer of status responses for it, so only disable it for a responder you cannot change.
OCSP nonce check error. The response does not carry the nonce that was sent in the request (it is missing or different); responders that serve pre-produced responses typically do not support nonces:
ocsp_download(593): OCSP: Response received
ocsp_download(602): OCSP error: OCSP_check_nonce
__poll_callback(702): OCSP download failed
Solution:
Turn off "Nonce Check" in the OCSP profile so that a response without a matching nonce is accepted. Without the nonce, the response is no longer bound to the request, so freshness then depends only on the thisUpdate and nextUpdate times in the response.
OCSP response issuer check failure. The responder certificate configured in the profile is not the certificate that signed the response:
ocsp_download(593): OCSP: Response received
ocsp_download(608): OCSP: OCSP_basic_verify using issuers
ocsp_download(610): OCSP error: OCSP_basic_verify using issuers
Solution:
Replace the configured certificate with the responder's current signing certificate, or verify the response against the CA chain instead of a fixed responder certificate.
To use the CA chain, refer to Scenario 2 in the Deployment section of this document.
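The three failures above can be reproduced offline with the openssl command line, which is a quick way to check a responder before it is configured on the FortiADC. The script below is an added example and is not part of this document or of FortiADC: it builds a throw-away CA, a leaf certificate and delegated responder certificates, answers requests with openssl's own responder mode, and then verifies the responses as a client would. The mapping of the FortiADC profile settings onto openssl options is an assumption made here: verifying with the CA chain is taken as -CAfile, verifying with a configured responder certificate as -VAfile, and "Issue Criteria Check" off as -no_cert_checks. All names, keys and certificates are constructed test data.

```sh
#!/bin/sh
# Added example, not FortiADC code: reproduce the OCSP verification failures
# from this troubleshooting section with the openssl CLI. Every certificate,
# request and response is generated here (constructed test data).
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT

# Issue a CA-signed certificate: issue_cert <file prefix> <CN> <serial> <extfile>
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$DEMO/$1.key" -out "$DEMO/$1.csr" 2>/dev/null
    openssl x509 -req -in "$DEMO/$1.csr" -CA "$DEMO/ca.pem" -CAkey "$DEMO/ca.key" \
        -set_serial "$3" -days 1 -extfile "$4" -out "$DEMO/$1.pem" >/dev/null 2>&1
}

# Answer a request with openssl's built-in responder, signed by the named
# delegated responder certificate: sign_response <signer prefix> <req> <resp> [options]
sign_response() {
    s=$1; req=$2; out=$3; shift 3
    openssl ocsp -index "$DEMO/index.txt" -CA "$DEMO/ca.pem" \
        -rsigner "$DEMO/$s.pem" -rkey "$DEMO/$s.key" \
        -reqin "$req" -respout "$out" "$@" >/dev/null 2>&1
}

# Verify a response the way a client does; prints "ok" or "fail: <reason>".
# -no_nonce only stops a new nonce being added to the loaded request; the
# nonce already in the request is still compared with the one in the response.
ocsp_verify() {
    resp=$1; req=$2; shift 2
    if openssl ocsp -respin "$resp" -reqin "$req" -no_nonce "$@" \
            >/dev/null 2>"$DEMO/err.log"; then
        echo ok
    else
        echo "fail: $(grep -E -o 'Nonce Verify error|missing ocspsigning usage|signature failure|signer certificate not found' "$DEMO/err.log" | head -n 1)"
    fi
}

# --- throw-away PKI ---------------------------------------------------------
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$DEMO/ca.ext"
printf 'keyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$DEMO/tls.ext"
printf 'keyUsage=critical,digitalSignature\nextendedKeyUsage=OCSPSigning\n' > "$DEMO/ocsp.ext"
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$DEMO/ca.key" -out "$DEMO/ca.csr" 2>/dev/null
openssl x509 -req -in "$DEMO/ca.csr" -signkey "$DEMO/ca.key" -set_serial 1 -days 1 \
    -extfile "$DEMO/ca.ext" -out "$DEMO/ca.pem" >/dev/null 2>&1
issue_cert leaf      leaf.example   0x1000 "$DEMO/tls.ext"   # the stapled server certificate
issue_cert responder ocsp-responder 2      "$DEMO/ocsp.ext"  # current responder certificate
issue_cert stale     ocsp-responder 3      "$DEMO/ocsp.ext"  # older responder certificate: same name, other key
issue_cert noeku     ocsp-responder 4      "$DEMO/tls.ext"   # responder cert without id-kp-OCSPSigning
# CA index consumed by the responder: leaf serial 0x1000 is valid ("V").
printf 'V\t991231235959Z\t\t1000\tunknown\t/CN=leaf.example\n' > "$DEMO/index.txt"

# Two requests for the leaf, each carrying its own random nonce.
openssl ocsp -issuer "$DEMO/ca.pem" -cert "$DEMO/leaf.pem" -reqout "$DEMO/req1.der" 2>/dev/null
openssl ocsp -issuer "$DEMO/ca.pem" -cert "$DEMO/leaf.pem" -reqout "$DEMO/req2.der" 2>/dev/null

sign_response responder "$DEMO/req1.der" "$DEMO/good.der"
sign_response noeku     "$DEMO/req1.der" "$DEMO/noeku.der"
sign_response responder "$DEMO/req1.der" "$DEMO/bare.der" -resp_no_certs  # signer cert not embedded

# --- the cases from the text (CA chain = -CAfile, responder cert = -VAfile) --
case_chain_ok()      { ocsp_verify "$DEMO/good.der"  "$DEMO/req1.der" -CAfile "$DEMO/ca.pem"; }
case_nonce()         { ocsp_verify "$DEMO/good.der"  "$DEMO/req2.der" -CAfile "$DEMO/ca.pem"; }
case_delegated()     { ocsp_verify "$DEMO/noeku.der" "$DEMO/req1.der" -CAfile "$DEMO/ca.pem"; }
case_delegated_off() { ocsp_verify "$DEMO/noeku.der" "$DEMO/req1.der" -CAfile "$DEMO/ca.pem" -no_cert_checks; }
case_issuer_bad()    { ocsp_verify "$DEMO/bare.der"  "$DEMO/req1.der" -VAfile "$DEMO/stale.pem"; }
case_issuer_ok()     { ocsp_verify "$DEMO/bare.der"  "$DEMO/req1.der" -VAfile "$DEMO/responder.pem"; }

for c in case_chain_ok case_nonce case_delegated case_delegated_off case_issuer_bad case_issuer_ok; do
    printf '%-18s %s\n' "$c" "$($c)"
done
```

Run it with sh; it needs only the openssl binary. case_delegated fails with the same "missing ocspsigning usage" reason that appears in the crlupdated output above, and case_delegated_off shows what skipping the delegated check accepts: the very same response, signed by a certificate that was never authorised for OCSP signing. case_nonce reproduces the nonce failure by verifying a response against a request other than the one it answered, and case_issuer_bad shows that a configured responder certificate is matched by name but then fails the signature check when it is not the key that signed the response; with the current responder certificate (case_issuer_ok) or the CA chain (case_chain_ok) the same responses verify.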