
Asking Help about the OCSP Configuration #197

Closed
darapenhchet opened this issue Sep 16, 2019 · 7 comments

Comments

@darapenhchet

Dear @petkivim ,

On Saturday it worked well, and right now I have the error "Security server has no valid authentication certificate". Do you have any tips to make it more stable?

[image attached]

[image attached]

Best Regards,
Dara Penhchet

@petkivim
Contributor

petkivim commented Sep 16, 2019

Hi @darapenhchet

Have you checked that the OCSP responder and Security Server host system clocks are in sync? If the clocks are not in sync it could cause the system to behave so that the authentication certificate is not valid all the time, because the OCSP response is not valid.

An OCSP response is considered invalid if:

  1. it is older than the time period defined by the ocspFreshnessSeconds (by default 60 minutes) - if the OCSP response was issued over 60 minutes ago (thisUpdate was over 60 minutes ago), it is considered invalid by the Security Server. It is possible to increase the ocspFreshnessSeconds value. Instructions.
  2. the nextUpdate value in the OCSP response is in the past. It is possible to disable the verification of the nextUpdate value on the Security Server. Instructions.

You should check your OCSP responder's configuration - how often new OCSP responses are published and for how long they're valid - and update the X-Road configuration accordingly. In case your OCSP responder is CRL based, the values depend on the CRL update interval.

Best regards,
Petteri

@darapenhchet
Author

Dear @petkivim ,
Thank you so much for your help. It works now and I will check the OCSP Responder's configuration.

Best Regards,
Dara Penhchet

@darapenhchet
Author

Dear @petkivim ,
I have checked the log already. It checks the OCSP every 20 minutes, and after that it says the OCSP response is too old. Do you have any ideas about this problem?

[image attached]

Best Regards,
Dara Penhchet

@petkivim
Contributor

petkivim commented Sep 18, 2019

Hi @darapenhchet

The problem is that the OCSP response returned by the OCSP responder is considered too old by the Security Server. As explained above, the OCSP response cannot be more than 60 minutes old. The thisUpdate field of the OCSP response contains the date/time when the response was issued. Based on the log, the OCSP response was issued at Wed Sep 18 03:29:19 ICT 2019. When the OCSP check runs at 2019-09-18 04:45:44:143, the difference between the execution date/time and the thisUpdate field value is over 60 minutes.

The problem can be fixed by increasing the value of the ocspFreshnessSeconds setting on the Central Server (instructions). However, to be able to set the value right, you must first check 1) how often new OCSP responses are issued and 2) for how long an OCSP response is valid. Then you must adjust the ocspFreshnessSeconds value accordingly.

Best regards,
Petteri
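
The two freshness rules from the comment above, run against the timestamps quoted from the log, as an added Python example that is not part of this issue or of X-Road's own code (the parsing helpers, the function names, the ICT = UTC+7 offset and the "issue interval plus fetch interval" sizing rule are my assumptions, not X-Road documentation):

```python
from datetime import datetime, timedelta, timezone

# Assumption: both log timestamps are in the same local zone, ICT (UTC+7).
ICT = timezone(timedelta(hours=7))


def parse_java_date(s, tz):
    """Parse a Java-style Date string such as 'Wed Sep 18 03:29:19 ICT 2019'.
    The zone token (5th field) is dropped and tz is attached instead."""
    parts = s.split()
    naive = datetime.strptime(" ".join(parts[:4] + parts[5:]), "%a %b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=tz)


def parse_signer_timestamp(s, tz):
    """Parse the signer log format '2019-09-18 04:45:44:143' (last field = milliseconds)."""
    base, millis = s.rsplit(":", 1)
    naive = datetime.strptime(base, "%Y-%m-%d %H:%M:%S")
    return naive.replace(microsecond=int(millis) * 1000, tzinfo=tz)


def check_ocsp_freshness(this_update, next_update, now,
                         freshness_seconds=3600, verify_next_update=True):
    """Apply the two rules in the thread: (1) thisUpdate may not be older than
    ocspFreshnessSeconds (default 60 min); (2) nextUpdate, if present and if
    verification is enabled, may not be in the past. Returns (valid, reason)."""
    age = now - this_update
    if age > timedelta(seconds=freshness_seconds):
        minutes = int(age.total_seconds() // 60)
        return False, f"too old: thisUpdate was {minutes} min ago (limit {freshness_seconds // 60} min)"
    if verify_next_update and next_update is not None and next_update < now:
        return False, f"nextUpdate {next_update.isoformat()} is in the past"
    return True, "fresh"


def required_freshness_seconds(issue_interval_seconds, fetch_interval_seconds=20 * 60):
    """Assumed sizing rule: a response fetched just before the responder issues a new one
    is used for up to one fetch cycle (20 min by default), so the freshness window must
    cover the issue interval plus the fetch interval. Clock skew is not included."""
    return issue_interval_seconds + fetch_interval_seconds


if __name__ == "__main__":
    # Constructed from the values quoted in the thread.
    issued = parse_java_date("Wed Sep 18 03:29:19 ICT 2019", ICT)
    checked = parse_signer_timestamp("2019-09-18 04:45:44:143", ICT)
    print(check_ocsp_freshness(issued, None, checked))                  # too old (76 min)
    print(check_ocsp_freshness(issued, None, checked, 2 * 3600))        # fresh
    print("min ocspFreshnessSeconds:", required_freshness_seconds(3600))
```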

@darapenhchet
Author

Dear @petkivim ,

Right now it works. Do you know when the OCSP-response refresh cycle started?

[image attached]

Best Regards,
Dara Penhchet

@petkivim
Contributor

Hi @darapenhchet

The very first line of the signer log shows that fetching OCSP responses failed for some reason. When fetching OCSP responses fails, the Security Server starts a recovery algorithm - it tries to fetch OCSP responses once a minute until the operation succeeds, and returns to the normal schedule after that (which is every 20 minutes by default). However, the root cause of your problem and how to fix it is explained in my previous comment.

Best regards,
Petteri

@darapenhchet
Author

Dear @petkivim ,

Thank you so much. I will try to check it.

Best Regards,
