kiri
Staff
Article Id 217337
Description

This article describes how to fix the OCSP response verify failure (check_ocsp_resp returns -1 0) that can occur when OCSP verification is enabled.

Scope

FortiGate v6.x, v7.x.
Solution

With strict OCSP checking enabled as configured below, this error causes the strict-ocsp-check to fail, which in turn causes the authentication to fail.

# config vpn certificate setting

#set ocsp-status enable
#set ocsp-option certificate
#set strict-ocsp-check enable

#end


The output below is an excerpt of the following debug:

#diag debug console timestamp enable
#diag debug app fnbamd -1
#diag debug enable

***

[2782] handle_req-Rcvd auth_cert req id=554231458, len=1048
[26] fnbamd_cert_load_certs_from_req-2 cert(s) in req.
[1208] fnbamd_build_cert_chain-2 cert(s) from request.
[189] fnbamd_chain_build-Chain discovery, opt 0x17, cur total 1
[205] fnbamd_chain_build-Following depth 0
[769] subject_issuer_name-S: 'CN = ocsp-test'
[770] subject_issuer_name-I: 'CN = sub.fortiauth.local.root'
[239] fnbamd_chain_build-Extend chain by peer-provided certs. (good: 'CA_Cert_1')
[205] fnbamd_chain_build-Following depth 1
[769] subject_issuer_name-S: 'CN = sub.fortiauth.local.root'
[770] subject_issuer_name-I: 'CN = fortiauth.local'
[232] fnbamd_chain_build-Extend chain by peer-provided certs. (no luck)
[260] fnbamd_chain_build-Extend chain by system trust store. (no luck)
[271] fnbamd_chain_build-Extend chain by remote CA cache. (no luck)
[800] __fnbamd_cert_verify-Following cert chain depth 0
[868] __fnbamd_cert_verify-Trusted CA found: CA_Cert_1
[800] __fnbamd_cert_verify-Following cert chain depth 1
[1741] cert_check_group_list-group list is null
[1885] fnbamd_auth_cert_check_status-res=0
[1855] fnbamd_cert_ocsp_init-Get OCSP setting from cert
[1826] get_cert_ocsp_responder-cert subject is CN = ocsp-test
[1830] get_cert_ocsp_responder-cert issuer subject is CN = sub.fortiauth.local.root
[356] fnbamd_ocsp_start-Created OCSP request
[189] ocsp_connect-Try url 1: host=fortiauth.local port=2560(http) path=/
[514] _fnbamd_ocsp_get_rsp-tcp connected
[545] _fnbamd_ocsp_get_rsp-Sent OCSP request
[1851] auth_cert_ocsp_result-ocsp result is 4, (0: http://fortiauth.local:2560/)
[559] _fnbamd_ocsp_get_rsp-recv returned: 1540
[1851] auth_cert_ocsp_result-ocsp result is 4, (0: http://fortiauth.local:2560/)
[559] _fnbamd_ocsp_get_rsp-recv returned: 0 <<<
[618] _fnbamd_ocsp_get_rsp-Received OCSP response
OCSP response verify failure <<<
[674] _fnbamd_ocsp_get_rsp-check_ocsp_resp returns -1 0 <<<
[1851] auth_cert_ocsp_result-ocsp result is 5, (0: http://fortiauth.local:2560/)
[1693] auth_cert_success-Matched user name '', matched group name ''
[181] fnbamd_comm_send_result-Sending result 1 (error 12, nid 672) for req 554231458 <<<
***

recv returned: 0 indicates that the certificate is good: it passed the check on the OCSP server, as the packet capture below confirms (certStatus: good).

Packet capture:

127 2022-07-01 12:43:34.191167 0.000062 2022-07-01 12:43:34.191167 fortiauth.local 64 1352 10.5.23.113 OCSP Response 00:78:65:6e:58:01 1418

responses: 1 item
SingleResponse
certID
certStatus: good (0)
thisUpdate: 2022-07-01 10:43:34 (UTC)
nextUpdate: 2022-07-01 10:48:34 (UTC)

But the client (the firewall) still returns an error and authentication fails: fnbamd_comm_send_result-Sending result 1.


This indicates that the issue is on the firewall, that is, on the OCSP client side, and it is very likely caused by a mismatching root CA in one of the following ways:

1) The root CA cert that issued ocsp-test is missing from the firewall.

Upload it to the firewall:

GUI -> System -> Certificates -> Create/Import CA cert -> File -> Upload (select the cert) -> OK

2) The root CA cert might exist on the firewall with a matching CN, but it is simply a different cert from the one that issued ocsp-test.

Get hold of the correct root CA cert and upload it to the firewall.

Compare the root CA certs by looking at the serial number (SN); a matching CN alone does not prove it is the same cert.

3) If there are multiple CA authorities in the organization, the client might be using a cert issued by another authority, different from the one expected by the OCSP server and OCSP client.

Make sure the correct client cert is used.
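The check behind points 2) and 3), as an added example that is not FortiOS or Fortinet code: a POSIX shell script that uses openssl to build two constructed root CAs with the same subject CN as in the debug output (fortiauth.local), issues a constructed ocsp-test client cert from only one of them, and shows that the subject line cannot tell the two CAs apart while the serial number and a chain verification can. It assumes openssl is on the PATH and that the file names (ca_correct, ca_wrong, client) are local to the demo.

```shell
#!/bin/sh
# Added example (not FortiOS code): two constructed root CAs share the
# subject CN "fortiauth.local" but have different keys; "ocsp-test" is
# issued by only one of them. A CN match alone says nothing about which
# CA the firewall needs; compare serial numbers and verify the chain
# against the candidate CA instead.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed root CA; $1 is the file prefix. Both CAs get the same subject.
mk_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=fortiauth.local" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}
mk_ca ca_correct   # the CA that really issued the client cert
mk_ca ca_wrong     # same CN, different key: the "mismatching root CA"

# Client cert "ocsp-test" (constructed), signed by ca_correct only
openssl req -newkey rsa:2048 -nodes -subj "/CN=ocsp-test" \
  -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA ca_correct.pem -CAkey ca_correct.key \
  -CAcreateserial -days 1 -out client.pem 2>/dev/null

# Fields to compare when two CA certs look alike in the certificate list
ca_subject() { openssl x509 -in "$1" -noout -subject; }
ca_serial()  { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }

# Exit status 0 only if the CA in $1 actually signed client.pem
verifies_against() { openssl verify -CAfile "$1" client.pem >/dev/null 2>&1; }

echo "subject ca_correct: $(ca_subject ca_correct.pem)"
echo "subject ca_wrong:   $(ca_subject ca_wrong.pem)"
echo "serial  ca_correct: $(ca_serial ca_correct.pem)"
echo "serial  ca_wrong:   $(ca_serial ca_wrong.pem)"
if verifies_against ca_correct.pem; then echo "ca_correct: chain OK"; fi
if verifies_against ca_wrong.pem; then echo "ca_wrong: chain OK"
else echo "ca_wrong: verify fails despite the matching CN"; fi
```

Run the same two openssl x509 commands against the CA cert exported from the firewall and against the CA that actually issued the client cert; identical subjects with different serials is exactly the case described in point 2).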
