FortiWeb
tnazarov
Staff
Article Id 340967
Description

This article describes how to troubleshoot OCSP issues in FortiWeb.

Scope

FortiWeb 7.0.0 and later.

Solution
  1. Check Web Server Configuration:

If OCSP stapling is enabled on FortiWeb but not on the web server (e.g., Apache, Nginx), the server might not be providing the stapled OCSP response. Ensure that the web server is configured to support OCSP stapling.

  • For Apache, check the ssl.conf file for the SSLUseStapling directive and ensure it is set to on.
  • For Nginx, confirm that the ssl_stapling directive is enabled in the server block of the configuration file.

 

  2. Use Diagnostic Commands:

Run a command such as 'openssl s_client -connect testsites.com:443 -status' against the web server to verify whether it returns a stapled OCSP response.

Look for 'OCSP Response Status: successful' in the output to confirm that the stapled response is correctly returned. If it is absent, investigate the web server configuration further.


  3. Ensure Proper Communication between FortiWeb and OCSP Responder:

FortiWeb must be able to communicate with the OCSP responder (the CA's server issuing the certificates). Check for firewall rules or network issues that may prevent this communication, as it could cause OCSP stapling to fail.

  4. Check Network Issues:

Investigate any network problems, DNS resolution issues, or firewalls that may block communication between FortiWeb and the OCSP responder.

  • DNS Resolution: Verify that FortiWeb is using a properly configured DNS server that can resolve the OCSP responder's hostname.
  • Network Firewall: Check that no network firewalls between FortiWeb and the OCSP responder block the required traffic.

  5. Verify Certificate Authority (CA) Setup:

Confirm that the CA issuing the certificate supports OCSP and answers promptly. OCSP stapling may fail if the CA's responder is down or slow to respond. Also ensure the certificate carries the OCSP responder URL in its AIA (Authority Information Access) extension.

  6. Review FortiWeb Event Logs:

Analyze FortiWeb event logs to identify any issues related to OCSP.
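The following script is an added example and is not part of this article or of FortiWeb itself; it scripts the checks from steps 2 and 5, classifying the stapling result in 'openssl s_client -status' output and printing the OCSP responder URL from a certificate's AIA extension. It assumes a POSIX shell with awk and an openssl binary on PATH, and the sample output embedded in it is constructed.

```shell
#!/bin/sh
# Added example (not from the Fortinet article). Assumes POSIX sh, awk and
# an `openssl` binary on PATH.
# Reads `openssl s_client -status` output on stdin and prints one of:
#   none              server sent no stapled response (stapling off)
#   stapled:<cert>    stapled; <cert> is the Cert Status (good/revoked/unknown)
#   stapled:<resp>    stapled, but the responder answered an error status
#   error             no OCSP section at all (connection/handshake failed)
stapling_status() {
    awk '
        /OCSP response: no response sent/ { none = 1 }
        /OCSP Response Status:/           { resp = $4 }   # e.g. successful
        /Cert Status:/                    { cert = $3 }   # e.g. good
        END {
            if (none)                      print "none"
            else if (resp == "successful") print "stapled:" (cert == "" ? "unknown" : cert)
            else if (resp != "")           print "stapled:" resp
            else                           print "error"
        }'
}

# Step 2 of the article: live check of a web server; SNI is sent so the
# server picks the right certificate. Usage: check_stapling host [port]
check_stapling() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -status \
        </dev/null 2>/dev/null | stapling_status
}

# Step 5 of the article: print the OCSP responder URL(s) from the AIA
# extension of a PEM certificate read on stdin.
ocsp_responder_uri() {
    openssl x509 -noout -ocsp_uri
}

# Constructed excerpts of s_client output so the parser runs offline.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
======================================'
SAMPLE_NONE='OCSP response: no response sent'
if [ $# -gt 0 ]; then
    check_stapling "$@"
else
    printf 'sample stapled -> %s\n' "$(printf '%s\n' "$SAMPLE_STAPLED" | stapling_status)"
    printf 'sample none    -> %s\n' "$(printf '%s\n' "$SAMPLE_NONE" | stapling_status)"
fi
```

Run it with a hostname (and optional port) to test a live server, or pipe a PEM certificate into ocsp_responder_uri to see which responder FortiWeb must be able to reach.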

Related document:

Configuring OCSP stapling