This article describes how to troubleshoot OCSP issues in FortiWeb.
Scope
FortiWeb v7.0.0 and later.
Solution
Check Web Server Configuration: If OCSP stapling is enabled on FortiWeb but not on the web server (for example Apache, Nginx), the server might not be providing the stapled OCSP response. Ensure that the web server is configured to support OCSP stapling:
For Apache, verify the configuration by checking the ssl.conf file for SSLUseStapling and ensure it is set to on.
For Nginx, confirm that the ssl_stapling directive is enabled in the server block configuration file.
Use Diagnostic Commands: Commands such as 'openssl s_client -connect testsites.com:443 -status' can be used to verify if the server is returning a stapled OCSP response.
This command checks whether the server is returning a stapled OCSP response. Look for the OCSP Response Status: successful in the output to confirm that the response is correctly returned. If not, further investigate the server configuration.
Ensure Proper Communication between FortiWeb and OCSP Responder: FortiWeb must be able to communicate with the OCSP responder (the CA's server issuing the certificates). Check for firewall rules or network issues that may prevent this communication, as it could cause OCSP stapling to fail.
Check Network Issues: Investigate any network problems, DNS resolution issues, or firewalls that may block communication between FortiWeb and the OCSP responder.
DNS Resolution: Verify that FortiWeb is using a properly configured DNS server that can resolve the OCSP responder's hostname.
Network Firewall: Check that no network firewalls between FortiWeb and the OCSP responder block the required traffic.
Verify Certificate Authority (CA) Setup:
Confirm that the CA issuing the certificate supports OCSP and provides reliable and timely responses. Use the CA's management tools or contact their support team to ensure the OCSP responder is functioning correctly.
Ensure the certificate has the correct OCSP URLs included in the AIA (Authority Information Access) field. If the CA’s OCSP responder is down or experiencing delays, it may cause issues with OCSP stapling on FortiWeb.
Review FortiWeb Event Logs: Analyze FortiWeb event logs to identify any issues related to OCSP.
Check FortiWeb Firmware and Configuration Settings:
Verify that FortiWeb is running the latest firmware version compatible with the deployment. Firmware updates often include fixes or enhancements related to OCSP stapling and certificate handling.
Review the FortiWeb configuration settings for SSL/TLS profiles to ensure that OCSP stapling is enabled and configured correctly.
Monitor the availability and responsiveness of the CA’s OCSP responder:
If the responder becomes unavailable, OCSP stapling on FortiWeb will fail, potentially causing security warnings.
Use monitoring tools such as UptimeRobot or Nagios to track OCSP URLs and generate alerts in case of downtime.
