OCSP responder url configured on NetScaler not resolving correctly

Article ID: CTX218959

Description

When an OCSP responder is configured with a URL as input, the responder stops working if the IP address that DNS returns for that URL changes.

Resolution

  • Add the name server that resolves the domain name http://ocsp.server.com
  • Add an lb vserver of type TCP on port 80 (or any other port on which the OCSP responder is listening), e.g. add lb vserver v1 tcp <vip> 80
  • Add a service with that domain name and bind it to the vserver
  • Add the OCSP responder with the full URL, but with the IP of the lb vserver in place of the hostname, e.g. add ocsp responder ocsp1 -url http://<vip>/ocsp
  • Bind the OCSP responder to the CA certificate.
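The complete command sequence for the workaround above, as an added example that is not part of the original article. The two commands the article quotes are kept as given; the rest is standard NetScaler CLI syntax as I know it, and every name and address (192.0.2.53 for the name server, 192.0.2.10 for the VIP, the object names ocsp_srv, ocsp_svc, v1, ocsp1 and the certificate key name ca_cert) is a constructed placeholder to be replaced with the values from your own deployment. The domain-based server object is what makes the service follow DNS: NetScaler re-resolves a server added by domain name, whereas the OCSP responder entry itself resolves only once.

```text
# Name server able to resolve ocsp.server.com (placeholder address)
add dns nameServer 192.0.2.53

# Back-end server defined by domain name, not IP, so NetScaler keeps re-resolving it
add server ocsp_srv ocsp.server.com

# TCP service on the port the OCSP responder listens on (80 here)
add service ocsp_svc ocsp_srv TCP 80

# Internal load-balancing vserver with a fixed VIP (placeholder address)
add lb vserver v1 tcp 192.0.2.10 80
bind lb vserver v1 ocsp_svc

# OCSP responder pointed at the fixed VIP instead of the hostname
add ocsp responder ocsp1 -url http://192.0.2.10/ocsp

# Attach the responder to the CA certificate key (placeholder name ca_cert)
bind ssl certKey ca_cert -ocspResponder ocsp1 -priority 1
```

After applying this, check that "show service ocsp_svc" reports the service as UP and that "show ocsp responder ocsp1" shows the VIP in the URL; the VIP never changes, so a DNS change for ocsp.server.com now only affects the service behind v1, which NetScaler re-resolves on its own.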

Problem Cause

When an OCSP responder URL is configured on NetScaler, the URL is resolved once and the resolved IP address is used for all subsequent operations. When DNS later returns a different IP for that URL, NetScaler does not update its entry, because it neither polls nor monitors the URL or the IP.