Cisco Bug: CSCvs45299 - CMX Slow Certificate Install - OCSP Timeout

Last Modified

Sep 10, 2020

Products (1)

  • Cisco Mobility Services Engine

Known Affected Releases

10.6(2)

Description (partial)

Symptom:
Installing a server certificate that contains OCSP URI(s) on CMX can result in a lengthy install, taking roughly 30 minutes.
Two OCSP requests are performed, and each can take roughly 15 minutes before an "Error querying OCSP responder" error is thrown and the install script continues.



[root@cmx-test cmxadmin]# cmxctl config certs importservercert server-key.pem
 
Importing Server certificate.....
 
Successfully transferred the file
Would you like to override the current Server Certificate(y/n): y
Enter Export Password:
Verifying - Enter Export Password:
Enter Import Password:
Private key present in the file: /home/cmxadmin/server-key.pem
Enter Import Password:
 
Found CRL URI(s)
 
CRL successfully downloaded from <removed>
This is new CRL. Adding to the CRL collection.
FIPS mode is disabled. Skipping Check for subjectAltName(SAN).
Error querying OCSP responder     <--------------- output after 15 min wait
ERROR: Unable to connect to OCSP Server. Ignoring OCSP check...
CMX Certificate validation against CRL is successful.
INFO: 2 issuers in CRL matched the issuers in the CA chain. (No certificate is revoked.)
Error querying OCSP responder     <--------------- output after 15 min wait
Import Server Certificate successful
Restart CMX services for the changes to take effect.
Server certificate imported successfully.
 
To apply these certificate changes, CMX System will require a reboot now.
Please press Enter to continue.

Conditions:
CMX 10.6.2-57
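
A pre-flight check for the symptom above, as an added example that is not Cisco's code and not a workaround taken from the bug record: it probes each OCSP responder URI with a short, bounded TCP connect, so an unreachable responder is known before the import starts. The function names and the sample URI are assumptions; the URIs are assumed to come from `openssl x509 -noout -ocsp_uri -in <certificate>`.

```python
"""Pre-flight reachability check for OCSP responder URIs (added example)."""
import socket
import sys
import time
from urllib.parse import urlsplit


def ocsp_endpoint(uri):
    """Return (host, port) for an http(s) OCSP URI, or None if unusable."""
    try:
        parts = urlsplit(uri.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname, port or (443 if parts.scheme == "https" else 80)


def probe(uri, timeout=5.0):
    """TCP-connect to the responder; the connect is bounded by `timeout` seconds.
    Name resolution is done by the OS resolver and is not covered by it."""
    endpoint = ocsp_endpoint(uri)
    if endpoint is None:
        return {"uri": uri, "reachable": False, "detail": "not an http(s) URI"}
    start = time.monotonic()
    try:
        with socket.create_connection(endpoint, timeout=timeout):
            reachable, detail = True, "connected"
    except OSError as exc:  # refused, timed out, unroutable, DNS failure
        reachable, detail = False, f"{type(exc).__name__}: {exc}"
    return {"uri": uri, "reachable": reachable, "detail": detail,
            "seconds": round(time.monotonic() - start, 2)}


def preflight(uri_lines, timeout=5.0):
    """Probe every non-empty line; return (all_reachable, results)."""
    results = [probe(u, timeout) for u in uri_lines if u.strip()]
    return all(r["reachable"] for r in results), results


if __name__ == "__main__":
    # Constructed sample: port 9 on loopback, normally closed. Replace with the
    # URIs printed by `openssl x509 -noout -ocsp_uri -in <certificate>`.
    uris = sys.argv[1:] or ["http://127.0.0.1:9/ocsp"]
    ok, results = preflight(uris)
    for r in results:
        print(f"{'OK  ' if r['reachable'] else 'FAIL'} {r['uri']} ({r['detail']})")
    sys.exit(0 if ok else 1)
```

A non-zero exit status means at least one responder could not be reached from the host where the script ran, which is the condition that precedes the "Unable to connect to OCSP Server" lines in the transcript.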