Posted to issues@trafficserver.apache.org by "bneradt (via GitHub)" <gi...@apache.org> on 2023/06/09 20:09:37 UTC

[GitHub] [trafficserver] bneradt opened a new issue, #9819: 10.0.x: OCSP errors on startup

bneradt opened a new issue, #9819:
URL: https://github.com/apache/trafficserver/issues/9819

   @maskit converted the mechanism for OCSP fetch from OpenSSL's implementation to using FetchSM via #9591. This is a necessary and valuable change to give us flexibility with our SSL library options. However, when testing ATS 10 internally at Yahoo, I noticed the following OCSP ERROR messages on process start:
   
   ```
   [Jun  9 19:12:30.086] [ET_OCSP 0] ERROR: Failed to refresh OCSP for <path> certificate. url=http://ocsp.digicert.com
   [Jun  9 19:12:30.087] [ET_OCSP 0] ERROR: failed to get a response from OCSP server; uri=http://ocsp.digicert.com
   [Jun  9 19:12:30.087] [ET_OCSP 0] ERROR: stapling_refresh_response: failed to refresh OCSP response
   ```
   
   These error messages are alarming. Talking with @maskit, however, he points out that these failures are due to FetchSM not being initialized in the early process startup phase that's trying to use it. Later on, after the ATS process is finished, the fetch works fine. So OCSP works fine, just not during process start.
   
   We should consider whether we can silence these messages on process initialization or, potentially, perform the fetch later when FetchSM is fully initialized.


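For operators who want to check whether the ET_OCSP errors on their own hosts are confined to startup, as this issue describes, the following is an added example (not part of the original issue or of the Traffic Server code base). It parses the log format quoted above and separates errors inside a startup window from later ones. The process start time, the 60-second window and the last sample line are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the first three lines are the errors quoted in the issue;
# the last line is a constructed later failure that exercises the "persistent" path.
SAMPLE = """\
   [Jun  9 19:12:30.086] [ET_OCSP 0] ERROR: Failed to refresh OCSP for <path> certificate. url=http://ocsp.digicert.com
   [Jun  9 19:12:30.087] [ET_OCSP 0] ERROR: failed to get a response from OCSP server; uri=http://ocsp.digicert.com
   [Jun  9 19:12:30.087] [ET_OCSP 0] ERROR: stapling_refresh_response: failed to refresh OCSP response
   [Jun  9 20:12:31.500] [ET_OCSP 0] ERROR: failed to get a response from OCSP server; uri=http://ocsp.example.test
"""

LINE = re.compile(r"^\[(\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d{3})\] \[ET_OCSP \d+\] ERROR: (.*)$")
RESPONDER = re.compile(r"\bur[il]=(\S+)")  # the quoted log lines use both url= and uri=


def parse_ts(text):
    """Parse 'Jun  9 19:12:30.086'; the log carries no year, so 1900 is implied."""
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S.%f")


def ocsp_errors(log_text):
    """Yield (timestamp, message) for every ERROR line logged by an ET_OCSP thread."""
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield parse_ts(m.group(1)), m.group(2)


def triage(log_text, process_start, window_s=60):
    """Split OCSP errors into (startup, persistent).

    process_start and window_s are assumptions supplied by the operator, for
    example from the service manager. Errors outside the window are the ones
    that indicate stapling is still failing after initialization.
    """
    start = parse_ts(process_start)
    cutoff = start + timedelta(seconds=window_s)
    startup, persistent = [], []
    for ts, msg in ocsp_errors(log_text):
        (startup if start <= ts <= cutoff else persistent).append((ts, msg))
    return startup, persistent


def responders(entries):
    """Return the sorted set of OCSP responder URLs named in the given entries."""
    return sorted({u for _, msg in entries for u in RESPONDER.findall(msg)})


if __name__ == "__main__":
    startup, persistent = triage(SAMPLE, "Jun  9 19:12:29.000")
    print(len(startup), "startup-only;", len(persistent), "later:", responders(persistent))
```
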