
Job Failure "The OCSP response status was UNAUTHORIZED" Observed in System Setup or Fault Received via Email (KBA8278)

 


KBA# 8278

 

Issue

When enabling the Central Management or Data Control Tower Connector in System Setup, or during normal operation after the Connector has been installed, the following job failure may be encountered.

This will only be encountered if the Delphix Engine is able to communicate with ocsp.godaddy.com.

Example 1:


Enable the Central Management Connector.

The OCSP response status was UNAUTHORIZED.

exception.cloud.certificate.validation.failed.o_c_s_p.response.bad.status

Wait and try again. If the problem persists contact customer support.
 

Example 2:


Enable the Data Control Tower Connector.

The OCSP response status was UNAUTHORIZED.

exception.cloud.certificate.validation.failed.o_c_s_p.response.bad.status

Wait and try again. If the problem persists contact customer support.


This message may be encountered for any Engine versions 5.3.5.0 - 6.0.10.1 that have not had an active Connector (Agent) installation, or have not received recent Agent updates.

Delphix Data Control Tower has recently transitioned from GoDaddy to DigiCert for OCSP validation. The error occurs because the default Engine behavior in these versions is hard-coded to still validate the Connector (Agent) software signature with GoDaddy. If those Engines are able to resolve and communicate with ocsp.godaddy.com, the signature check now returns an UNAUTHORIZED status, as that service is no longer available.

Applicable Delphix Versions

Major Release    All Sub Releases
6.0              6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0, 6.0.2.1, 6.0.3.0, 6.0.3.1, 6.0.4.0, 6.0.4.1, 6.0.4.2, 6.0.5.0, 6.0.6.0, 6.0.6.1, 6.0.7.0, 6.0.8.0, 6.0.8.1, 6.0.9.0, 6.0.10.0, 6.0.10.1
5.3              5.3.5.0, 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0

Resolution 

There are several options available for resolution, depending on the Engine version and network configuration.

Engine Versions 6.0.4.0 - 6.0.10.1 - Firewall Restriction

This event will be encountered if the Engine is able to successfully connect with ocsp.godaddy.com. Therefore, if firewall access previously documented for the GoDaddy FQDN or IP addresses is revoked, the Engine logic will fall back to OCSP validation via api.delphix.com.

Engine versions in this range can work around this issue by simply revoking this firewall access, and the Engine will automatically fall back on the next update cycle (occurs every 12 hours).

Engine Versions 6.0.5.0 - 6.0.10.1 - Disable Name Resolution for ocsp.godaddy.com

Introduced in 6.0.5.0, the sysadmin CLI now offers the ability to create manual entries to override the Engine name resolution. By leveraging this feature, an unresolvable hostname-to-IP-address entry for ocsp.godaddy.com may be created, which will cause the Engine fallback logic discussed in the previous section to be used automatically. This option may be preferable for those customers with infrastructure challenges, as some firewall changes can take days or weeks to be implemented.

This workaround will also require that the Engine Agent configuration is set to direct access; use of an HTTP proxy may negate the local hostname resolution changes as the HTTP proxy server will perform its own hostname lookup.

> /service host address; create; set hostname=ocsp.godaddy.com; set addresses=0.0.0.0; commit
> /service cloud; enable; set proxyMode=NO_PROXY; commit

This feature is also discussed in KBA8150.

All Other Instances

If the aforementioned workarounds are not available due to network configuration, or if the Delphix Engine version is < 6.0.5.0, and you wish to onboard an Engine in Data Control Tower, please contact Delphix Support, who can resolve this issue.

This behavior is ultimately resolved in Delphix 6.0.11.0.

 

 

