1. First, verify connectivity to OCSP responder from Azure’s network:
# Create a test VM in the same subnet as your App Gateway
# (newer CLI versions no longer accept the UbuntuLTS image alias; use --image Ubuntu2204 there)
az vm create \
  --resource-group MyResourceGroup \
  --name TestVM \
  --image UbuntuLTS \
  --vnet-name MyVNet \
  --subnet MySubnet \
  --admin-username azureuser

# SSH into the VM and test the OCSP responder from inside the VNet
# (-text prints the decoded request and response, so a good/revoked/unknown answer is visible)
openssl ocsp -issuer intermediate.crt -cert client.crt -url http://ocsp.yourca.com -text
2. Check current SSL policy settings:
az network application-gateway ssl-policy show \
  --resource-group MyResourceGroup \
  --gateway-name MyAppGateway
3. Disable OCSP stapling (workaround):
# Check 'az network application-gateway ssl-policy set --help' before running this as written:
# the subcommand has no --no-ocsp-stapling parameter, and --name is the name of a
# *predefined* policy (used with --policy-type Predefined), not a label for a custom one.
az network application-gateway ssl-policy set \
  --resource-group MyResourceGroup \
  --gateway-name MyAppGateway \
  --name AppGwSslPolicy \
  --disabled-ssl-protocols TLSv1_0 TLSv1_1 \
  --policy-type Custom \
  --cipher-suites 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384' 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256' \
  --min-protocol-version TLSv1_2 \
  --no-ocsp-stapling
4. Enable verbose logging for troubleshooting:
5. If needed, force CRL-based revocation instead:
# Check 'az network application-gateway http-settings update --help' first:
# --ssl-cert and --crl-enabled are not documented parameters of this subcommand.
az network application-gateway http-settings update \
  --resource-group MyResourceGroup \
  --gateway-name MyAppGateway \
  --name myhttpsettings \
  --ssl-cert <cert-name> \
  --crl-enabled true
6. To check SSL handshake failures:
# Prints the gateway's WAF configuration block
az network application-gateway waf-config show \
  --resource-group MyResourceGroup \
  --gateway-name MyAppGateway
For the permanent fix, I recommend opening a support ticket with these details:
# Parameter names follow the 'support' command group; confirm with 'az support tickets create --help'
# (newer CLI versions expose the same command as 'az support in-subscription tickets create').
# Values in <angle brackets> are placeholders to fill in: --ticket-name, --contact-country,
# --contact-language, --contact-timezone and --contact-method are required by the command,
# and the phone parameter is --contact-phone-number. There is no --subtype parameter;
# the ticket type is derived from --problem-classification.
az support tickets create \
  --ticket-name <ticket-name> \
  --title "OCSP Validation Failure in App Gateway" \
  --description "OCSP works externally but fails in App Gateway" \
  --severity minimal \
  --contact-email "rajeev@example.com" \
  --contact-phone-number "1234567890" \
  --contact-first-name "Rajeev" \
  --contact-last-name "G" \
  --contact-method email \
  --contact-country <country-code> \
  --contact-language <language-code> \
  --contact-timezone <timezone> \
  --problem-classification "/providers/Microsoft.Support/services/{serviceGUID}/problemClassifications/{problemClassificationGUID}"
RGDS,
Alex
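The step-1 check above only tells you whether the responder answers from Azure's network; it helps to know beforehand what a healthy exchange looks like, and how "revoked" and "responder unreachable" differ in the client output. The script below is an added example, not code from the thread above: it builds a throwaway CA, issues a client certificate, runs a local OpenSSL OCSP responder on loopback, and runs the same `openssl ocsp` client command before and after revoking the certificate. It assumes the `openssl` CLI is installed and that port 18888 on 127.0.0.1 is free; the CA, subject names and port are constructed for the example, and in the real deployment `ca.crt` corresponds to `intermediate.crt` and the URL to the CA's published responder.

```bash
#!/usr/bin/env bash
# Added example (not from the original thread): a throwaway CA plus a local OpenSSL
# OCSP responder, so the step-1 'openssl ocsp' check can be exercised offline and the
# good/revoked/unknown answers compared. Assumes the openssl CLI and a free loopback port.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
OCSP_PORT=18888   # assumption: unused on this host

# Minimal CA config. 'openssl ca' tracks issued/revoked certs in index.txt and the
# responder answers from that same file, so a revocation shows up on the next query.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca      = test_ca

[ test_ca ]
dir             = .
database        = $dir/index.txt
new_certs_dir   = $dir
serial          = $dir/serial
default_md      = sha256
default_days    = 30
policy          = any_policy
x509_extensions = leaf_ext

[ any_policy ]
commonName      = supplied

[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no

[ dn ]
CN = placeholder

[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign,digitalSignature

[ leaf_ext ]
basicConstraints    = CA:FALSE
keyUsage            = digitalSignature
extendedKeyUsage    = clientAuth
authorityInfoAccess = OCSP;URI:http://127.0.0.1:18888
EOF

setup_pki() {
    touch index.txt
    echo 01 > serial
    # Issuing CA (stands in for intermediate.crt in the real deployment)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -days 30 -subj "/CN=Test Issuing CA" -config ca.cnf 2>/dev/null
    # Client certificate whose AIA extension points at the local responder
    openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
        -subj "/CN=test-client" -config ca.cnf 2>/dev/null
    openssl ca -batch -notext -config ca.cnf -cert ca.crt -keyfile ca.key \
        -in client.csr -out client.crt 2>/dev/null
}

# Run the step-1 client check against a responder serving one answer from index.txt.
# Prints good, revoked or unknown; 'unknown' also covers an unreachable responder,
# which is the symptom under diagnosis (a network problem, not a certificate problem).
ocsp_status() {
    local cert="$1" out="" pid status
    openssl ocsp -index index.txt -port "$OCSP_PORT" -CA ca.crt \
        -rsigner ca.crt -rkey ca.key -nrequest 1 >responder.log 2>&1 &
    pid=$!
    for _ in 1 2 3 4 5; do
        # -CAfile lets the client verify the responder's signature, not just read the status
        out="$(openssl ocsp -issuer ca.crt -cert "$cert" -CAfile ca.crt \
                 -url "http://127.0.0.1:${OCSP_PORT}" 2>/dev/null || true)"
        [ -n "$out" ] && break
        sleep 1   # responder may still be starting
    done
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    status="$(printf '%s\n' "$out" | awk -v f="$cert:" '$1 == f {print $2}')"
    echo "${status:-unknown}"
}

revoke_cert() {
    # Marks the certificate 'R' in index.txt; no CRL has to be published for OCSP to see it
    openssl ca -config ca.cnf -cert ca.crt -keyfile ca.key -revoke "$1" 2>/dev/null
}

setup_pki
STATUS_BEFORE="$(ocsp_status client.crt)"
revoke_cert client.crt
STATUS_AFTER="$(ocsp_status client.crt)"
echo "before revocation: $STATUS_BEFORE, after revocation: $STATUS_AFTER"
```

Against the real responder, swap `ca.crt` for `intermediate.crt` and the loopback URL for the CA's OCSP URL from the certificate's AIA extension; a `good` here but `unknown` from the test VM in step 1 points at egress filtering or DNS from the gateway's subnet rather than at the certificate chain.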