Troubleshooting OCSP (DNS?) configuration
Now I have 11.6.0
Now I have a certificate without SHA-1 (to avoid the Google Chrome degrade next month about certificates that expire after 2016/01/01 using SHA-1 signature).
I would like to set up OCSP Stapling.
Create a DNS resolver, tell it to forward for zone "." (?!) in route domain 0.
Add DNS resolver and certificate authority certificate to OCSP stapling.
Add the OCSP stapling to SSL profile at the same time as the certificate.
Apply the new SSL profile to the relevant virtual server.
Use "openssl s_client -tls1 -tlsextdebug -status -connect www.example.com:443"
It says "no OCSP response".
Check logs via web interface, nothing obviously wrong.
I presume either the DNS resolver in route domain 0 is not working, or the Trusted Certificate Authority in the OCSP object is the wrong kind of thing?!
Or I've messed up setting the SSL profile, as the relationship between "chain" and "OCSP Profile" seems a little odd to my way of thinking, then again unless I add the "chain" and the OCSP profile at the same time the UI complains it already exists.
What steps should I take to confirm which of these is affected (we've not needed DNS before on F5s)? I'm not sure I really want F5 caching DNS either, but shouldn't matter.
Worked examples of setting up OCSP appreciated.
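
An added example, not part of the original post: a client-side check that separates "the server sent no staple" from "the responder or certificate is the problem", using the same `openssl s_client -status` test as above. The function names and sample outputs are constructed for illustration. It runs from a workstation, so it shows which responder hostname the BIG-IP's DNS resolver has to resolve but does not test that resolver itself.

```shell
#!/bin/sh
# Added example: separate "no staple" from "responder/cert problem".
# Sample outputs below are constructed, not captured from a real device.
SAMPLE_NONE='OCSP response: no response sent'
SAMPLE_GOOD='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good'
SAMPLE_REVOKED='OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked'

# Classify the text printed by `openssl s_client -status`.
classify_staple() {
    case "$1" in
        *'OCSP response: no response sent'*) echo not-stapled ;;
        *'OCSP Response Status: successful'*'Cert Status: good'*) echo stapled-good ;;
        *'OCSP Response Status: successful'*) echo stapled-not-good ;;
        *'OCSP Response Status:'*) echo responder-error ;;
        *) echo no-status-output ;;
    esac
}

# Hostname the resolver must be able to look up, taken from the responder URI.
ocsp_host() {
    h=${1#*://}; h=${h%%/*}; h=${h%%:*}
    printf '%s\n' "$h"
}

# Live check: check_site HOST SERVER_CERT.pem ISSUER_CERT.pem
check_site() {
    uri=$(openssl x509 -noout -ocsp_uri -in "$2") || return 1
    [ -n "$uri" ] || { echo "certificate carries no OCSP URI"; return 1; }
    echo "responder host to resolve: $(ocsp_host "$uri")"
    # Ask the responder directly, bypassing stapling (issuer = the CA that signed the cert).
    openssl ocsp -issuer "$3" -cert "$2" -url "$uri" -noverify -resp_text |
        grep -E 'OCSP Response Status|Cert Status'
    out=$(openssl s_client -connect "$1:443" -servername "$1" -status </dev/null 2>/dev/null)
    echo "stapling: $(classify_staple "$out")"
}

if [ "$#" -eq 3 ]; then check_site "$@"; fi
```

If the direct responder query succeeds but the result is still `not-stapled`, the certificate and responder are fine and the remaining suspects are the device's resolver and the OCSP/SSL profile configuration.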