stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity
Files
bf20ffe3d237d6628cf4c23357924f502146bd18
git.stella-ops.org/docs/doctor/articles/timestamping/ocsp-responder.md
master c58a236d70 Doctor plugin checks: implement health check classes and documentation 
Implement remediation-aware health checks across all Doctor plugin modules
(Agent, Attestor, Auth, BinaryAnalysis, Compliance, Crypto, Environment,
EvidenceLocker, Notify, Observability, Operations, Policy, Postgres, Release,
Scanner, Storage, Vex) and their backing library counterparts (AI, Attestation,
Authority, Core, Cryptography, Database, Docker, Integration, Notify,
Observability, Security, ServiceGraph, Sources, Verification).

Each check now emits structured remediation metadata (severity, category,
runbook links, and fix suggestions) consumed by the Doctor dashboard
remediation panel.

Also adds:
- docs/doctor/articles/ knowledge base for check explanations
- Advisory AI search seed and allowlist updates for doctor content
- Sprint plan for doctor checks documentation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 12:28:00 +02:00

1.7 KiB
Raw Blame History

checkId, plugin, severity, tags
checkId plugin severity tags
check.timestamp.ocsp.responder stellaops.doctor.timestamping warn
timestamping
ocsp
responder
revocation

OCSP Responder Availability

What It Checks

Checks that configured OCSP responders are accessible. The check:

  • Gets configured OCSP responders from the registry.
  • Sends an OPTIONS request to each responder with a 10-second timeout.
  • Considers 2xx and 405 (Method Not Allowed) responses as healthy.
  • Fails if all responders are unavailable. Warns if some are unavailable.
  • Reports degraded if no responders are configured.

Why It Matters

OCSP responders provide real-time certificate revocation status. If OCSP responders are unavailable, the system cannot verify whether TSA certificates have been revoked, potentially accepting timestamps from compromised certificates.

Common Causes

  • OCSP responder server is down
  • Network connectivity issues
  • Firewall blocking HTTP/HTTPS to OCSP URLs
  • OCSP responder URL changed by the CA

How to Fix

Docker Compose

# Test OCSP responder connectivity
docker exec <platform-container> curl -v http://ocsp.digicert.com

Bare Metal / systemd

# Test OCSP responder
openssl ocsp -issuer /path/to/issuer.pem -cert /path/to/cert.pem \
  -url http://ocsp.digicert.com -resp_text

Kubernetes / Helm

Ensure egress NetworkPolicies allow traffic to OCSP responder URLs.

Verification

stella doctor run --check check.timestamp.ocsp.responder

Related Checks

  • check.timestamp.ocsp.stapling — checks OCSP stapling configuration
  • check.timestamp.revocation.cache-fresh — checks revocation cache freshness
  • check.timestamp.crl.distribution — checks CRL distribution point availability