Type: Bug
Resolution: Fixed
Priority: Major - P3
Affects Version/s: None
Component/s: None
Evergreen tasks are consistently logging OCSP responder errors when contacting Amazon KMS servers:
[2020/06/05 23:32:36.479] 2020/06/05 23:32:36.0390: [71201]: DEBUG: mongoc: Could not perform an OCSP request for url 'http://ocsp.sca1b.amazontrust.com'. Error: error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error
[2020/06/05 23:32:36.479] 2020/06/05 23:32:36.0390: [71201]: DEBUG: mongoc: Soft-fail: No OCSP responder could be reached
These are soft failures, so they do not fail the tests. But these OCSP requests should succeed. I can manually make an OCSP request with OpenSSL commands. The certificates and instructions are attached in kms-ocsp-cli.zip for convenience.
These logs have been showing up for a while. They go back at least as far as CDRIVER-3668:
https://evergreen.mongodb.com/task/mongo_c_driver_gcc48rhel_test_latest_server_noauth_sasl_openssl_cse_733322e98fdad8d4cf5fa2ce2f256d8e014ce51e_20_06_05_17_49_51
I can reproduce this locally by running the client side encryption tests when building against OpenSSL.
> ./cmake-build/src/libmongoc/test-libmongoc --no-fork -d -l /client_side_encryption/distinct
...
Begin /client_side_encryption/distinct, seed 1569892307
 - distinct with deterministic encryption
2020/07/06 10:39:15.0057: [55294]: DEBUG: mongoc: Could not send OCSP request for url 'http://ocsp.sca1b.amazontrust.com'. Error: error:27076072:OCSP routines:parse_http_line1:server response error
2020/07/06 10:39:15.0057: [55294]: DEBUG: mongoc: Soft-fail: No OCSP responder could be reached
 - Distinct fails when filtering on a random encrypted field
{ "status": "pass", "test_file": "/client_side_encryption/distinct", "seed": "1569892307", "start": 608.732156, "end": 609.732042, "elapsed": 0.999886 }
I suspected CDRIVER-3668 caused a regression, but checking out prior commits shows the same behavior.
Capturing the OCSP requests with Wireshark shows that the requests do not include the "Host" HTTP header. Amazon servers appear to reject requests without the Host header.
Sidenote: The "Host" header was required in the HTTP requests to link-local addresses for AWS auth, hence this comment.
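For reference, the following is an added example (not libmongoc code and not part of this ticket) of what a well-formed HTTP/1.1 POST for a DER-encoded OCSP request looks like, built from a responder URL such as the one in the logs above. The point it illustrates is the missing "Host" header: HTTP/1.1 (RFC 7230, section 5.4) requires it, and a server is entitled to reject a request that omits it. The helper names (parse_ocsp_url, build_ocsp_http_request, has_host_header) are hypothetical and exist only for this example; the DER body length and the example URLs in the tests are constructed inputs.

```c
/* Added example: building an OCSP-over-HTTP request that carries a Host header.
 * Not libmongoc code; helper names are hypothetical and exist only here. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char host[256];
    int port;
    char path[256];
} ocsp_url_t;

/* Parse "http://host[:port][/path]" into host, port and path.
 * Only plain http is accepted, as OCSP responders are normally reached over it.
 * Returns 0 on success, -1 on malformed input. */
static int parse_ocsp_url(const char *url, ocsp_url_t *out)
{
    const char *prefix = "http://";
    size_t plen = strlen(prefix);
    if (strncmp(url, prefix, plen) != 0) return -1;
    const char *p = url + plen;
    const char *slash = strchr(p, '/');
    size_t alen = slash ? (size_t)(slash - p) : strlen(p);
    char authority[256];
    if (alen == 0 || alen >= sizeof authority) return -1;
    memcpy(authority, p, alen);
    authority[alen] = '\0';
    out->port = 80;
    char *colon = strchr(authority, ':');
    if (colon) {
        *colon = '\0';
        out->port = atoi(colon + 1);
        if (out->port <= 0 || out->port > 65535) return -1;
    }
    if (authority[0] == '\0') return -1;
    strcpy(out->host, authority);
    if (!slash) {
        strcpy(out->path, "/");
    } else if (strlen(slash) < sizeof out->path) {
        strcpy(out->path, slash);
    } else {
        return -1;
    }
    return 0;
}

/* Write the request line and headers for POSTing der_len bytes of OCSP request.
 * The Host header is mandatory in HTTP/1.1 and is the one missing in the capture.
 * Returns the number of bytes written (excluding NUL), or -1 on error. */
static int build_ocsp_http_request(const char *url, size_t der_len,
                                   char *buf, size_t buflen)
{
    ocsp_url_t u;
    if (parse_ocsp_url(url, &u) != 0) return -1;
    char hostval[300];
    if (u.port == 80) snprintf(hostval, sizeof hostval, "%s", u.host);
    else snprintf(hostval, sizeof hostval, "%s:%d", u.host, u.port);
    int n = snprintf(buf, buflen,
                     "POST %s HTTP/1.1\r\n"
                     "Host: %s\r\n"
                     "Content-Type: application/ocsp-request\r\n"
                     "Content-Length: %zu\r\n"
                     "Connection: close\r\n"
                     "\r\n",
                     u.path, hostval, der_len);
    if (n < 0 || (size_t)n >= buflen) return -1;
    return n;
}

/* Case-insensitive "does s start with prefix" (header names are case-insensitive). */
static int ci_prefix(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
    return 1;
}

/* Scan the header block of a request; returns 1 if a Host header is present, else 0.
 * This is the check the capture in the ticket would have failed. */
static int has_host_header(const char *req)
{
    const char *line = strstr(req, "\r\n"); /* skip the request line */
    while (line) {
        line += 2;
        if (line[0] == '\r' || line[0] == '\0') break; /* end of headers */
        if (ci_prefix(line, "host:")) return 1;
        line = strstr(line, "\r\n");
    }
    return 0;
}

int main(void)
{
    char buf[512];
    /* 83 is a constructed DER length for a single-certificate OCSP request. */
    int n = build_ocsp_http_request("http://ocsp.sca1b.amazontrust.com", 83, buf, sizeof buf);
    if (n < 0) return 1;
    fputs(buf, stdout);
    printf("has Host header: %d\n", has_host_header(buf));
    return 0;
}
```

The request-line path defaults to "/" when the responder URL has none, which is the case for the AIA URL in the logs; a responder on a non-default port gets "host:port" in the Host value, as the RFC requires.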