DigiCert changing IP addresses for OCSP on 26.04.2021 #510
SuperJuell started this conversation in General
Update by eDEC 27.04.2021: "Dear Peppol Service Providers, After consideration DigiCert has decided to postpone the OCSP IP address update which was communicated earlier on Thursday 22nd. The new date is now: June 15, 2021, which gives more time for anyone who might need to adjust firewall settings. Best regards, OpenPeppol Operating Office"
Hi all,
A mail regarding the change of IP addresses at DigiCert was sent to Oxalis yesterday. This should not be a problem for any Oxalis users, but if there are problems on Monday, have a look at this before reporting errors:
Dear Peppol Service Providers,
On April 26th, at 23:00 UTC, our PKI provider DigiCert will change the IP address range of its OCSP server. The OCSP server is used to check if a certificate is revoked or not. Each Peppol Access Point should run such OCSP checks either implicitly or explicitly. By default, the OCSP server is accessed with its domain name, and as only the IP address changes, there is NO need for changing anything in your Access Point implementation. However, if you have firewalls that need opening make sure to do so.
The exact impact is hard to determine and may vary from Service Provider to Service Provider, but we assume that it will take up to 24 hours until this change is propagated through the entire DNS system. Depending on when DigiCert finishes their changes, and how they implement it, we MAY see an increased number of failures to verify the validity of a Peppol certificate.
If this will be an issue (we honestly can’t say but don’t expect it to), it may be necessary to temporarily turn off OCSP certificate validation in your Access Point software to avoid disruptions in the network – please contact your AP software vendor directly, we can’t help you with the technical details.
This is the full message from DigiCert, that was brought to our attention just today:
Starting April 26, 2021, at 17:00 MDT (23:00 UTC), the CRL and OCSP IP addresses will change for DigiCert PKI Platform 7 and 8 to deliver validation services via DigiCert’s highly-available Content Delivery Network (CDN).
These CDN IP addresses will replace the IP addresses for all CRL and OCSP URLs for DigiCert PKI Platform 7 and 8.
What is the impact?
This change only affects environments that use DigiCert-hosted CRLs and OCSP services when using IP addresses instead of FQDNs for validation services.
You are not affected when you use your own CRL Distribution Points (local URLs).
When you already use IP allowlisting (whitelisting) for validation services, do not remove any firewall configurations. Add the new IP addresses instead.
What do I need to do?
If you have firewalls or access control devices using IP addresses instead of domains, you must add the following CDN IP addresses to your existing allowlist.
New CDN IP Addresses (Validation Service CRL, Validation Service OCSP):
117.18.237.29
192.16.58.8
93.184.220.29
72.21.91.29
For PKI, DigiCert does not recommend the use of IP address allowlisting as we cannot guarantee IP address changes.
Thank you,
DigiCert Team
Best regards,
OpenPeppol Operating Office
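As an added illustration of the point made above (an IP-based egress allowlist silently loses coverage when a responder moves, so the new addresses are added rather than replacing existing rules), here is a small Python check; it is not part of Oxalis or of the announcement. The OCSP/CRL hostnames, the old allowlist and the DNS answers are constructed, the four addresses are the ones quoted from DigiCert, and the resolver is injected so the check runs offline.

```python
# Added example (not Oxalis or DigiCert code): does a firewall allowlist
# still cover the OCSP/CRL responders after the provider re-addresses them?
import ipaddress
from urllib.parse import urlparse

# Constructed: URLs as they appear in a certificate's AIA / CRL DP fields.
VALIDATION_URLS = [
    "http://ocsp.example-pki.test",            # hypothetical OCSP responder
    "http://crl.example-pki.test/pki/ca.crl",  # hypothetical CRL distribution point
]
# Constructed DNS answers after the move; the addresses are the four
# CDN IPs quoted in the DigiCert notice.
DNS_AFTER_CHANGE = {
    "ocsp.example-pki.test": ["117.18.237.29", "192.16.58.8"],
    "crl.example-pki.test": ["93.184.220.29", "72.21.91.29"],
}
# Constructed egress allowlist still written against the old addresses.
OLD_ALLOWLIST = ["198.51.100.0/24", "203.0.113.7"]


def resolve(host, dns=DNS_AFTER_CHANGE):
    """Injected resolver so the check runs offline; in production pass a
    wrapper around socket.getaddrinfo() instead."""
    return dns.get(host, [])


def allowlist_gaps(urls, allowlist, resolver=resolve):
    """Return {host: [IPs]} for responders whose current addresses are not
    matched by any allowlist entry (single host or CIDR)."""
    nets = [ipaddress.ip_network(e, strict=False) for e in allowlist]
    gaps = {}
    for url in urls:
        host = urlparse(url).hostname
        if host is None:
            continue
        missing = [ip for ip in resolver(host)
                   if not any(ipaddress.ip_address(ip) in n for n in nets)]
        if missing:
            gaps[host] = missing
    return gaps


def extend_allowlist(allowlist, gaps):
    """Add the uncovered addresses while keeping every existing entry, as
    the notice advises: add the new IPs, do not remove old rules."""
    new = list(allowlist)
    for ips in gaps.values():
        for ip in ips:
            if ip not in new:
                new.append(ip)
    return new
```

Running `allowlist_gaps(VALIDATION_URLS, OLD_ALLOWLIST)` reports all four CDN addresses as uncovered; after `extend_allowlist` the same check returns an empty dict while the old entries remain in place.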