JrgSchoppmann-9107 asked HannahXiong-MSFT commented

Certificate Request Fails - CRL not Reachable but is reachable

Hey guys, I'm literally going nuts on this one.

I'm trying to issue a certificate and always get "The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)".
When I try to download the CRL via a browser or use certutil to retrieve the CRLs, both work fine.
I also disabled revocation checking and it started to work after that, but that's not an option.

Can someone give me some guidance on where to look? I already can't see the forest for the trees.

My setup consists of an offline Root CA and an online Intermediate CA; the CRL is hosted on an Azure Storage Account / Azure CDN using a custom domain.

windows-server-security
HannahXiong-MSFT answered

Hello @JrgSchoppmann-9107,

Thank you so much for posting here.

The issue seems to be a little unique. As stated, we could access the CRL and there is no error when we run certutil.

I would like to recheck this with you. When we run the command Certutil -urlfetch -verify c:\certificate.cer, it works fine, am I right?

Besides, have we checked PKIView.msc on the issuing CA? Is there any error?

Have we made any changes recently? As mentioned, the CRL is hosted on an Azure Storage Account / Azure CDN using a custom domain. Sorry that we are not experts in Azure, since we focus on on-premises AD.

Thanks for your time and support.

Best regards,
Hannah Xiong

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.

JrgSchoppmann-9107 answered

Thank you for your feedback. I think I also found the reason, but I'm not sure how to fix it.
Indeed, the Delta CRL is expired ... even though the current one was uploaded and is recent.
For some weird reason it shows 14th August 2020 as the expiry date and won't update. I can download the current delta CRL from the given server without a problem. (I remember it broke back at the end of May 2021; it worked like a charm until then, but I never had time to take care of it and haven't changed anything in this setup.)

I already tried several times to clear the URL cache, but it doesn't change anything, even after rebooting the CA.

JrgSchoppmann-9107 answered HannahXiong-MSFT commented

I'm not sure yet, but I think it was caused by either Azure CDN caching behaviour or my company's ISP caching.
For Azure I set a global cache bypass rule for the endpoint and at the same time asked my ISP to exclude the given URLs from their backbone caching. Not sure which kicked in first... but both the normal and the delta CRL got updated.

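The failure the thread settles on, a CDN or ISP cache handing out a delta CRL past its nextUpdate, can be checked from the client side without certutil. This is an added example, not code from the thread or from Microsoft: it pulls thisUpdate/nextUpdate out of a DER CRL with a minimal standard-library DER walker (no signature verification) and compares the HTTP Cache-Control max-age against the CRL's remaining validity. The sample CRL, its issuer name "Test CA" and its dummy signature bytes are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

def _tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: N length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _time(tag, raw):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ) -> aware UTC."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def crl_validity(der):
    """(thisUpdate, nextUpdate) of a DER CertificateList (RFC 5280 s5.1); nextUpdate may be None."""
    _, p, _ = _tlv(der, 0)                              # CertificateList SEQUENCE
    _, p, _ = _tlv(der, p)                              # tbsCertList SEQUENCE
    tag, _, ve = _tlv(der, p)                           # version INTEGER is OPTIONAL ...
    if tag == 0x02:
        tag, _, ve = _tlv(der, ve)                      # ... so this may already be the signature
    _, _, ve = _tlv(der, ve)                            # issuer Name
    tag, vs, ve = _tlv(der, ve)                         # thisUpdate
    tag2, vs2, ve2 = _tlv(der, ve)                      # nextUpdate, or revokedCertificates/extensions
    return _time(tag, der[vs:ve]), (_time(tag2, der[vs2:ve2]) if tag2 in (0x17, 0x18) else None)

def max_age_from(headers):
    """Cache-Control max-age in seconds from a response header mapping, or None if unset."""
    m = re.search(r"max-age=(\d+)", headers.get("Cache-Control", ""))
    return int(m.group(1)) if m else None

def cache_verdict(next_update, now, max_age=None):
    """STALE: nextUpdate missing or passed (Windows: CRYPT_E_REVOCATION_OFFLINE); RISK: cache TTL outlives the CRL."""
    if next_update is None or next_update <= now:
        return "STALE"
    if max_age is not None and timedelta(seconds=max_age) > next_update - now:
        return "RISK"
    return "OK"

def _enc(tag, body):                                    # tiny DER encoder (short lengths) for the sample
    return bytes([tag, len(body)]) + body

def sample_crl(this_update, next_update):
    """Constructed, unsigned CRL: v2, sha256WithRSA algorithm id, issuer CN=Test CA, dummy signature."""
    utc = lambda d: _enc(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    alg = _enc(0x30, _enc(0x06, bytes.fromhex("2a864886f70d01010b")) + _enc(0x05, b""))
    issuer = _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, bytes.fromhex("550403")) + _enc(0x0c, b"Test CA"))))
    tbs = _enc(0x30, _enc(0x02, b"\x01") + alg + issuer + utc(this_update) + utc(next_update))
    return _enc(0x30, tbs + alg + _enc(0x03, b"\x00\xff"))
```

For a live check, feed the body and headers of a `urllib.request.urlopen(url)` response to `crl_validity` and `max_age_from`; a CRL endpoint whose max-age exceeds the CRL's remaining validity is exactly the setup that let a cache keep serving the 14 August 2020 delta CRL described above.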

Hello @JrgSchoppmann-9107,

Thank you so much for your feedback.

So glad to hear that both the normal and the delta CRL got updated now. That is to say, we can request the certificate now. If there is any misunderstanding, please feel free to let me know.

Thanks for sharing your experience here. If there is anything else I can do for you, please do not hesitate to let me know and I will be very happy to help.

Best regards,
Hannah Xiong