Errors with SharePoint Security Token Service: "The revocation function was unable to check revocation for the certificate"

I'm getting these errors in the event log and ULS:

An operation failed because the following certificate has validation errors:

Subject Name: CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US
Issuer Name: CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US
Thumbprint: <STS CERTIFICATE THUMBPRINT>

Errors:

 RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.

The errors point to the SharePoint Security Token Service as the issue ("The revocation function was unable to check revocation for the certificate"), reported back by the Topology service. This is apparent when executing a search, accessing the managed metadata service, issuing SPSite commands in PowerShell, or anything that needs to run through the "SharePoint Web Services" site. I've looked at the certificate assigned to that site and everything appears to be in order. It would seem to me to be either an incorrect endpoint configuration (internally cached perhaps?) or related to security access for the configuration database (in order to validate the certificate root).

What I've tried so far:

  • I've been all over the certificate settings, both in the server store and within the SharePoint Token Service config. Both appear to be configured correctly such that the root CAs can be validated.
  • Re-entered the passwords for the application pool domain accounts to eliminate these as a potential cause. I've also verified that the service accounts reporting the error do have access to the configuration database.
  • Re-provisioned the STS service to see if that might clear out any cached issues, and validated everything else according to this MS Tech note.

So far nothing has worked.  Is there anything else I could be looking at that I've missed? (Full eventlog detail below)

Log Name:      Application
Source:        Microsoft-SharePoint Products-SharePoint Foundation
Date:          2/20/2015 11:19:41 AM
Event ID:      8311
Task Category: Topology
Level:         Error
Keywords:      
User:          <SP SERVICE ACCOUNT>
Computer:      <SHAREPOINTSERVER>
Description:
An operation failed because the following certificate has validation errors:

Subject Name: CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US
Issuer Name: CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US
Thumbprint: <STS CERT THUMBPRINT>

Errors:

 RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-SharePoint Products-SharePoint Foundation" Guid="{6FB7E0CD-52E7-47DD-997A-241563931FC2}" />
    <EventID>8311</EventID>
    <Version>14</Version>
    <Level>2</Level>
    <Task>13</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2015-02-20T17:19:41.213852500Z" />
    <EventRecordID>1611121</EventRecordID>
    <Correlation />
    <Execution ProcessID="10212" ThreadID="10328" />
    <Channel>Application</Channel>
    <Computer><SHAREPOINTSERVER></Computer>
    <Security UserID="<SP SERVICE ACCOUNT>" />
  </System>
  <EventData>
    <Data Name="string0">CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US</Data>
    <Data Name="string1">CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US</Data>
    <Data Name="string2"><STS CERT THUMBPRINT></Data>
    <Data Name="string3">RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.</Data>
  </EventData>
</Event>

February 23rd, 2015 9:16pm

Hi Darren,

This problem seems to occur when an administrator deletes the local trust relationship of the farm from the Security section of the Central Administration website.

In order to resolve this problem, the local trust relationship has to be created. This can be done by running the following PowerShell commands:

# Read the farm's own root certificate (CN=SharePoint Root Authority) and register it again under Manage Trust
$rootCert = (Get-SPCertificateAuthority).RootCertificate
New-SPTrustedRootAuthority -Name "localNew" -Certificate $rootCert

After running the above commands, perform an IISReset on all servers in the farm.

More information:

http://support.microsoft.com/kb/2545744

Best Regards,

Wendy

Forum Support

Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
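The reply above re-creates the trust entry blindly. The following script is an added example, not code from the thread or from Microsoft: it is the check a practitioner would run first from the SharePoint Management Shell, comparing the STS signing certificate and the farm root by thumbprint rather than by the name of the Manage Trust entry, and then rebuilding the chain with .NET's X509Chain to see exactly which status the validator produces. It assumes the STS signing certificate can be read from `(Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate`, and it reuses the entry name "localNew" from the reply when the root has to be re-registered.

```powershell
# Added example (not from the thread): inspect the farm's own PKI and reproduce the
# revocation check that event 8311 complains about. Assumptions: the STS signing cert is
# LocalLoginProvider.SigningCertificate, and a missing trust entry is created as "localNew".
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$farmRoot = (Get-SPCertificateAuthority).RootCertificate                               # CN=SharePoint Root Authority
$stsCert  = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate   # CN=SharePoint Security Token Service

"Farm root : $($farmRoot.Subject)  [$($farmRoot.Thumbprint)]"
"STS cert  : $($stsCert.Subject)  issued by $($stsCert.Issuer)  [$($stsCert.Thumbprint)]"

# 1. Does the STS certificate actually chain to the root object the farm holds?
if ($stsCert.Issuer -ne $farmRoot.Subject) {
    Write-Warning "STS certificate issuer does not match the farm root subject"
}

# 2. Is that root registered under Manage Trust? Compare by thumbprint, not by entry name:
#    an entry called "local" can exist and still hold a stale or foreign certificate.
$trusted = Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $farmRoot.Thumbprint }
if (-not $trusted) {
    Write-Warning "Farm root is not registered as a trusted root authority; re-creating it"
    New-SPTrustedRootAuthority -Name "localNew" -Certificate $farmRoot | Out-Null
} else {
    "Root registered under Manage Trust as: $($trusted.Name -join ', ')"
}

# 3. Rebuild the chain the way a Windows validator does, once without and once with an
#    online revocation check. A leaf with no reachable CRL distribution point comes back
#    as RevocationStatusUnknown, which is the status text the event shows.
function Test-StsChain([string]$RevocationMode) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $RevocationMode          # 'NoCheck', 'Online' or 'Offline'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chain.ChainPolicy.ExtraStore.Add($farmRoot) | Out-Null      # find the root even if the machine store lacks it
    $ok     = $chain.Build($stsCert)
    $status = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
    [pscustomobject]@{ RevocationMode = $RevocationMode; Valid = $ok; Status = $status }
}

Test-StsChain 'NoCheck'   # must build; if it fails here the problem is the chain itself, not revocation
Test-StsChain 'Online'    # shows the revocation statuses the validator attaches to this chain
```

If step 3 builds cleanly with `NoCheck` and only the `Online` run reports `RevocationStatusUnknown`, the trust relationship itself is intact and the problem is purely the revocation check, which narrows the search to CRL handling rather than to Manage Trust or the server certificate stores.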

February 25th, 2015 3:08am

Been there, done that, bought the t-shirt.  That was one of the first things I tried.  Even looking at the certificate entries under Managed Trust, the original "local" root is still there with the correct thumbprint that exists for the root in the server store.

This one is definitely a puzzle!

February 25th, 2015 12:23pm

Hi Darren,

Please check if the links are useful for you:

http://wp.ahcheng.com/2014/05/16/an-unrecognized-http-response-was-received-trustfailure-could-not-establish-trust-relationship-ssltls/

http://cheekssp.blogspot.jp/2014/10/this-error-appears-in-windows-event.html

Best Regards,

Wendy

Forum Support
February 26th, 2015 4:53am

I have looked at both of these.  The error is specific to the SharePoint STS certificate.  I've verified both in the server certificate store and in SharePoint (managed trust) and both are correct, but the error persists.

Grasping at straws, I've also tried clearing the SharePoint cache and rebooting all servers in the farm.

February 26th, 2015 12:02pm

Hi Darren, 

We are currently looking into this issue and will give you an update as soon as possible.
 
Thank you for your understanding and support.

Best Regards,

Wendy

Forum Support
February 27th, 2015 7:10am

Hi Darren,

Regarding this issue, it seems you have already done a lot. Very few options are left at this point.

If possible, please create a temporary UPA, so that the current UPA is not affected.

If I may ask, do you have any CRL checking process in your environment? If yes, is it possible to disable it for testing purposes?

Thanks,

Wendy

Forum Support

March 2nd, 2015 2:27am

Hi Darren,

Do you have any update for this issue? If you have any update, please feel free to reply.

Best Regards,

Wendy

March 5th, 2015 4:37am

No success so far.  I've tried disabling CRL checking just for the SharePoint web services site, and for the entire server.  
March 5th, 2015 7:46am

Hi Darren,

This issue most probably is a certificate issue; please check the following:
- Check what the trust chain of the certificate is, and find out what the root certificate is.
- Check if the certificate is installed on all the servers under Trusted Root Authorities on the local machine.
- Check whether there are also two certificates it depends on.
- Install all the certificates on all machines.
- Upload the certificates also to the SharePoint certificate store under Central Admin -> Security -> General Security -> Manage Trust.
- IIS reset.

Best Regards,
Wendy
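The checklist above asks for the root certificate to be present in the local machine's Trusted Root Authorities store on every server in the farm. The script below is an added example, not part of the thread, that performs that check and the import in one pass from a farm server: it exports the farm root as a public DER blob, fans out over every SharePoint server returned by `Get-SPServer`, and reports per server whether the root was already present or had to be added. It assumes PowerShell remoting (WinRM) is enabled to each server and that the account running it is a local administrator there; the ordered `iisreset` at the end is left commented out so it is only run once every server reports the root as present.

```powershell
# Added example (not from the thread): ensure the farm root certificate SharePoint trusts is
# in LocalMachine\Root on every farm server, importing it where missing.
# Assumptions: WinRM is enabled to each server; only the public certificate (no key) is shipped.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$farmRoot  = (Get-SPCertificateAuthority).RootCertificate
$rootBytes = $farmRoot.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)  # DER, public part only

# Servers with Role 'Invalid' are non-SharePoint members of the farm (typically the SQL server); skip them.
$servers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' } | Select-Object -ExpandProperty Address

$results = Invoke-Command -ComputerName $servers -ArgumentList $rootBytes, $farmRoot.Thumbprint -ScriptBlock {
    param([byte[]]$Der, [string]$Thumbprint)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
    $store.Open('ReadWrite')
    # Match on thumbprint: a certificate with the same subject but a different key is not the same trust anchor.
    $present = $store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint }
    $action  = 'already present'
    if (-not $present) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$Der)
        $store.Add($cert)
        $action = 'imported'
    }
    $store.Close()
    [pscustomobject]@{ Server = $env:COMPUTERNAME; Thumbprint = $Thumbprint; Action = $action }
}

$results | Format-Table Server, Action, Thumbprint -AutoSize

# Once every server reports the root as present, recycle IIS farm-wide (the last step of the checklist):
# Invoke-Command -ComputerName $servers -ScriptBlock { iisreset /noforce }
```

Registering the same root under Central Administration's Manage Trust is a separate step (see `New-SPTrustedRootAuthority` earlier in the thread); this script only covers the per-server Windows certificate store, which is where a chain build on each box looks for the trust anchor.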

March 15th, 2015 9:07pm

Hi,

Do you have any update for this issue?

Best Regards,

Wendy

March 23rd, 2015 2:31am
