Godaddy Cert, Exchange 2013 Enterprise, NO PROXY, Revocation Check Failed
Really, REALLY frustrated with this. So I have done extensive research and none of the articles I have looked at have fixed the issue. Exchange 2013 running on Windows Server 2012. I have run:

get-exchangecertificate -server "servername"

Documented the thumbprint, then:

enable-exchangecertificate -server "servername" -thumbprint "

No go. I have no proxy server. I have a Juniper firewall and set up a MIP and policies to allow 443, 25 and 80 to go to my CAS server. When I put the machine in the public, it works fine. In other words, no firewall, open to everyone on the web. I'm thinking there is some port that needs to be opened to have the cert revocation work. Here is the dump of my certutil -verify -urlfetch.

PS C:\sysadmin> certutil -urlfetch -verify webmail.mydomain.com.crt
Issuer:
    SERIALNUMBER=07969287
    CN=Go Daddy Secure Certification Authority
    OU=http://certificates.godaddy.com/repository
    O=GoDaddy.com, Inc.
    L=Scottsdale
    S=Arizona
    C=US
  Name Hash(sha1): 70292276537f1abc8fd53c9484e914cb762a052a
  Name Hash(md5): 042d5597d3d5978836f3cc27bc59f931
Subject:
    CN=webmail.mydomain.com
    OU=Domain Control Validated
  Name Hash(sha1): be557be1c137c978cecf6d1606a078f0ba75be6e
  Name Hash(md5): 0a63e2b3f2bb7f91e01ef58b983fa711
Cert Serial Number: 07887e2158c42d

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwRevocationFreshnessTime: 327 Days, 2 Hours, 40 Minutes, 58 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwRevocationFreshnessTime: 327 Days, 2 Hours, 40 Minutes, 58 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
  NotBefore: 3/18/2013 2:49 PM
  NotAfter: 3/15/2014 8:46 PM
  Subject: CN=webmail.mydomain.com, OU=Domain Control Validated
  Serial: 07887e2158c42d
  SubjectAltName: DNS Name=webmail.mydomain.com, DNS Name=www.webmail.mydomain.com, DNS Name=aas-ex-cas 01.apex.prod, DNS Name=APEX.PROD, DNS Name=mydomain.com, DNS Name=AutoDiscover.APEX.PROD, DNS Name=AutoDiscover mydomain.com, DNS Name=webmail.apex.prod
  2d f3 08 88 cd f7 69 a3 40 6b ed 8a 76 2c 8a 3c c6 6d 2e 6d
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ---------------- Certificate AIA ----------------
  Verified "Certificate (0)" Time: 0
    [0.0] http://certificates.godaddy.com/repository/gd_intermediate.crt
  ---------------- Certificate CDP ----------------
  Expired "Base CRL (0c)" Time: 0
    [0.0] http://crl.godaddy.com/gds1-87.crl
  ---------------- Base CRL CDP ----------------
  No URLs "None" Time: 0
  ---------------- Certificate OCSP ----------------
  Expired "OCSP" Time: 0
    [0.0] http://ocsp.godaddy.com/
  --------------------------------
  CRL (null):
  Issuer: CN=Go Daddy Validation Authority, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, LLC", L=Scottsdale, S=Arizona, C=US
  ThisUpdate: 3/18/2013 4:02 PM
  NextUpdate: 3/18/2013 10:02 PM
  39 7b 2a 5f 78 d5 36 62 2c eb 50 6a cd 39 6c 31 dc 90 e4 dd
  Issuance[0] = 2.16.840.1.114413.1.7.23.1
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
  NotBefore: 11/15/2006 7:54 PM
  NotAfter: 11/15/2026 7:54 PM
  Subject: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
  Serial: 0301
  7c 46 56 c3 06 1f 7f 4c 0d 67 b3 19 a8 55 f6 0e bc 11 fc 44
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ---------------- Certificate AIA ----------------
  No URLs "None" Time: 0
  ---------------- Certificate CDP ----------------
  Verified "Base CRL" Time: 0
    [0.0] http://certificates.godaddy.com/repository/gdroot.crl
  ---------------- Base CRL CDP ----------------
  No URLs "None" Time: 0
  ---------------- Certificate OCSP ----------------
  Expired "OCSP" Time: 0
    [0.0] http://ocsp.godaddy.com
  --------------------------------
  CRL (null):
  Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
  ThisUpdate: 4/26/2012 2:03 PM
  NextUpdate: 4/26/2013 2:03 PM
  d2 73 ad 70 39 95 10 c4 f1 7f d5 0f d7 8c 4f 2c 11 c7 61 a1
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
  Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing

CertContext[0][2]: dwInfoStatus=109 dwErrorStatus=0
  Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
  NotBefore: 6/29/2004 11:06 AM
  NotAfter: 6/29/2034 11:06 AM
  Subject: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
  Serial: 00
  27 96 ba e6 3f 18 01 e2 77 26 1b a0 d7 77 70 02 8f 20 ee e4
  Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ---------------- Certificate AIA ----------------
  No URLs "None" Time: 0
  ---------------- Certificate CDP ----------------
  No URLs "None" Time: 0
  ---------------- Certificate OCSP ----------------
  No URLs "None" Time: 0
  --------------------------------
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
  Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing

Exclude leaf cert:
  83 1c c7 85 83 73 fb 26 ce 79 12 ef 9d ef f1 d1 c3 c9 05 23
Full chain:
  b4 b3 8e 61 f8 e1 0b 9d 5a 46 67 69 83 40 35 68 27 00 1c a1
Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotBefore: 3/18/2013 2:49 PM
NotAfter: 3/15/2014 8:46 PM
Subject: CN=webmail.mydomain.com, OU=Domain Control Validated
Serial: 07887e2158c42d
SubjectAltName: DNS Name=webmail.mydomain.com, DNS Name=www.webmail.mydomain.com, DNS Name=aas-ex-cas 01.apex.prod, DNS Name=APEX.PROD, DNS Name=mydomain.com, DNS Name=AutoDiscover.APEX.PROD, DNS Name=AutoDiscover mydomain.com, DNS Name=webmail.apex.prod
2d f3 08 88 cd f7 69 a3 40 6b ed 8a 76 2c 8a 3c c6 6d 2e 6d
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
------------------------------------
Revocation check skipped -- server offline
Cert is an End Entity certificate
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
CertUtil: -verify command completed successfully.
March 19th, 2013 1:51am

Hi Chef, This is a quick note to let you know that we are performing research on this issue. Frank Wang TechNet Community Support
March 20th, 2013 5:51am

Hello, What's the error code when it failed to enable the certificate on Exchange services? Thanks, If you have feedback for TechNet Subscriber Support, contact tnsfl@microsoft.com Simon Wu TechNet Community Support
March 20th, 2013 9:29am

Sorry for the delay, I have been traveling. I entered the following command in the EMS:

get-exchangecertificate -server "server"

I then copied the Thumbprint and ran the following command:

enable-exchangecertificate -server "server" -thumbprint "thumbprint from get-exchangecertificate"

The following was next:

cmdlet Enable-ExchangeCertificate at command pipeline position 1
Supply values for the following parameters:
Services: iis, smtp
[PS] C:\Windows\system32>

I then go to the ECP, select the CAS server and the status is still: Revocation check failed. I then went to http://certificates.godaddy.com/repository/gdroot.crl in a web browser and it stated that the CRL was successfully imported. This is the first time I have seen this. I'll give it some time and see if this resolves the issue.
March 24th, 2013 5:23am

Issue resolved. It's amazing after all the searching that I did that I finally found an answer buried in Google searches. As it turns out, my domain controller that I had set up was off by 1 day. The time was spot on, the date however was not. Timezone was set correctly, etc. So, if you run into this issue, check your date and time, then look at other issues. Thanks for your help!
March 24th, 2013 10:19am
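Added example, written for this page and not code from the thread, Microsoft or GoDaddy. It ties the first post's certutil dump to the resolution: the leaf CRL there carries ThisUpdate 3/18/2013 4:02 PM and NextUpdate 3/18/2013 10:02 PM yet certutil reports it "Expired", which is what a server clock one day ahead produces. The script parses the ThisUpdate/NextUpdate lines of a certutil -urlfetch -verify dump, classifies each CRL against a supplied clock value, and asks whether a whole-day clock offset would make a non-valid CRL valid. SAMPLE_DUMP is a constructed, trimmed copy of the thread's output; the regular expressions, the +/-3 day search window and every function name are assumptions of this example, not certutil features.

```python
"""Diagnose a CRL that certutil reports as Expired / revocation server offline when
the real cause is local clock skew, as in the thread's off-by-one-day domain controller."""
import re
from datetime import datetime, timedelta

# Constructed sample in the shape certutil -urlfetch -verify prints; dates and URLs are
# the ones visible in the thread's dump, everything else is trimmed away.
SAMPLE_DUMP = """\
---------------- Certificate CDP ----------------
  Expired "Base CRL (0c)" Time: 0
    [0.0] http://crl.godaddy.com/gds1-87.crl
---------------- Base CRL CDP ----------------
  No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
  Expired "OCSP" Time: 0
    [0.0] http://ocsp.godaddy.com/
--------------------------------
CRL (null):
Issuer: CN=Go Daddy Validation Authority, O="GoDaddy.com, LLC", C=US
 ThisUpdate: 3/18/2013 4:02 PM
 NextUpdate: 3/18/2013 10:02 PM
---------------- Certificate CDP ----------------
  Verified "Base CRL" Time: 0
    [0.0] http://certificates.godaddy.com/repository/gdroot.crl
---------------- Certificate OCSP ----------------
  Expired "OCSP" Time: 0
    [0.0] http://ocsp.godaddy.com
--------------------------------
CRL (null):
Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
 ThisUpdate: 4/26/2012 2:03 PM
 NextUpdate: 4/26/2013 2:03 PM
"""

# Assumed line shapes (this example's own heuristics, not a documented certutil grammar).
SECTION_RE = re.compile(r"^-+\s*(.*?)\s*-+$")
URL_RE = re.compile(r"^\[\d+\.\d+\]\s+(\S+)$")
DATE_RE = re.compile(r"^(ThisUpdate|NextUpdate):\s+(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)$")
CERTUTIL_DATE_FMT = "%m/%d/%Y %I:%M %p"


def parse_certutil_dump(text):
    """Return one dict per CRL: the CDP URL it was fetched from plus its validity window."""
    crls, section, cdp_url, this_update = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:                          # "---- Certificate CDP ----" style header, or a bare rule
            section = m.group(1)
            continue
        if section == "Certificate CDP":
            m = URL_RE.match(line)     # remember the CRL distribution point URL only
            if m:
                cdp_url = m.group(1)
            continue
        m = DATE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(2), CERTUTIL_DATE_FMT)
        if m.group(1) == "ThisUpdate":
            this_update = when
        elif this_update is not None:  # NextUpdate closes the window; emit the CRL
            crls.append({"url": cdp_url, "this_update": this_update, "next_update": when})
            cdp_url, this_update = None, None
    return crls


def crl_status(crl, now):
    """Classify a CRL against a clock value: the chain engine accepts it only inside the window."""
    if now < crl["this_update"]:
        return "not yet valid"
    if now > crl["next_update"]:
        return "expired"
    return "valid"


def diagnose(crls, now, max_skew_days=3):
    """For each CRL not valid at `now`, find the smallest whole-day clock offset (within
    +/-max_skew_days) that would make it valid. A hit points at the local clock, not the CA."""
    findings = []
    for crl in crls:
        status = crl_status(crl, now)
        offset, hint = None, None
        if status != "valid":
            for days in sorted(range(-max_skew_days, max_skew_days + 1), key=abs):
                if days and crl_status(crl, now + timedelta(days=days)) == "valid":
                    offset = days
                    direction = "ahead" if days < 0 else "behind"
                    hint = f"local clock appears to be {abs(days)} day(s) {direction}"
                    break
        findings.append({"url": crl["url"], "status": status,
                         "clock_offset_days": offset, "hint": hint})
    return findings


def diagnose_text(dump, now_text):
    """Convenience wrapper; `now_text` uses certutil's own date format, e.g. '3/19/2013 5:00 PM'."""
    return diagnose(parse_certutil_dump(dump), datetime.strptime(now_text, CERTUTIL_DATE_FMT))


if __name__ == "__main__":
    # A clock reading 3/19 while the CRL was issued for the evening of 3/18 reproduces the thread.
    for f in diagnose_text(SAMPLE_DUMP, "3/19/2013 5:00 PM"):
        print(f["url"], f["status"], f["hint"] or "")
```

Run as-is, the leaf CRL (gds1-87.crl) comes back "expired" with a suggested offset of -1 day, i.e. the clock is a day ahead, while the long-lived root CRL is still inside its window, which is why only the leaf element carries CERT_TRUST_IS_OFFLINE_REVOCATION in the dump. On a real server, feed it the actual certutil output and the server's own Get-Date value; a short-lived CRL (hours) is far more sensitive to skew than a yearly one, so it is the first one to look at.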
