Godaddy Cert, Exchange 2013 Enterprise, NO PROXY, Revocation Check Failed
Really, REALLY frustrated with this. So I have done extensive research and none of the articles I have looked at have fixed the issue. Exchange 2013 running on Windows Server 2012.
I have run get-exchangecertificate -server "servername" and documented the thumbprint.
Enable-ExchangeCertificate -Server "servername" -Thumbprint "
No go
I have no proxy server
I have a Juniper firewall and set up a MIP and policies to allow 443, 25 and 80 to go to my CAS server.
When I put the machine in the public, it works fine. In other words, no firewall, open to everyone on the web. I'm thinking there is some port that needs to be opened to have the cert revocation check work.
Here is the dump of my certutil -verify -urlfetch.
PS C:\sysadmin> certutil -urlfetch -verify webmail.mydomain.com.crt
Issuer:
SERIALNUMBER=07969287
CN=Go Daddy Secure Certification Authority
OU=http://certificates.godaddy.com/repository
O=GoDaddy.com, Inc.
L=Scottsdale
S=Arizona
C=US
Name Hash(sha1): 70292276537f1abc8fd53c9484e914cb762a052a
Name Hash(md5): 042d5597d3d5978836f3cc27bc59f931
Subject:
CN=webmail.mydomain.com
OU=Domain Control Validated
Name Hash(sha1): be557be1c137c978cecf6d1606a078f0ba75be6e
Name Hash(md5): 0a63e2b3f2bb7f91e01ef58b983fa711
Cert Serial Number: 07887e2158c42d
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwRevocationFreshnessTime: 327 Days, 2 Hours, 40 Minutes, 58 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwRevocationFreshnessTime: 327 Days, 2 Hours, 40 Minutes, 58 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotBefore: 3/18/2013 2:49 PM
NotAfter: 3/15/2014 8:46 PM
Subject: CN=webmail.mydomain.com, OU=Domain Control Validated
Serial: 07887e2158c42d
SubjectAltName: DNS Name=webmail.mydomain.com, DNS Name=www.webmail.mydomain.com, DNS Name=aas-ex-cas01.apex.prod, DNS Name=APEX.PROD, DNS Name=mydomain.com, DNS Name=AutoDiscover.APEX.PROD, DNS Name=AutoDiscover.mydomain.com, DNS Name=webmail.apex.prod
2d f3 08 88 cd f7 69 a3 40 6b ed 8a 76 2c 8a 3c c6 6d 2e 6d
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] http://certificates.godaddy.com/repository/gd_intermediate.crt
---------------- Certificate CDP ----------------
Expired "Base CRL (0c)" Time: 0
[0.0] http://crl.godaddy.com/gds1-87.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
Expired "OCSP" Time: 0
[0.0] http://ocsp.godaddy.com/
--------------------------------
CRL (null):
Issuer: CN=Go Daddy Validation Authority, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, LLC", L=Scottsdale, S=Arizona, C=US
ThisUpdate: 3/18/2013 4:02 PM
NextUpdate: 3/18/2013 10:02 PM
39 7b 2a 5f 78 d5 36 62 2c eb 50 6a cd 39 6c 31 dc 90 e4 dd
Issuance[0] = 2.16.840.1.114413.1.7.23.1
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
NotBefore: 11/15/2006 7:54 PM
NotAfter: 11/15/2026 7:54 PM
Subject: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
Serial: 0301
7c 46 56 c3 06 1f 7f 4c 0d 67 b3 19 a8 55 f6 0e bc 11 fc 44
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
Verified "Base CRL" Time: 0
[0.0] http://certificates.godaddy.com/repository/gdroot.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
Expired "OCSP" Time: 0
[0.0] http://ocsp.godaddy.com
--------------------------------
CRL (null):
Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
ThisUpdate: 4/26/2012 2:03 PM
NextUpdate: 4/26/2013 2:03 PM
d2 73 ad 70 39 95 10 c4 f1 7f d5 0f d7 8c 4f 2c 11 c7 61 a1
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing
CertContext[0][2]: dwInfoStatus=109 dwErrorStatus=0
Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
NotBefore: 6/29/2004 11:06 AM
NotAfter: 6/29/2034 11:06 AM
Subject: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
Serial: 00
27 96 ba e6 3f 18 01 e2 77 26 1b a0 d7 77 70 02 8f 20 ee e4
Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing
Exclude leaf cert:
83 1c c7 85 83 73 fb 26 ce 79 12 ef 9d ef f1 d1 c3 c9 05 23
Full chain:
b4 b3 8e 61 f8 e1 0b 9d 5a 46 67 69 83 40 35 68 27 00 1c a1
Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotBefore: 3/18/2013 2:49 PM
NotAfter: 3/15/2014 8:46 PM
Subject: CN=webmail.mydomain.com, OU=Domain Control Validated
Serial: 07887e2158c42d
SubjectAltName: DNS Name=webmail.mydomain.com, DNS Name=www.webmail.mydomain.com, DNS Name=aas-ex-cas01.apex.prod, DNS Name=APEX.PROD, DNS Name=mydomain.com, DNS Name=AutoDiscover.APEX.PROD, DNS Name=AutoDiscover.mydomain.com, DNS Name=webmail.apex.prod
2d f3 08 88 cd f7 69 a3 40 6b ed 8a 76 2c 8a 3c c6 6d 2e 6d
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
------------------------------------
Revocation check skipped -- server offline
Cert is an End Entity certificate
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
CertUtil: -verify command completed successfully.
March 19th, 2013 1:51am
Hi Chef,
This is a quick note to let you know that we are performing research on this issue.
Frank Wang
TechNet Community Support
March 20th, 2013 5:51am
Hello,
What's the error code when it failed to enable the certificate on Exchange services?
Thanks,
If you have feedback for TechNet Subscriber Support, contact tnsfl@microsoft.com
Simon Wu
TechNet Community Support
March 20th, 2013 9:29am
Sorry for the delay, I have been traveling. I entered the following command in the EMS:
get-exchangecertificate -server "server"
I then copied the Thumbprint and ran the following command:
enable-exchangecertificate -server "server" -thumbprint "thumbprint from get-exchangecertificate"
The following was next:
cmdlet Enable-ExchangeCertificate at command pipeline position 1
Supply values for the following parameters:
Services: iis, smtp
[PS] C:\Windows\system32>
I then go to the ECP, select the CAS server and the status is still: Revocation check failed
I then went to http://certificates.godaddy.com/repository/gdroot.crl in a web browser and it stated that the CRL was successfully imported. This is the first time I have seen this. I'll give it some time and see if this resolves the issue.
March 24th, 2013 5:23am
Issue resolved. It's amazing after all the searching that I did that I finally found an answer buried in Google searches. As it turns out, my domain controller that I had set up was off by 1 day. The time was spot on, the date however was not. Timezone was set correctly, etc.
So, if you run into this issue, check your date and time, then look at other issues.
Thanks for your help!
March 24th, 2013 10:19am
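The following is an added example and not code from the thread or from Microsoft. It ties together the two halves of the thread: the certutil -urlfetch -verify diagnosis in the first post (CERT_TRUST_IS_OFFLINE_REVOCATION, an "Expired" base CRL) and the fix in the last post (a system date one day off). It rebuilds the chain with the same policy CryptoAPI uses for Exchange (online revocation, root excluded), measures the local clock against an NTP source, then downloads every CRL named in the chain's CDP extensions and reports whether the local clock falls inside each CRL's ThisUpdate..NextUpdate window. Assumptions: it runs in PowerShell on the CAS server; $CertPath is a placeholder for an exported copy of the leaf certificate; time.windows.com is an arbitrary reachable NTP server; certutil output is in English so the ThisUpdate/NextUpdate labels can be parsed; outbound TCP 80 to the CDP hosts and UDP 123 to the NTP server are allowed.

```powershell
# Added example (not from the thread). Explains an Exchange "Revocation check failed"
# status at the CryptoAPI level and checks clock skew, the root cause in this thread.
param(
    [string]$CertPath  = 'C:\sysadmin\webmail.mydomain.com.crt',  # placeholder path, assumption
    [string]$NtpServer = 'time.windows.com'                        # any reachable NTP source, assumption
)

# --- 1. Clock check. CryptoAPI judges CRL validity against the local clock, so a date
#        that is a day off makes every CRL look expired (or not yet valid) and the chain
#        reports CERT_TRUST_IS_OFFLINE_REVOCATION even though the CDP is reachable.
$lines = w32tm /stripchart /computer:$NtpServer /samples:1 /dataonly 2>&1
$m = [regex]::Match(($lines -join "`n"), ',\s*([+-]\d+(?:\.\d+)?)s')
if ($m.Success) {
    $skew = [double]$m.Groups[1].Value
    "Clock offset vs ${NtpServer}: {0:N1} s" -f $skew
    if ([math]::Abs($skew) -gt 300) { "  WARNING: clock skew over 5 minutes; fix the time before anything else" }
} else {
    "Could not measure clock offset (UDP 123 blocked?): $($lines -join ' ')"
}
"Local time now: $(Get-Date)"

# --- 2. Build the chain the way Exchange/CryptoAPI does: online revocation, root excluded
#        (this is the CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT flag in the certutil dump).
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode       = 'Online'
$chain.ChainPolicy.RevocationFlag       = 'ExcludeRoot'
$chain.ChainPolicy.UrlRetrievalTimeout  = [TimeSpan]::FromSeconds(15)
$built = $chain.Build($cert)
"Chain build: $(if ($built) { 'OK' } else { 'FAILED' })"
foreach ($s in $chain.ChainStatus) { "  $($s.Status): $($s.StatusInformation.Trim())" }

# --- 3. Fetch each CRL from the CDP extension (OID 2.5.29.31) of every chain element and
#        test its window against the local clock. This is what certutil -urlfetch summarises
#        as Verified / Expired under "Certificate CDP".
foreach ($el in $chain.ChainElements) {
    $c   = $el.Certificate
    $cdp = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { continue }                       # the self-signed root has no CDP
    $urls = [regex]::Matches($cdp.Format($true), 'URL=(http\S+)') | ForEach-Object { $_.Groups[1].Value }
    foreach ($url in $urls) {
        $crlFile = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName() + '.crl')
        try {
            (New-Object System.Net.WebClient).DownloadFile($url, $crlFile)   # plain HTTP, port 80 outbound
        } catch {
            "  $($c.Subject) -> $url : download failed: $($_.Exception.Message)"
            continue
        }
        # .NET Framework has no CRL parser, so let certutil decode the validity dates.
        $dump = certutil -dump $crlFile | Out-String
        $tu = [regex]::Match($dump, 'ThisUpdate:\s*(.+)')
        $nu = [regex]::Match($dump, 'NextUpdate:\s*(.+)')
        if (-not ($tu.Success -and $nu.Success)) {
            "  $($c.Subject) -> $url : could not parse ThisUpdate/NextUpdate from certutil output"
            continue
        }
        $thisUpdate = [datetime]::Parse($tu.Groups[1].Value.Trim())
        $nextUpdate = [datetime]::Parse($nu.Groups[1].Value.Trim())
        $now = Get-Date
        $state = if ($now -lt $thisUpdate)     { 'NOT YET VALID (clock behind?)' }
                 elseif ($now -gt $nextUpdate) { 'EXPIRED (clock ahead, or stale CRL)' }
                 else                          { 'valid' }
        "  $($c.Subject) -> $url : $state  [$thisUpdate .. $nextUpdate]"
        Remove-Item $crlFile -ErrorAction SilentlyContinue
    }
}
```

Run it as `.\Check-RevocationClock.ps1 -CertPath <exported .crt>`; if you would rather test the certificate already bound in Exchange, replace the X509Certificate2 constructor with a lookup in Cert:\LocalMachine\My by the thumbprint Get-ExchangeCertificate printed. The dump in the first post shows why a one-day date error is enough: the Go Daddy leaf CRL was valid from 3/18/2013 4:02 PM to 3/18/2013 10:02 PM, a six-hour window, so any clock a day out lands outside it and CryptoAPI reports the CRL as expired and revocation as offline, which is the "Revocation check failed" status Exchange displays. Step 1 catches that before you start opening firewall ports.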