Improve company productivity with a Business Account.Sign Up

x
?
Solved

SSL Cert -   Expired Base CRL

Posted on 2011-03-03
4
Medium Priority
?
1,673 Views
Last Modified: 2012-05-11
I'm getting some odd behavior from one of my certificates. One of my client computers is in the Philippines. The certificate revocation check is failing. I tried using certutil to locate the specifics. The line I'm concerned about is '  Expired "Base CRL (0128)" Time: 2'.
Is there anything I can do about this beyond hounding GoDaddy?
Issuer:
    SERIALNUMBER=07969287
    CN=Go Daddy Secure Certification Authority
    OU=http://certificates.godaddy.com/repository
    O=GoDaddy.com, Inc.
    L=Scottsdale
    S=Arizona
    C=US
Subject:
    CN=sage.cfcausa.org
    OU=Domain Control Validated
    O=sage.cfcausa.org
Cert Serial Number: b30864338111

dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
  NotBefore: 5/17/2010 6:48 AM
  NotAfter: 5/17/2013 6:48 AM
  Subject: CN=sage.cfcausa.org, OU=Domain Control Validated, O=sage.cfcausa.org
  Serial: b30864338111
  SubjectAltName: DNS Name=sage.cfcausa.org, DNS Name=www.sage.cfcausa.org
  af 64 77 ec ca 0f 27 34 92 f8 bc 42 e8 71 20 a1 01 38 70 00
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0
    [0.0] http://certificates.godaddy.com/repository/gd_intermediate.crt

  ----------------  Certificate CDP  ----------------
  Expired "Base CRL (0128)" Time: 2
    [0.0] http://crl.godaddy.com/gds1-18.crl

  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  Expired "OCSP" Time: 0
    [0.0] http://ocsp.godaddy.com/

  --------------------------------
    CRL (null):
    Issuer: CN=Go Daddy Validation Authority, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
    a6 e3 43 86 48 b5 24 a5 f3 37 b6 b4 c4 f9 36 08 37 2f 20 b7
  Issuance[0] = 2.16.840.1.114413.1.7.23.1 
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
  NotBefore: 11/15/2006 5:54 PM
  NotAfter: 11/15/2026 5:54 PM
  Subject: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
  Serial: 0301
  7c 46 56 c3 06 1f 7f 4c 0d 67 b3 19 a8 55 f6 0e bc 11 fc 44
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  Verified "Base CRL" Time: 0
    [0.0] http://certificates.godaddy.com/repository/gdroot.crl

  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  Expired "OCSP" Time: 0
    [0.0] http://ocsp.godaddy.com

  --------------------------------
    CRL (null):
    Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
    71 5e 17 9c e1 9d 21 fb 41 90 1d f9 88 4b 48 48 ba 9c 39 a2
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
  Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing

CertContext[0][2]: dwInfoStatus=109 dwErrorStatus=0
  Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
  NotBefore: 6/29/2004 9:06 AM
  NotAfter: 6/29/2034 9:06 AM
  Subject: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
  Serial: 00
  27 96 ba e6 3f 18 01 e2 77 26 1b a0 d7 77 70 02 8f 20 ee e4
  Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
  Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing

Exclude leaf cert:
  db c6 89 f7 80 c3 d8 9e 1f 5b b0 7b 17 99 ac 78 96 72 03 3b
Full chain:
  be f4 47 1d e2 f6 27 8f 5b b1 5f b1 8b b9 ab d4 ed be 29 f2
------------------------------------
Verified Issuance Policies:
    2.16.840.1.114413.1.7.23.1
Verified Application Policies:
    1.3.6.1.5.5.7.3.1 Server Authentication
    1.3.6.1.5.5.7.3.2 Client Authentication
Cert is an End Entity certificate

ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

CertUtil: -verify command completed successfully.

Open in new window

0
Comment
Question by:timbrigham
  • 2
  • 2
4 Comments
 
LVL 3

Expert Comment

by:lloydclinton
ID: 35033477
Do you have the GoDaddy intermediate certificate installed also?
0
 
LVL 1

Accepted Solution

by:
timbrigham earned 0 total points
ID: 35033493
Yes. I just found the solution - the bloody time zone wasn't set right on the remote computer, therefore it was always 12-24 hours ahead of when the current crl is valid. Fixed now.
0
 
LVL 3

Expert Comment

by:lloydclinton
ID: 35033506
That would do it.  Glad you have it fixed!
0
 
LVL 1

Author Closing Comment

by:timbrigham
ID: 35081174
Found solution myself.
0

Featured Post

Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Current business processes need to constantly adapt to changing threats. Surely we do not want to be the next victim. We can take an active stance and stay agile. This article shares some tips.
A question that many companies need to answer until May 25th of 2018... Is your company ready for GDPR?
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

595 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question