timbrigham asked:

SSL Cert - Expired Base CRL

I'm getting some odd behavior from one of my certificates. One of my client computers is in the Philippines. The certificate revocation check is failing. I tried using certutil to locate the specifics. The line I'm concerned about is '  Expired "Base CRL (0128)" Time: 2'.
Is there anything I can do about this beyond hounding GoDaddy?
Issuer:
    SERIALNUMBER=07969287
    CN=Go Daddy Secure Certification Authority
    OU=http://certificates.godaddy.com/repository
    O=GoDaddy.com, Inc.
    L=Scottsdale
    S=Arizona
    C=US
Subject:
    CN=sage.cfcausa.org
    OU=Domain Control Validated
    O=sage.cfcausa.org
Cert Serial Number: b30864338111

dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
  NotBefore: 5/17/2010 6:48 AM
  NotAfter: 5/17/2013 6:48 AM
  Subject: CN=sage.cfcausa.org, OU=Domain Control Validated, O=sage.cfcausa.org
  Serial: b30864338111
  SubjectAltName: DNS Name=sage.cfcausa.org, DNS Name=www.sage.cfcausa.org
  af 64 77 ec ca 0f 27 34 92 f8 bc 42 e8 71 20 a1 01 38 70 00
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0
    [0.0] http://certificates.godaddy.com/repository/gd_intermediate.crt

  ----------------  Certificate CDP  ----------------
  Expired "Base CRL (0128)" Time: 2
    [0.0] http://crl.godaddy.com/gds1-18.crl

  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  Expired "OCSP" Time: 0
    [0.0] http://ocsp.godaddy.com/

  --------------------------------
    CRL (null):
    Issuer: CN=Go Daddy Validation Authority, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
    a6 e3 43 86 48 b5 24 a5 f3 37 b6 b4 c4 f9 36 08 37 2f 20 b7
  Issuance[0] = 2.16.840.1.114413.1.7.23.1 
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
  NotBefore: 11/15/2006 5:54 PM
  NotAfter: 11/15/2026 5:54 PM
  Subject: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
  Serial: 0301
  7c 46 56 c3 06 1f 7f 4c 0d 67 b3 19 a8 55 f6 0e bc 11 fc 44
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  Verified "Base CRL" Time: 0
    [0.0] http://certificates.godaddy.com/repository/gdroot.crl

  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  Expired "OCSP" Time: 0
    [0.0] http://ocsp.godaddy.com

  --------------------------------
    CRL (null):
    Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
    71 5e 17 9c e1 9d 21 fb 41 90 1d f9 88 4b 48 48 ba 9c 39 a2
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
  Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing

CertContext[0][2]: dwInfoStatus=109 dwErrorStatus=0
  Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
  NotBefore: 6/29/2004 9:06 AM
  NotAfter: 6/29/2034 9:06 AM
  Subject: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
  Serial: 00
  27 96 ba e6 3f 18 01 e2 77 26 1b a0 d7 77 70 02 8f 20 ee e4
  Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
  Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing

Exclude leaf cert:
  db c6 89 f7 80 c3 d8 9e 1f 5b b0 7b 17 99 ac 78 96 72 03 3b
Full chain:
  be f4 47 1d e2 f6 27 8f 5b b1 5f b1 8b b9 ab d4 ed be 29 f2
------------------------------------
Verified Issuance Policies:
    2.16.840.1.114413.1.7.23.1
Verified Application Policies:
    1.3.6.1.5.5.7.3.1 Server Authentication
    1.3.6.1.5.5.7.3.2 Client Authentication
Cert is an End Entity certificate

ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

CertUtil: -verify command completed successfully.
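
An added example, not part of the original question and not code from certutil or GoDaddy: a small Python parser for `certutil -verify` output like the trace above. It decodes each chain element's dwErrorStatus word and lists the CDP/OCSP retrievals that were not reported as Verified. The function names parse_verify and failed_fetches are hypothetical, and the sample is abridged from the trace in the question.

```python
import re

# CERT_TRUST_* error bits (wincrypt.h); the trace in the question sets 0x40 and 0x1000000.
ERROR_BITS = {0x1: "CERT_TRUST_IS_NOT_TIME_VALID", 0x4: "CERT_TRUST_IS_REVOKED",
              0x40: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
              0x1000000: "CERT_TRUST_IS_OFFLINE_REVOCATION"}
CTX = re.compile(r"^CertContext\[\d+\]\[(\d+)\]: dwInfoStatus=\w+ dwErrorStatus=([0-9a-fA-F]+)")
SECTION = re.compile(r"^\s*-{4,}\s+(.+?)\s+-{4,}\s*$")   # "----  Certificate CDP  ----"
FETCH = re.compile(r'^\s*([A-Za-z ]+?) "[^"]+" Time: \d+')  # 'Expired "Base CRL (0128)" Time: 2'
URL = re.compile(r"^\s*\[\d+\.\d+\]\s+(\S+)")             # "[0.0] http://..."

def parse_verify(text):
    """One dict per chain element: decoded error flags plus each URL retrieval result."""
    elements, cur, section, fetch = [], None, None, None
    for line in text.splitlines():
        if (m := CTX.match(line)):
            cur = {"index": int(m.group(1)), "subject": None, "fetches": [], "errors": [
                name for bit, name in ERROR_BITS.items() if int(m.group(2), 16) & bit]}
            elements.append(cur)
            section = fetch = None      # sections never carry over between elements
        elif cur and line.strip().startswith("Subject:"):
            cur["subject"] = line.split("Subject:", 1)[1].strip()
        elif (m := SECTION.match(line)):
            section, fetch = m.group(1), None
        elif cur and section and (m := FETCH.match(line)):
            fetch = {"section": section, "status": m.group(1), "urls": []}
            cur["fetches"].append(fetch)
        elif fetch and (m := URL.match(line)):
            fetch["urls"].append(m.group(1))
    return elements

def failed_fetches(elements):
    """Retrievals certutil did not report as Verified, skipping sections with no URLs."""
    return [(e["index"], f["section"], f["status"], f["urls"]) for e in elements
            for f in e["fetches"] if f["status"] not in ("Verified", "No URLs")]

SAMPLE = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Subject: CN=sage.cfcausa.org, OU=Domain Control Validated, O=sage.cfcausa.org
  ----------------  Certificate CDP  ----------------
  Expired "Base CRL (0128)" Time: 2
    [0.0] http://crl.godaddy.com/gds1-18.crl
  ----------------  Certificate OCSP  ----------------
  Expired "OCSP" Time: 0
    [0.0] http://ocsp.godaddy.com/
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  ----------------  Certificate CDP  ----------------
  Verified "Base CRL" Time: 0
    [0.0] http://certificates.godaddy.com/repository/gdroot.crl
"""  # abridged from the certutil trace in the question
```

Calling failed_fetches(parse_verify(SAMPLE)) returns the leaf certificate's CDP and OCSP entries, the two retrievals the trace marks as Expired.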


lloydclinton

Do you have the GoDaddy intermediate certificate installed also?
ASKER CERTIFIED SOLUTION
timbrigham
This solution is only available to members.
That would do it.  Glad you have it fixed!
timbrigham (ASKER)

Found solution myself.