Solved

SSL Cert -   Expired Base CRL

Posted on 2011-03-03
4
1,488 Views
Last Modified: 2012-05-11
I'm getting some odd behavior from one of my certificates. One of my client computers is in the Philippines. The certificate revocation check is failing. I tried using certutil to locate the specifics. The line I'm concerned about is '  Expired "Base CRL (0128)" Time: 2'.
Is there anything I can do about this beyond hounding GoDaddy?
Issuer:
    SERIALNUMBER=07969287
    CN=Go Daddy Secure Certification Authority
    OU=http://certificates.godaddy.com/repository
    O=GoDaddy.com, Inc.
    L=Scottsdale
    S=Arizona
    C=US
Subject:
    CN=sage.cfcausa.org
    OU=Domain Control Validated
    O=sage.cfcausa.org
Cert Serial Number: b30864338111

dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
  NotBefore: 5/17/2010 6:48 AM
  NotAfter: 5/17/2013 6:48 AM
  Subject: CN=sage.cfcausa.org, OU=Domain Control Validated, O=sage.cfcausa.org
  Serial: b30864338111
  SubjectAltName: DNS Name=sage.cfcausa.org, DNS Name=www.sage.cfcausa.org
  af 64 77 ec ca 0f 27 34 92 f8 bc 42 e8 71 20 a1 01 38 70 00
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0
    [0.0] http://certificates.godaddy.com/repository/gd_intermediate.crt

  ----------------  Certificate CDP  ----------------
  Expired "Base CRL (0128)" Time: 2
    [0.0] http://crl.godaddy.com/gds1-18.crl

  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  Expired "OCSP" Time: 0
    [0.0] http://ocsp.godaddy.com/

  --------------------------------
    CRL (null):
    Issuer: CN=Go Daddy Validation Authority, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
    a6 e3 43 86 48 b5 24 a5 f3 37 b6 b4 c4 f9 36 08 37 2f 20 b7
  Issuance[0] = 2.16.840.1.114413.1.7.23.1 
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
  NotBefore: 11/15/2006 5:54 PM
  NotAfter: 11/15/2026 5:54 PM
  Subject: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
  Serial: 0301
  7c 46 56 c3 06 1f 7f 4c 0d 67 b3 19 a8 55 f6 0e bc 11 fc 44
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  Verified "Base CRL" Time: 0
    [0.0] http://certificates.godaddy.com/repository/gdroot.crl

  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  Expired "OCSP" Time: 0
    [0.0] http://ocsp.godaddy.com

  --------------------------------
    CRL (null):
    Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
    71 5e 17 9c e1 9d 21 fb 41 90 1d f9 88 4b 48 48 ba 9c 39 a2
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
  Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing

CertContext[0][2]: dwInfoStatus=109 dwErrorStatus=0
  Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
  NotBefore: 6/29/2004 9:06 AM
  NotAfter: 6/29/2034 9:06 AM
  Subject: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
  Serial: 00
  27 96 ba e6 3f 18 01 e2 77 26 1b a0 d7 77 70 02 8f 20 ee e4
  Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
  Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing

Exclude leaf cert:
  db c6 89 f7 80 c3 d8 9e 1f 5b b0 7b 17 99 ac 78 96 72 03 3b
Full chain:
  be f4 47 1d e2 f6 27 8f 5b b1 5f b1 8b b9 ab d4 ed be 29 f2
------------------------------------
Verified Issuance Policies:
    2.16.840.1.114413.1.7.23.1
Verified Application Policies:
    1.3.6.1.5.5.7.3.1 Server Authentication
    1.3.6.1.5.5.7.3.2 Client Authentication
Cert is an End Entity certificate

ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

CertUtil: -verify command completed successfully.

Open in new window

0
Comment
Question by:timbrigham
  • 2
  • 2
4 Comments
 
LVL 3

Expert Comment

by:lloydclinton
ID: 35033477
Do you have the GoDaddy intermediate certificate installed also?
0
 
LVL 1

Accepted Solution

by:
timbrigham earned 0 total points
ID: 35033493
Yes. I just found the solution - the bloody time zone wasn't set right on the remote computer, therefore it was always 12-24 hours ahead of when the current crl is valid. Fixed now.
0
 
LVL 3

Expert Comment

by:lloydclinton
ID: 35033506
That would do it.  Glad you have it fixed!
0
 
LVL 1

Author Closing Comment

by:timbrigham
ID: 35081174
Found solution myself.
0

Featured Post

Live: Real-Time Solutions, Start Here

Receive instant 1:1 support from technology experts, using our real-time conversation and whiteboard interface. Your first 5 minutes are always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html) provided 218 attendees with a step-by-step guide for identifying Acti…
With healthcare moving into the digital age with things like Healthcare.gov, the digitization of patient records and video conferencing with patients, data has a much greater chance of being exposed than ever before.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

785 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question