BMaenpaa asked:

NET::ERR_CERT_REVOKE response, but only from two PCs

I have a Synology NAS that is secured using a Go Daddy SSL. It has been working fine for months and the certificate doesn't expire until 2019.

The Problem:
I have one user who receives the NET::ERR_CERT_REVOKE Revoked Certificate response trying to access the site from either Chrome or Edge browsers. He can access the site only from IE if I disable the 'Server Revocation Check'. He has two laptops and it is happening on both.

Here's the kicker:
All other users can access the site without error from any computers and mobile devices. I have tested this from multiple computers located all over the world and it always works as it should.

What I've done so far:
I verified the validity of the cert on both GoDaddy's site and the NAS.
I ran Full Scans of his computer using both AVG and Malwarebytes and they came back clean.
I tried uninstalling Chrome and re-installing.
I tried updating the CRLSet Component of Chrome.
I tried manually importing the certificate and private key to his Private Store on the computer.
I tried looking at blogs on this topic, but most don't really apply to this specific scenario.

Two Possibly Unrelated Observations
This first happened after both computers were at his home and I wonder if his home network might be involved, though I don't see how exactly.
He is the only domain user who claims that Outlook periodically prompts him for a password for his Exchange account. This also seems to be happening while at home. I have never been able to reproduce this issue. Whenever I remote-in to his computer and bounce Outlook it connects without issue.

Any suggestions would be appreciated.

Thanks in advance,
Brian
Jackie Man

Timezone difference?
Are the computers that are having the problems running the most recent versions of Firefox and Chrome? Are they fully patched using Windows Update?

Since the cert is supposed to be valid until 2019 I would not expect a timezone difference to cause this problem, maybe the time. Like the computers have had their years changed to 2019 or 2020.

The other possibility is the signing certs could have issues. Get a list of all the certs in the signing chain and then look at the local CA store on the computers having problems. It's possible that they have old versions of the signing certs that have expired.

IE uses the Windows CA store, Firefox and Chrome use their own CA stores.
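
One way to carry out the chain-versus-store comparison suggested above on a Windows client, as an added example that is not part of the original thread: it builds the chain under the current user's profile with online revocation checking and lists every same-subject certificate found in the user and machine stores. The host name `nas.example.com` is a placeholder.

```powershell
# Added example. $HostName is a placeholder; run it while logged in as the affected user.
$HostName = 'nas.example.com'
$Port     = 443

# Fetch the leaf certificate the server presents. The callback accepts any
# certificate so a leaf this profile would reject can still be inspected.
$acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
$ssl.AuthenticateAsClient($HostName)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

# Build the chain from this profile's stores, with online revocation checking.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
[void]$chain.Build($leaf)

$stores = 'CurrentUser\CA', 'CurrentUser\Root', 'CurrentUser\Disallowed',
          'LocalMachine\CA', 'LocalMachine\Root', 'LocalMachine\Disallowed'

foreach ($element in $chain.ChainElements) {
    $cert   = $element.Certificate
    $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $status) { $status = 'NoError' }
    "{0}`n  thumbprint={1} notAfter={2:yyyy-MM-dd} status={3}" -f `
        $cert.Subject, $cert.Thumbprint, $cert.NotAfter, $status

    # Every local certificate with the same subject. A different thumbprint is
    # an older or re-issued copy that chain building may pick up instead.
    foreach ($store in $stores) {
        Get-ChildItem "Cert:\$store" |
            Where-Object { $_.Subject -eq $cert.Subject } |
            ForEach-Object {
                $tag = if ($_.Thumbprint -eq $cert.Thumbprint) { 'same' } else { 'DIFFERENT' }
                "    {0,-24} {1} notAfter={2:yyyy-MM-dd} [{3}]" -f `
                    $store, $_.Thumbprint, $_.NotAfter, $tag
            }
    }
}
```

Running it once under the affected profile and once under a working profile on the same machine gives two listings that can be compared directly.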
BMaenpaa (ASKER)

Thanks for the quick response.
Time and zone are correct.
I reset Chrome and Internet Settings to defaults.
During my testing, I was able to login to a new Windows Profile on the user's machine and connect to the site without issue, so I assume it is a problem with that user's certificate store. I opened the MMC for his account certificates and deleted the existing site cert but not the intermediate or Third-Party Root certs for GoDaddy. This doesn't seem to have helped.
Strangely, I can access the OWA site at the same location that is also employing a GoDaddy cert without issue.
Any other suggestions?
Thanks,
Ah, just re-read your original post and the answer is there.  

"He can access the site only from IE if I disable the 'Server Revocation Check'."

Server Revocation Check is when client software, the browser in this case, checks to verify that a certificate has not been revoked by getting a CRL. A revoked certificate is one that looks like it should still be valid, but for some reason has been revoked. Normally because a private key has been stolen or compromised in some other way.

Here is a description of this process, which all browsers do.  IE allows you to disable this function, not sure if other browsers allow this.

https://blogs.msdn.microsoft.com/ieinternals/2011/04/07/understanding-certificate-revocation-checks/
Thanks giltjr,
That is an interesting article, but I don't see how it helps me to correct this issue.
There is actually no problem with the cert and the site is available from everywhere except from this computer while logged into this specific profile.
Could this be a product of his home network not allowing access to the Certificate Issuer in a timely manner? But then it works logged in as another user on the machine.
This feels like an infection of some kind, but the scans came up with nothing...
Thanks again.
If the CRL really has the certificate as being revoked, then there is nothing you can do about it other than figure out why.

However, I would suggest running a packet trace from his computer (I use Wireshark) to see what is going on.

I'm not sure what happens when you request a CRL and it does not return, or does not return fast enough.

Here are instructions to enable Certificate Revocation in Chrome. You can use them to verify the status of CR check in his Chrome (and yours):

https://scotthelme.co.uk/certificate-revocation-google-chrome/

You may want to see if your browser of choice is set up to check for certificates being revoked or not.
Thanks again giltjr,

Clearly there is great value to enabling Revocation Detection, and my intent in disabling it was only for testing purposes. Just trying to figure out why this is only happening to one person on two computers that otherwise permit access under different profiles, and how to return access.
I'm sure I could correct this by assigning a new computer from inventory, but I want to understand why.
Thanks again for your help. I will leave this thread open for a while in case I discover something worth sharing.
Um, interesting. If he is getting that error with Chrome, then it is possible he has an old version. Doing some more research, Google at some point (about 2 years ago) decided to not only make CR disabled by default, they don't even let you enable it through the GUI. It is a registry hack now.

I know at one time the default for IE was to check so I am assuming that MS made that the default for Edge.  Firefox seems to make checking the default.
ASKER CERTIFIED SOLUTION
BMaenpaa

This solution is only available to members.
Thanks to Giltjr for your time.
Hello

Thanks for your comments/solution. We just had the same thing happening and we found another problem. Our intermediate CA was rebuilt, and we deployed the wrong one, and all was working for 2-3 years. Now we found that the old one generates this error. It's very tricky because the certificate is NOK in Edge, but OK for Windows (that says the certificate is valid).
So we are trying to correct this issue on our domain now.
Thanks

Dan