Solved

NET::ERR_CERT_REVOKE response, but only from two PCs

Posted on 2016-07-29
Last Modified: 2016-09-01
I have a Synology NAS that is secured using a Go Daddy SSL. It has been working fine for months and the certificate doesn't expire until 2019.

The Problem:
I have one user who receives the NET::ERR_CERT_REVOKE Revoked Certificate response trying to access the site from either Chrome or Edge browsers. He can access the site only from IE if I disable the 'Server Revocation Check'. He has two laptops and it is happening on both.

Here's the kicker:
All other users can access the site without error from any computers and mobile devices. I have tested this from multiple computers located all over the world and it always works as it should.

What I've done so far:
I verified the validity of the cert on both GoDaddy's site and the NAS.
I ran Full Scans of his computer using both AVG and Malwarebytes and they came back clean.
I tried uninstalling Chrome and re-installing.
I tried updating the CRLSet Component of Chrome.
I tried manually importing the certificate and private key to his Private Store on the computer.
I tried looking at blogs on this topic, but most don't really apply to this specific scenario.

Two Possibly Unrelated Observations
This first happened after both computers were at his home and I wonder if his home network might be involved, though I don't see how exactly.
He is the only domain user who claims that Outlook periodically prompts him for a password for his Exchange account. This also seems to be happening while at home. I have never been able to reproduce this issue. Whenever I remote-in to his computer and bounce Outlook it connects without issue.

Any suggestions would be appreciated.

Thanks in advance,
Brian
Question by:BMaenpaa
10 Comments
 
LVL 46

Expert Comment

by:Jackie Man
ID: 41735685
Timezone difference?
0
 
LVL 57

Expert Comment

by:giltjr
ID: 41735697
Are the computers that are having the problems running the most recent versions of Firefox and Chrome? Are they fully patched using Windows Update?

Since the cert is supposed to be valid until 2019 I would not expect a timezone difference to cause this problem, maybe the time. Like the computers have had their years changed to 2019 or 2020.

The other possibility is the signing certs could have issues. Get a list of all the certs in the signing chain and then look at the local CA store on the computers having problems. It's possible that they have old versions of the signing certs that have expired.

IE uses the Windows CA store, Firefox and Chrome use their own CA stores.
0
 

Author Comment

by:BMaenpaa
ID: 41739379
Thanks for the quick response.
Time and zone are correct.
I reset Chrome and Internet Settings to defaults.
During my testing, I was able to login to a new Windows Profile on the user's machine and connect to the site without issue, so I assume it is a problem with that user's certificate store. I opened the MMC for his account certificates and deleted the existing site cert but not the intermediate or Third-Party Root certs for GoDaddy. This doesn't seem to have helped.
Strangely, I can access the OWA site at the same location that is also employing a GoDaddy cert without issue.
Any other suggestions?
Thanks,
0
 
LVL 57

Expert Comment

by:giltjr
ID: 41739412
Ah, just re-read your original post and the answer is there.  

"He can access the site only from IE if I disable the 'Server Revocation Check'."

Server Revocation Check is when client software, the browser in this case, checks to verify that a certificate has not been revoked by getting a CRL. A revoked certificate is one that looks like it should still be valid, but for some reason has been revoked. Normally because a private key has been stolen or compromised in some other way.

Here is a description of this process, which all browsers do.  IE allows you to disable this function, not sure if other browsers allow this.

https://blogs.msdn.microsoft.com/ieinternals/2011/04/07/understanding-certificate-revocation-checks/
0
 

Author Comment

by:BMaenpaa
ID: 41739498
Thanks giltjr,
That is an interesting article, but I don't see how it helps me to correct this issue.
There is actually no problem with the cert and the site is available from everywhere except from this computer while logged into this specific profile.
Could this be a product of his home network not allowing access to the Certificate Issuer in a timely manner? But then it works logged in as another user on the machine.
This feels like an infection of some kind, but the scans came up with nothing...
Thanks again.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 41739765
If the CRL really has the certificate as being revoked, then there is nothing you can do about it other than figure out why.

However, I would suggest running a packet trace from his computer (I use Wireshark) to see what is going on.

I'm not sure what happens when you request a CRL and it does not return, or does not return fast enough.

Here are instructions to enable Certificate Revocation in Chrome. You can use them to verify the status of CR check in his Chrome (and yours):

https://scotthelme.co.uk/certificate-revocation-google-chrome/

You may want to see if your browser of choice is set up to check for certificates being revoked or not.
0
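
Added example, not part of the thread or any poster's code: the PowerShell below carries out the two checks suggested in the comments above, listing each certificate in the signing chain against the local certificate stores and showing what the revocation check returns for it. Run it once in the affected profile and once in a working one and compare the output; the host name `nas.example.com` and both function names are assumptions.

```powershell
# Added example: function names and the host name are illustrative placeholders.
function Get-ServerCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept whatever the server presents: the goal is to capture the
        # certificate for inspection, not to trust this connection.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally { $tcp.Dispose() }
}

function Get-ChainStoreReport {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Build the chain in the current user's context with online revocation
    # checking, so CRL/OCSP retrieval problems show up in the element status.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    [void]$chain.Build($Certificate)

    foreach ($el in $chain.ChainElements) {
        $tp = $el.Certificate.Thumbprint
        # Statuses of interest here: Revoked, RevocationStatusUnknown,
        # OfflineRevocation, ExplicitDistrust, NotTimeValid.
        $flags = @($el.ChainElementStatus | ForEach-Object { $_.Status })
        # CurrentUser views of Root, CA and Disallowed also surface machine-wide
        # entries, so a hit under CurrentUser with no LocalMachine hit is
        # specific to this profile.
        $found = foreach ($loc in 'CurrentUser', 'LocalMachine') {
            foreach ($s in 'My', 'CA', 'Root', 'Disallowed') {
                if (Test-Path "Cert:\$loc\$s\$tp") { "$loc\$s" }
            }
        }
        [pscustomobject]@{
            Subject    = $el.Certificate.Subject
            Thumbprint = $tp
            NotAfter   = $el.Certificate.NotAfter
            Status     = if ($flags) { $flags -join ',' } else { 'NoError' }
            Stores     = $found -join ', '
        }
    }
}

$cert = Get-ServerCertificate -HostName 'nas.example.com'   # placeholder host
Get-ChainStoreReport -Certificate $cert | Format-List
```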
 

Author Comment

by:BMaenpaa
ID: 41739771
Thanks again giltjr,

Clearly there is great value to enabling Revocation Detection, and my intent in disabling it was only for testing purposes. Just trying to figure out why this is only happening to one person on two computers that otherwise permit access under different profiles and how to return access.
I'm sure I could correct this by assigning a new computer from inventory, but I want to understand why.
Thanks again for your help. I will leave this thread open for a while in case I discover something worth sharing.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 41739783
Um, interesting. If he is getting that error with Chrome, then it is possible he has an old version. Doing some more research, Google at some point (about 2 years ago) decided to not only make CR disabled by default, they don't even let you enable it through the GUI. It is a registry hack now.

I know at one time the default for IE was to check so I am assuming that MS made that the default for Edge.  Firefox seems to make checking the default.
0
 

Accepted Solution

by:
BMaenpaa earned 0 total points
ID: 41773073
The only solution was actually a workaround. Though removing Chrome and all instances of Chrome folder didn't work, I found deleting the entire profile from the machine and re-creating solved the issue.
I think this may have been some type of infection/exploit that the scanners couldn't identify.
0
 

Author Closing Comment

by:BMaenpaa
ID: 41779495
Thanks to Giltjr for your time.
0
