Exchange 2013 Certificate revocation failure

Asked by usmansultan (Australia)

We are using Exchange 2013, and we have started to receive "Revocation check failed" for the SSL certificate we purchased from GoDaddy; I have attached a screenshot.
I have tried to follow the instructions at "https://blogs.technet.microsoft.com/bshukla/2012/04/30/certificate-revocation-checked-failed/" but after step 2 I receive an error:
[SC] CreateService FAILED 1073:

The specified service already exists.

So even if I continue after this, nothing happens, meaning I don't see step 4, which is "Locate the 'Interactive Services Detection' icon blinking in the taskbar and click 'view message'".

We do use a proxy (BlueCoat), which I have taken out, but that still doesn't seem to resolve the issue.

thanks.
Cert.JPG
Saif Shaikh (India):

Kindly contact your third-party vendor GoDaddy to rekey the cert, since revocation failure means that GoDaddy has discarded the cert since he feels that you might be using this cert at multiple places without purchasing the rights.
usmansultan (asker):
Already contacted them, but that's not the solution.
For the time being, on the Exchange servers open IE options and from the Advanced tab disable the certificate revocation check and verification options.
Please list an article which details the steps; I am not looking for a temp fix, I need a permanent solution.
thanks.
I found the settings which you mentioned, but if I tick it off, won't that stop checking for certificate revocation? I mean the certificate is expiring in 3 days; it will still expire.
If the certificate is expiring in 3 days, just renew it; the trick is only to avoid the revocation failed message so you can continue any operation which may get halted due to the revocation error.
That also happens if the certificate is unable to communicate with the revocation URL.
When I click on Renew, I get the following screenshot "Renew" to create a certificate .REQ from the local CA authority, so I created a certificate request from the Exchange server; if you look at the second screenshot "cert1", it's sitting there for approval. Should I approve it? It's not an SSL certificate.
Cert1.JPG
renew.JPG
The solution is just to renew the certificate again.

Steps:
1. Create a new request (.req) on the Exchange server.
2. Take the CSR file and submit it to GoDaddy.
3. Validate the cert using the DNS or TXT method.
4. Take the cert and apply it to the certificate using "Complete Certificate Request".
5. Set SCP points using my script https://gallery.technet.microsoft.com/office/Script-to-configure-the-5a58558b with options -set -urlpath "https://mail.yourdomain.com"
6. In the Exchange console run Get-ExchangeCertificate, select the thumbprint of the new cert, and use:
7. Get-ExchangeCertificate -Thumbprint xxxxvaluexxxx | Enable-ExchangeCertificate -Services IIS,SMTP
8. Change the binding on IIS for the back end to the new cert.

enjoy
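The renewal steps above, written out as Exchange Management Shell commands. This is an added example, not Jose's script or anything posted in the thread; the server name EX01, the example.com host names, the file paths, the PFX-less .cer path and the placeholder thumbprint are assumptions, and the last step uses the IIS WebAdministration module to rebind the Exchange Back End site. It also covers the later question of how to confirm from PowerShell which certificate is the active one.

```powershell
# Added example: certificate renewal on Exchange 2013 via the Exchange Management Shell.
# All names below (EX01, mail.example.com, paths, thumbprints) are placeholders.

# Step 1: generate a new request (CSR). Keep the private key exportable so the
# same certificate can later be moved to the other Exchange servers.
$request = New-ExchangeCertificate -GenerateRequest `
    -Server 'EX01' `
    -SubjectName 'CN=mail.example.com, O=Example Ltd, C=AU' `
    -DomainName 'mail.example.com','autodiscover.example.com' `
    -PrivateKeyExportable $true `
    -KeySize 2048 `
    -FriendlyName 'mail.example.com renewal'
Set-Content -Path '\\EX01\c$\certs\mail.req' -Value $request

# Step 2/3 happen at GoDaddy: submit mail.req and pass domain validation.

# Step 4: complete the pending request with the .cer GoDaddy returns.
$certBytes = [Byte[]](Get-Content -Path '\\EX01\c$\certs\mail.cer' -Encoding Byte -ReadCount 0)
$imported  = Import-ExchangeCertificate -Server 'EX01' -FileData $certBytes

# Step 6: list certificates so the new one can be told from the old by expiry.
Get-ExchangeCertificate -Server 'EX01' |
    Sort-Object NotAfter -Descending |
    Format-Table Thumbprint, NotAfter, Services, Status, Subject -AutoSize

# Step 7: enable the new certificate for IIS and SMTP.
# -Force answers the "overwrite the default SMTP certificate" prompt.
$thumb = $imported.Thumbprint
Enable-ExchangeCertificate -Server 'EX01' -Thumbprint $thumb -Services IIS,SMTP -Force

# Verification: the new certificate should now list IIS and SMTP under Services.
# Status 'Valid' is what you want; 'RevocationCheckFailure' means the server
# could not fetch the CRL, which is a connectivity problem rather than a bad cert.
Get-ExchangeCertificate -Server 'EX01' -Thumbprint $thumb |
    Format-List Thumbprint, Services, Status, NotAfter, CertificateDomains

# Step 8: rebind the 'Exchange Back End' IIS site (port 444) to the same
# certificate. Run this locally on EX01; requires the WebAdministration module.
Import-Module WebAdministration
$backEnd = Get-WebBinding -Name 'Exchange Back End' -Protocol https -Port 444
$backEnd.AddSslCertificate($thumb, 'my')
```

Run the script step by step rather than as one pass, since the GoDaddy validation between the request and the import can take from minutes to days. Repeat the back-end binding on every server that receives the certificate, otherwise OWA and ECP proxying to port 444 can break.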
You already requested either a new certificate or raised a renew request?

You need to submit that request file to the public CA (GoDaddy in your case), get the new cert from them and complete the cert installation from the pending request.
I know this is a bit off the solution, but it looks like this might be helpful in case it becomes a solution. And yes, it's not me who invented it :)

Can you verify the time on the DC and the Exchange server. Not only the time; verify that the date is correct on both servers.

https://social.technet.microsoft.com/Forums/ie/en-US/4a9acd21-b8ea-4d40-8792-3cbf3621a32b/godaddy-cert-exchange-2013-enterprise-no-proxy-revocation-check-failed?forum=exchangesvrgeneral
Concerned that we may have strayed from your question somewhat.

Firstly, the 'Revocation check failed' error doesn't mean there is anything wrong with the cert, it simply means that Exchange failed to check its status on a published list of valid certs.
The issue is with the check, not with the cert.

Secondly, you've rightly removed the proxy settings to see if it helps, but that amends the user you are logged in with, not necessarily the user the service is running under. You have attempted to follow the proper path to resolve this, as it is usually an issue with the service account that is trying to run the check, but step 2 failed!

So if step 2 failed it suggests there has been a previous attempt to set up this 'testsvc' service (which is a little worrying, as it means someone's tried doing this before...)

Open services.msc and see if a service exists called 'testsvc'. Assuming it does, type 'sc delete testsvc' to delete it (from an elevated CMD prompt).

Then try the steps again.
Take a look at Steve's update.

My suggestion is to test your cert using the openssl command line tool.

If you publish your hostname + service being used (IMAP, POP, etc...) then someone can test your cert for you + determine if there's really a problem.

You can do this yourself also, using this command...

imac> echo QUIT | openssl s_client -servername mailstore.davidfavor.com -connect mailstore.davidfavor.com:993 2>&1 | openssl x509 -noout -text | egrep -i -e after -e dns:
            Not After : Feb 15 11:31:45 2019 GMT
                DNS:mailstore.davidfavor.com

You can use -servername to force a specific hostname in a lookup if required.

As Steve suggested, be sure to use a working test tool.

Tip: The definitive standard is the openssl command line tool. If openssl says all's well + another tester says something's broken, always trust openssl over other test tools.
I followed the steps in the article I posted in my question and rebooted the Exchange server, but it's still showing "Revocation check failed" for the GoDaddy cert.
Just want to confirm before I proceed that getting a new cert from GoDaddy is the only option now?
I will submit the .CSR file to GoDaddy, which will issue a new certificate, and our current certificate will be revoked.
Well, I think those were exactly the steps I gave you in my answer. You can just skip the certificate if it's not "in good shape"; you can just do the re-key and move on.
Don't you already have a CSR generated?
Your pending request indicates that you already generated a certificate request.

If not, then delete this pending request and generate a new request again through the existing certificate renewal process.
Yes, I already have a CSR generated, but I haven't submitted it to GoDaddy. So I should follow the steps from Jose to submit the CSR and obtain the new cert?
@Jose can you please elaborate a bit more on your step 8, "change the binding on IIS for the back end to the new cert"? thanks
Yes sir, I've already covered it in my Exchange blog.

It's here:
https://messaging.faboit.com/2014/12/blank-screen-after-login-via-owa-in.html
Change the binding on the Back End IIS site to match the certificate that you changed.
Should I approve the pending request under the Exchange Management Console for the CSR which I generated before submitting it to GoDaddy?
Vidit Bhardwaj:

Revocation check fails means that your Exchange server is not able to reach the CRL URL.

This doesn't have a direct impact on your client connectivity or mail flow.

To fix this issue, make sure you have allowed the Exchange server system account to access those URLs (you can find them in the certificate properties) across the firewall.
I have submitted the CSR to GoDaddy, the new certificate has been generated, and I have placed the .p7b file under Intermediate Certification Authorities.
Now should I complete the request which I generated a few days back? Please refer to the screenshot.
How can I generate the .CER certificate which it's asking for?
Thanks
certreq.JPG
CER.JPG
If GoDaddy sends you the certificate, it should be in CER format.
Place it on the server under the C drive and use the UNC path \\server\c$\cert.cer to complete the pending request.
Thanks, that's applied, but under "applied to" it doesn't show IIS and SMTP?
smtp.JPG
I found it under settings, and it asked me to activate the new cert for IIS and SMTP. I said Yes.
The new cert expires in 2020, but even on the new cert it's showing the same error "Revocation check failed".
I suggested you renew the cert since the current one is already about to expire.
You have some internet reachability issue; make sure you can communicate with the GoDaddy CRL URL.
You can find one in the certificate properties / Details tab.
Somehow the system account is unable to download and apply the CRL.
Maybe you can open full internet access on the Exchange servers and check if your issue gets resolved.
You can run a network capture tool to check if traffic is getting blocked towards GoDaddy.

Else, until the internet problem is resolved, as stated earlier, turn off revocation checking through IE.
GoDaddy won't revoke your certificate by doing so; you can confirm with them any time by making a call.
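The checks Vidit and Saif describe (find the CRL URL in the certificate, confirm the server can reach it, remember that the check runs as the system account rather than the logged-on user) as a PowerShell script. This is an added example, not anything posted in the thread; the thumbprint is a placeholder and the script must run on the Exchange server itself, since the point is to test that server's own path to the CRL.

```powershell
# Added example: diagnose 'Revocation check failed' for an Exchange certificate.
# (a) read the CRL distribution points embedded in the certificate,
# (b) test whether this server can download them,
# (c) show the WinHTTP proxy that LocalSystem services use,
# (d) let certutil build the chain with online revocation fetching.
# PLACEHOLDER_THUMBPRINT must be replaced with the Exchange cert's thumbprint.

$thumb = 'PLACEHOLDER_THUMBPRINT'
$cert  = Get-Item -Path "Cert:\LocalMachine\My\$thumb"

# (a) CRL Distribution Points extension (OID 2.5.29.31) -> list of URLs.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) { throw "Certificate $thumb has no CRL Distribution Points extension" }
$crlUrls = [regex]::Matches($cdp.Format($true), 'https?://[^\s]+') |
    ForEach-Object { $_.Value }
"CRL distribution points:"
$crlUrls

# (b) Quick reachability test as the current user. A failure here is
# conclusive; a success only proves the logged-on user's path works.
foreach ($url in $crlUrls) {
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        "OK   {0} ({1} bytes)" -f $url, $resp.Content.Length
    } catch {
        "FAIL {0}: {1}" -f $url, $_.Exception.Message
    }
}

# (c) Exchange runs the revocation check as LocalSystem, which ignores the
# logged-on user's Internet Explorer proxy. The machine-wide WinHTTP proxy is
# what matters; 'Direct access (no proxy server)' with a BlueCoat in the path
# means the CRL fetch never leaves the network.
netsh winhttp show proxy
# To make LocalSystem use the same proxy as the IE settings of this account:
#   netsh winhttp import proxy source=ie
# and allow outbound HTTP from the Exchange servers to the CRL hosts on the proxy/firewall.

# (d) Full chain build with online CRL/OCSP fetch, the way Windows does it.
# Read the output for 'Revocation check' and 'ERROR: Verifying' lines.
$cerPath = Join-Path $env:TEMP 'exchange-cert.cer'
[System.IO.File]::WriteAllBytes($cerPath, $cert.Export('Cert'))
certutil -verify -urlfetch $cerPath
```

If (b) succeeds as your admin account but (d) still reports a revocation failure, the difference is almost always the proxy or firewall rule applied to LocalSystem, which is also why removing the proxy from the logged-on user's IE settings did not help earlier in the thread. A network capture on the server while `certutil -verify -urlfetch` runs shows whether the request to the CRL host leaves the box at all.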
The cert has been renewed and already applied; what are the Exchange PowerShell commands to make sure the new cert is the active one and is working properly?

thanks
Outlook keeps connecting and disconnecting; do I have to restart the Exchange server?
Check that the Microsoft Exchange Information Store service is not crashing on the server, which would cause the Exchange database to go down. Certificate renewal has nothing to do with Outlook disconnecting and reconnecting.
Guys, renewing the cert does nothing to solve the original question as noted earlier in the thread.
@steve:
check my last response
We are a single domain, single forest AD environment.
What I am trying to say is that we have 5 different regions, each with its own Exchange server, but we use one SSL certificate for all sites.
One of the sites has reported they are getting the message attached. Basically it says their SSL certificate has expired; in my view it's still looking at the old cert, even though I have activated the new one.
How can I fix this?
thanks
SSL.jpg
I had a look at the Exchange servers for the other regions; they don't have the new certificate, so how can I export the certificate which I generated and apply it on the other Exchange servers?
1. Open MMC and add the Certificates snap-in for the Local Computer account.

2. Double-click on the recently imported certificate.

Note: In Windows Server 2012 it will be the certificate missing the golden key beside it.

3. Select the Details tab.

4. Click on the Serial Number field and copy that string.

Note: You may use CTRL+C, but not right-click and copy.

5. Open a command prompt session (cmd.exe, aka DOS prompt).

6. Type: certutil -repairstore my "SerialNumber" (SerialNumber is the value copied in step 4).

7. After running the above command, go back to the MMC, right-click Certificates and select Refresh (or hit F5 in the MMC).

8. Double-click on the problem certificate. At the bottom of this window (General tab) it should state: "You have a private key that corresponds to this certificate."

9. Now that the private key is attached to the certificate, proceed to enable the Exchange services.

This solved my issue across sites, and it also fixed the "Revocation check failed" error.
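The two pieces of the asker's final answer, scripted: first the certutil -repairstore step from the list above, applied to every certificate in the machine store that lacks a private key, then the export and import that the question before the list asks about, so the renewed certificate is installed and enabled on the other regions' Exchange servers. This is an added example, not code from the thread; the server name EX01, the UNC path, the placeholder thumbprint and the choice to enable IIS and SMTP on every server are assumptions. Run it from the Exchange Management Shell on EX01.

```powershell
# Added example: (1) re-attach a private key that the MMC shows as missing after
# importing the issued .cer, then (2) export the certificate with its private key
# and import + enable it on the remaining Exchange servers.
# EX01, the share path and PLACEHOLDER_THUMBPRINT are placeholders.

# (1) Certificates in the local machine store without a private key.
#     certutil -repairstore re-links the key pair generated with the CSR.
$orphans = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { -not $_.HasPrivateKey }
foreach ($c in $orphans) {
    "Repairing {0} (serial {1}, expires {2})" -f $c.Subject, $c.SerialNumber, $c.NotAfter
    certutil -repairstore my $c.SerialNumber
}

# (2) Export the renewed certificate, private key included, from EX01.
$thumb  = 'PLACEHOLDER_THUMBPRINT'
$pfxPwd = Read-Host -Prompt 'PFX password' -AsSecureString
$export = Export-ExchangeCertificate -Server 'EX01' -Thumbprint $thumb -BinaryEncoded -Password $pfxPwd
$pfxPath = '\\EX01\c$\certs\mail.pfx'
Set-Content -Path $pfxPath -Value $export.FileData -Encoding Byte

# Import and enable on every other Exchange server in the organisation.
$otherServers = (Get-ExchangeServer | Where-Object { $_.Name -ne 'EX01' }).Name
foreach ($srv in $otherServers) {
    $pfxBytes = [Byte[]](Get-Content -Path $pfxPath -Encoding Byte -ReadCount 0)
    Import-ExchangeCertificate -Server $srv -FileData $pfxBytes -Password $pfxPwd -PrivateKeyExportable $true
    Enable-ExchangeCertificate -Server $srv -Thumbprint $thumb -Services IIS,SMTP -Force
}

# Remove the PFX from the share once every server has it; it contains the private key.
Remove-Item -Path $pfxPath -Force

# Check that every server now presents the same certificate for IIS and SMTP.
Get-ExchangeServer | ForEach-Object {
    Get-ExchangeCertificate -Server $_.Name -Thumbprint $thumb |
        Select-Object @{n='Server'; e={ $_.Identity.Split('\')[0] }},
                      Thumbprint, Services, Status, NotAfter
} | Format-Table -AutoSize
```

The private key never left EX01 in the original procedure; the export makes a copy of it, so treat the PFX and its password like any other credential and delete the file as soon as the imports are done. The Exchange Back End site on each of the other servers still needs its IIS binding moved to the new certificate, the same way as on the first server.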