Certificate Revocation Lookup Failure Oct 19 2021

We're seeing Certificate Revocation Lookup Failure errors all of a sudden today.

We're seeing the problem occurring across dozens of LetsEncrypt certs hosted in multiple AWS regions and accessed from all over the USA.

I'm guessing there's a problem with the CRL/OCSP infrastructure. Anyone else seeing problems?

NetCraft doesn't show anything weird: Performance Report for r3.o.lencr.org | Netcraft

Are you seeing these CRL failures for this certificate?

ISRG Root X1 signed by DST Root CA X3

If so, that's expected since the CRL for DST Root CA X3 is no longer operational.

No, we already went through the Root expiration fiasco. These are all certs that were deleted and issued brand new on Sept 29 2021, and this issue just started today.

Cert Chain:

R3

Fingerprint SHA256: 67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd
Pin SHA256: jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=
RSA 2048 bits (e 65537) / SHA256withRSA

ISRG Root X1   Self-signed

Fingerprint SHA256: 96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6
Pin SHA256: C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M=
RSA 4096 bits (e 65537) / SHA256withRSA

Could you please specify what exact issue you're having? Error messages? Details? Anything?

Office 365 authentication through ADFS Web Application Proxy and also RDP Gateway connections using Let's Encrypt cert are throwing warnings:

And what's the content of "View Certificate"?

It's not a cert issue, just started having problems today.
Have one right now where a colleague is seeing an issue but I'm not.

Looks like it might be a DNS issue with Quad9 resolving OCSP servers.

[1]Authority Info Access
Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
Alternative Name:
URL=http://r3.o.lencr.org
[2]Authority Info Access
Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
Alternative Name:
URL=http://r3.i.lencr.org/
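A diagnostic for the situation described in the post above, added here as an example and not taken from the thread or from Let's Encrypt: it reads the OCSP and CA Issuers URLs out of a certificate's Authority Information Access extension and asks several resolvers for each host, so a single resolver that blocks or fails to resolve the OCSP responder stands out against the others. It assumes openssl and dig are installed; the resolver list and the sample AIA text are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: extract AIA URLs from a certificate and
# check that each host resolves through several public resolvers.
# Assumptions: openssl and dig are installed; the resolver list is illustrative.
RESOLVERS="9.9.9.9 1.1.1.1 8.8.8.8"

# Print the AIA URLs found in `openssl x509 -text` output, one per line.
aia_urls() {
    awk -F 'URI:' '/^[ \t]*(OCSP|CA Issuers) - URI:/ { print $2 }'
}

# Reduce a URL to its host part: http://r3.i.lencr.org/ -> r3.i.lencr.org
url_host() {
    printf '%s\n' "$1" | sed -e 's|^[A-Za-z]*://||' -e 's|[/:].*$||'
}

# Ask each resolver for an A record of the host; returns 1 if any resolver fails.
check_host() {
    host=$1; rc=0
    for r in $RESOLVERS; do
        if dig +short +time=3 +tries=1 @"$r" "$host" A 2>/dev/null |
            grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'; then
            echo "ok    $host via $r"
        else
            echo "FAIL  $host via $r (no A record: blocked, NXDOMAIN, SERVFAIL or timeout)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample in the layout openssl prints for the chain in this thread.
SAMPLE_AIA='            Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/
'

if [ $# -gt 0 ]; then
    # Live check: hosts taken from the given PEM certificate, each tried per resolver.
    openssl x509 -in "$1" -noout -text | aia_urls | while read -r url; do
        check_host "$(url_host "$url")" || true
    done
else
    echo "Hosts from the constructed sample (pass a PEM file for a live check):"
    printf '%s' "$SAMPLE_AIA" | aia_urls | while read -r url; do url_host "$url"; done
fi
```

A host that answers on 1.1.1.1 and 8.8.8.8 but prints FAIL on 9.9.9.9 points at the resolver rather than at the certificate or the CA's OCSP service.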

Yep that's the issue.

I opened a ticket with Quad9 and it looks like they have resolved the issue.

Zachary (Quad9) 
Oct 19, 2021, 19:04 UTC 
Hello,

Thanks for contacting Quad9 support.

We have added *.lencr.org to our permanent allow list. We are pushing the update to all global servers now. If it's not already unblocked for you, it should be within the next 10 minutes.

We apologize for any inconvenience caused.

Best regards,
Zachary

I wonder why Mastercard flagged this domain as suspicious.

Thank you for getting to the bottom of this issue, @RobBiddle.