End User - Certutil Sort-Of Error Validating Cert to r13

My domain is: www.lavishsoft.com (I do not own it, I am trying to access it)

I ran this command: certutil -f -urlfetch -verify "path_to_downloaded_certificate.crt"

It produced this output:

Issuer:
    CN=R13
    O=Let's Encrypt
    C=US
  Name Hash(sha1): 729bed1a6c02bea399c7a24c45e3dea05345d87e
  Name Hash(md5): 654279274e987144c4fc0b5fc11d283f
Subject:
    CN=www.lavishsoft.com
  Name Hash(sha1): e73a3c30d3840d19e1963ef0e0fa19bfb4fb6664
  Name Hash(md5): 0c3a2526da58efa29dc5ccdbb883f180
Cert Serial Number: 0548f4bf932e6ae710d28509b48d7f716ad0

dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=R13, O=Let's Encrypt, C=US
  NotBefore: 11/19/2025 7:53 AM
  NotAfter: 2/17/2026 7:53 AM
  Subject: CN=www.lavishsoft.com
  Serial: 0548f4bf932e6ae710d28509b48d7f716ad0
  SubjectAltName: DNS Name=www.lavishsoft.com
  Cert: f6b54ff7a412f73e78fa186fe91fbe82637164ea
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0 22ff89586561fc2d52f77491e9f1eff1b80be33e
    [0.0] http://r13.i.lencr.org/

  ----------------  Certificate CDP  ----------------
  Failed "CDP" Time: 0 (null)
    Error retrieving URL: The connection with the server was terminated abnormally 0x80072efe (WinHttp: 12030 ERROR_WINHTTP_CONNECTION_ERROR)
    http://r13.c.lencr.org/81.crl

  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
  --------------------------------
    CRL 187ed82fb3ea3ded:
    Issuer: CN=R13, O=Let's Encrypt, C=US
    ThisUpdate: 12/7/2025 12:36 AM
    NextUpdate: 12/16/2025 12:36 AM
    CRL: b8cc6c95f9b2b0334cd589f227d2229f7d06b0ab
  Issuance[0] = 2.23.140.1.2.1
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
  NotBefore: 3/12/2024 7:00 PM
  NotAfter: 3/12/2027 6:59 PM
  Subject: CN=R13, O=Let's Encrypt, C=US
  Serial: 5a00f212d8d4b480f3924157ea298305
  Cert: 22ff89586561fc2d52f77491e9f1eff1b80be33e
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0 cabd2a79a1076a31f21d253635cb039d4329a5e8
    [0.0] http://x1.i.lencr.org/

  ----------------  Certificate CDP  ----------------
  No IDP Intersection "Base CRL (6a)" Time: 0 b02330861433775b10e7ae74557911aa623c7fca
    [0.0] http://x1.c.lencr.org/

  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
  --------------------------------
    CRL 6a:
    Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
    ThisUpdate: 9/2/2025 7:00 PM
    NextUpdate: 8/2/2026 6:59 PM
    CRL: b02330861433775b10e7ae74557911aa623c7fca
  Issuance[0] = 2.23.140.1.2.1
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
  NotBefore: 6/4/2015 6:04 AM
  NotAfter: 6/4/2035 6:04 AM
  Subject: CN=ISRG Root X1, O=Internet Security Research Group, C=US
  Serial: 8210cfb0d240e3594463e0bb63828b00
  Cert: cabd2a79a1076a31f21d253635cb039d4329a5e8
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
  --------------------------------
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication

Exclude leaf cert:
  Chain: 025db2706415d837f421ab9aeccc1c266785747b
Full chain:
  Chain: b6306cd4bbcb8ffc00412d3cb222337ee0aa672b
------------------------------------
Verified Issuance Policies:
    2.23.140.1.2.1
Verified Application Policies:
    1.3.6.1.5.5.7.3.2 Client Authentication
    1.3.6.1.5.5.7.3.1 Server Authentication
Cert is an End Entity certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

My web server is (include version): N/A

The operating system my web server runs on is (include version): Windows 11 (Home machine)

I can log in to a root shell on my machine (yes or no, or I don't know): no - I don't own the server, and that is not the problem.

I posted a similar thread back in July. At that time, it seemed like the issue was the firewall.
But I am experiencing the same symptoms, and disabling the firewall changes nothing.
One difference I observed - the section header shows no error ...
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0

And at the bottom, it says the revocation check succeeded. But the application I am trying to use still fails when making its internal call back to the lavishsoft domain. And although dwErrorStatus = 0, as you see above, there is still a complaint in the CDP section about connecting to r13.

I see that but am not familiar enough with certutil to know the reasons. That is Let's Encrypt's CRL for revocation data. Right now that URL works. Perhaps there was a temporary problem or perhaps your firewall is blocking outbound requests on port 80.

But whatever the reason is, I doubt it is causing your client a problem. Checking CRL revocation data takes special care and is a distinct error.

I suggest ignoring the certutil results and focusing on exactly the problem your application has. What is that error? Does your app use the same domain name for its callback? Does your app specify the port for the connection?

There is nothing wrong with the cert used by www.lavishsoft.com.


A little more on this ongoing saga for me (perhaps it will help someone else).

This problem resurfaced again. I experimented with changing my DNS to Google's ... no effect. Then I started trying to curl to the revocation server (http://r13.c.lencr.org/81.crl) and observed that those requests were also failing. I added verbose output, so the command I was running was

curl -v http://r13.c.lencr.org/81.crl

This failed with "curl: (56) connection reset"
... but also showed me that it was trying to use an IPv6 address. Adding -ipv4 to the command worked! So I figured out how to disable IPv6 for the adapter, and all seems to be working for me. Likely there is some kind of problem between my provider and IPv6 (temporarily disabling the firewall also did not address the problem)? Uncertain.
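As an added example (not code from the thread, from certutil or from Let's Encrypt), the script below pulls the per-URL fetch results out of a certutil -urlfetch -verify trace, so a Failed CDP entry is surfaced even when dwErrorStatus is 0 and a cached CRL let the chain verify, and then HEADs the failing URL over IPv4 and IPv6 separately, which is the comparison the curl -ipv4 step above performed by hand. The trace excerpt is constructed from the output quoted earlier in the thread; the regex names, parse_fetch_results, failed_fetches and probe_http are my own.

```python
import re
import socket
from urllib.parse import urlparse

# Constructed excerpt modelled on the certutil trace quoted in the thread, not a live capture.
SAMPLE_TRACE = """\
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0 22ff89586561fc2d52f77491e9f1eff1b80be33e
    [0.0] http://r13.i.lencr.org/
  ----------------  Certificate CDP  ----------------
  Failed "CDP" Time: 0 (null)
    Error retrieving URL: The connection with the server was terminated abnormally 0x80072efe (WinHttp: 12030 ERROR_WINHTTP_CONNECTION_ERROR)
    http://r13.c.lencr.org/81.crl
"""
HEADER = re.compile(r"^-{4,}\s+(.+?)\s+-{4,}$")
STATUS = re.compile(r'^(Verified|Failed|No URLs|No IDP Intersection)\s+"')
URL = re.compile(r"https?://\S+")

def parse_fetch_results(trace):
    # One dict per AIA/CDP/OCSP section; lines before the first header go to a throwaway dict.
    results, cur = [], {}
    for line in (raw.strip() for raw in trace.splitlines()):
        if m := HEADER.match(line):
            cur = {"section": m.group(1), "status": None, "url": None, "error": None}
            results.append(cur)
        elif m := STATUS.match(line):
            cur["status"] = m.group(1)
        elif line.startswith("Error retrieving URL:"):
            cur["error"] = line.split(":", 1)[1].strip()
        elif m := URL.search(line):
            cur["url"] = m.group(0)
    return results

def failed_fetches(trace):
    # "Failed" matters even with dwErrorStatus=0: the chain verified from a cached CRL, the live fetch did not.
    return [r for r in parse_fetch_results(trace) if r["status"] == "Failed"]

def probe_http(url, family, timeout=5.0):
    # HEAD the URL over one address family only (the curl -4 versus IPv6 comparison from the thread).
    u = urlparse(url)
    try:
        addr = socket.getaddrinfo(u.hostname, u.port or 80, family, socket.SOCK_STREAM)[0][4]
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(addr)
            s.sendall(f"HEAD {u.path or '/'} HTTP/1.1\r\nHost: {u.hostname}\r\nConnection: close\r\n\r\n".encode())
            return s.recv(4096).split(b"\r\n", 1)[0].decode(errors="replace")
    except OSError as e:
        return f"error: {e}"
```

Feed the real certutil output to failed_fetches, then call probe_http on each failing URL with socket.AF_INET and socket.AF_INET6; a status line on one family and an error on the other points at the address-family problem rather than at the certificate.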
