Failed Cert validation in client with a restrictive firewall

Hello Support Team,

My app is trying to communicate with a test server that uses a Let's Encrypt cert as one of its certificates. In a less restrictive firewall setup my app can successfully validate the Let's Encrypt cert.

The problem arises when my app is installed on a Windows machine behind a restrictive network firewall: I get a "The revocation function was unable to check revocation for the certificate" error for all certificates from the test server. Adding the CRL URLs of all the certs to the firewall solved the revocation error for all of them except the Let's Encrypt cert.

The IT admin already added http://crl.identrust.com/ to the firewall exemptions, but it still cannot validate the Let's Encrypt cert.

The IT admin asked for the specific URLs or IP addresses to put in the firewall exemptions so that the Let's Encrypt cert can be validated successfully by my application.

I don't have control over the test server that uses the Let's Encrypt cert.

Will you be able to provide the URLs or IP addresses that are necessary to validate the Let's Encrypt cert?

My problem is somewhat similar to "Specific URL’s/IP’s that Let’s Encrypt provide for Certificate Validation", but the answer there was not clear and did not work for me.

Hoping for your help on this.

More Power to you all!


That CRL is only used for the intermediate certificates issued by the IdenTrust cross-signed root. When Let's Encrypt (LE) changes to their own root certificate, this CRL won't be useful any longer.

Also, the end leaf certificates are checked by OCSP, which is a different process and a different URL.

You could either also whitelist the OCSP server (see the certificate for the URL) or, even better, use OCSP stapling on your server!

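To turn the advice above ("see the certificate for the URL") into a repeatable check, here is an added example that is not from any post in this thread: a stdlib-only Python walker that pulls the OCSP and CRL URLs out of a DER certificate's extensions, so an admin can list the hosts to allow for every certificate in the chain (leaf and intermediates alike, since each is checked against its own issuer's CRL or OCSP responder). The bytes it runs on are a constructed Extensions fragment built in the block, not a real certificate, and the CRL path in it is a placeholder.

```python
from urllib.parse import urlsplit

OID_AIA = bytes.fromhex("2b06010505070101")   # 1.3.6.1.5.5.7.1.1 authorityInfoAccess
OID_CRLDP = bytes.fromhex("551d1f")           # 2.5.29.31 cRLDistributionPoints
OID_OCSP = bytes.fromhex("2b06010505073001")  # 1.3.6.1.5.5.7.48.1 id-ad-ocsp (not caIssuers)

def _children(value, pos=0):
    """Yield (tag, contents) for each DER TLV in value (single-byte tags, short and long lengths)."""
    while pos < len(value):
        tag, length, pos = value[pos], value[pos + 1], pos + 2
        if length & 0x80:                     # long form: the next n bytes carry the length
            n = length & 0x7F
            length, pos = int.from_bytes(value[pos:pos + n], "big"), pos + n
        yield tag, value[pos:pos + length]
        pos += length

def revocation_urls(der):
    """Return {'ocsp': [...], 'crl': [...]} for one DER certificate (or any fragment holding its extensions)."""
    found = {"ocsp": [], "crl": []}
    def walk(value, in_crldp=False):
        for tag, val in _children(value):
            kids = list(_children(val)) if tag == 0x30 else []
            ext_id = kids[0][1] if kids and kids[0][0] == 0x06 else None  # Extension ::= SEQUENCE { OID, [critical], OCTET STRING }
            if in_crldp and tag == 0x86:      # GeneralName [6] uniformResourceIdentifier inside a DistributionPoint
                found["crl"].append(val.decode("ascii"))
            elif ext_id == OID_CRLDP:
                walk(kids[-1][1], True)       # extnValue contents: SEQUENCE OF DistributionPoint
            elif ext_id == OID_AIA:           # SEQUENCE OF AccessDescription { accessMethod OID, accessLocation GeneralName }
                for _, desc in _children(next(_children(kids[-1][1]))[1]):
                    (_, method), (ltag, loc) = list(_children(desc))[:2]
                    if method == OID_OCSP and ltag == 0x86:
                        found["ocsp"].append(loc.decode("ascii"))
            elif tag & 0x20:                  # any other constructed node: keep descending
                walk(val, in_crldp)
    walk(der)
    return found

def firewall_hosts(der):
    """Hostnames an egress firewall must allow for Windows to finish CRL/OCSP checks on this certificate."""
    urls = revocation_urls(der)
    return sorted({urlsplit(u).hostname for u in urls["ocsp"] + urls["crl"]})

def _der(tag, content):                       # minimal DER encoder (lengths < 128), only for the sample below
    return bytes([tag, len(content)]) + content

def _ext(oid, inner):                         # Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING }
    return _der(0x30, _der(0x06, oid) + _der(0x04, _der(0x30, inner)))

# Constructed sample, not a real certificate: an Extensions fragment shaped like the chain in this thread.
_AIA = _ext(OID_AIA, _der(0x30, _der(0x06, OID_OCSP) + _der(0x86, b"http://ocsp.int-x3.letsencrypt.org")))
_CRLDP = _ext(OID_CRLDP, _der(0x30, _der(0xa0, _der(0xa0, _der(0x86, b"http://crl.identrust.com/example.crl")))))
SAMPLE_EXTENSIONS = _der(0x30, _der(0xa3, _der(0x30, _AIA + _CRLDP)))
```

Run `revocation_urls` over each DER certificate in the chain (the leaf and every intermediate the server sends), since the error in this thread came from the chain as a whole, not just the leaf.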

Unfortunately I don't have control over the test server. I was able to request that the IT admin add the OCSP URL (http://ocsp.int-x3.letsencrypt.org) to the firewall whitelist. My app can now validate the Let's Encrypt certificate.

Thanks!

