Let's Encrypt and SSTP VPN

Hi Guys,

Running into an issue with a couple of clients I work with running SSTP VPNs using Let’s Encrypt certs for SSL.

  • First site is using a 2012 R2 Server (Essentials) Host with a VM also running 2012 R2 Essentials which the team VPN into. These servers are very up to date (updates were run as recently as last night). This site has the CA/ADCS that comes with Essentials.
  • Second site is running a single physical server with 2012 R2 Standard, no VMs. This server was updated a month ago. This site has no CA/ADCS.
  • Client machines are mostly Win10 Enterprise, a mix of Creator’s Update and non-Creator’s Update versions.

Both sites encounter the same issue. For SSTP VPN we’ve installed a new Let’s Encrypt SSL Cert. Now we’re getting the following error: “The revocation function was unable to check revocation because the revocation server was offline.”

We first thought this might be something to do with the inbuilt CA (and resultant CA certs) interfering with the CRL store or otherwise. However given it’s happening on the second site with no inbuilt CA, that one seems out of hte picture.

We’ve tried a number of steps to try and diagnose the root cause, from both client machines and server-side.

  • Client Machines: Cleared CRL Cache. Stripped out and re-setup the VPN connection(Powershell), Full “Network Reset”, Adding the cert itself to the client computer, Testing the client on different networks (WiFi, Cabled Ethernet, 4G)

  • Serverside: Reissued the cert, checked the revoke list just in case, checked RRAS, CA, ADCS and every other network-related section we could think of.

The only thing we’ve found that seemed to be a workable workaround (and a very temporary one at that, because of all the associated security issues we really don’t want to use this in a production environment) is quite literally disabling the Revocation check in the registry on the client computer.

Has anyone else run into this? Does anyone have any thoughts on why this might be happening, and if it could be something that needs to be changed during the cert creation/etc?

Hi @GM_VoidSoul

I can send you a really good brief on SSTP VPN but first of all why are you using SSTP?

Just curious. I have configured several very complex environments and for VPN techs SSTP is not my usual go to.

Andrei

@ahaw021 We were originally using PPTP, however we had some issues with several staff of our clients being stuck when they’re out at (for example) airports using WiFi and being unable to VPN because of older network hardware that causes issues with PPTP connections, so SSTP in general seemed like a better way of getting past this particular roadblock. What would you be suggesting for a secure production environment with VPN?

I know it is a little off-topic but I would probably go with OpenVPN and/or StrongSwan unless there is a specific reason not to. I’ve been building a VPN Network and have done a fair bit of research into this.

I just want to say that nobody should ever be using PPTP. It’s completely broken!

OpenVPN and IPsec are OK. Anything for which you don’t have the source code probably isn’t. Microsoft isn’t exactly known for security.

As for the problem, could it be related to OCSP and issuance outage, 2017-05-19 ?

Hi @GM_VoidSoul

I believe your challenge is that you do not have the Let’s Encrypt Intermediate installed on the RRAS server.

You can verify if this is the case by using the MMC plugin

Fixing this should be quite easy:

Download the Intermediate Certificate from: https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt

Rename to .cer

Double Click on it and install it. To be certain select the Intermediate Store rather than letting windows choose one. Also install in to the computer not the user trust store.

Once sucessful you should see something like this:

I believe the the CRL (Certificate Revocation List) URL is in the Intermediate Certificate not the Leaf Certificate

@schoen - can you confirm this?

I ran the following checks

openssl x509 -in names of certs -noout -text

Intermediate had this extension:

        X509v3 CRL Distribution Points: 

            Full Name:
              URI:http://crl.identrust.com/DSTROOTCAX3CRL.crl

Leaf Cert Did not

Andrei

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.