Running into an issue with a couple of clients I work with running SSTP VPNs using Let’s Encrypt certs for SSL.
First site is using a 2012 R2 Server (Essentials) Host with a VM also running 2012 R2 Essentials which the team VPN into. These servers are very up to date (updates were run as recently as last night). This site has the CA/ADCS that comes with Essentials.
Second site is running a single physical server with 2012 R2 Standard, no VMs. This server was updated a month ago. This site has no CA/ADCS.
Client machines are mostly Win10 Enterprise, a mix of Creators Update and non-Creators Update versions.
Both sites encounter the same issue. For SSTP VPN we’ve installed a new Let’s Encrypt SSL Cert. Now we’re getting the following error: “The revocation function was unable to check revocation because the revocation server was offline.”
We first thought this might be something to do with the inbuilt CA (and resultant CA certs) interfering with the CRL store or otherwise. However, given it’s happening on the second site with no inbuilt CA, that one seems out of the picture.
We’ve tried a number of steps to try and diagnose the root cause, from both client machines and server-side.
Client machines: cleared CRL cache, stripped out and re-set up the VPN connection (PowerShell), full “Network Reset”, adding the cert itself to the client computer, testing the client on different networks (WiFi, cabled Ethernet, 4G).
Server-side: reissued the cert, checked the revoke list just in case, checked RRAS, CA, ADCS and every other network-related section we could think of.
The only thing we’ve found that seemed to be a workable workaround (and a very temporary one at that, because of all the associated security issues we really don’t want to use this in a production environment) is quite literally disabling the Revocation check in the registry on the client computer.
Has anyone else run into this? Does anyone have any thoughts on why this might be happening, and if it could be something that needs to be changed during the cert creation/etc?
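Since the error is coming from the client’s CryptoAPI chain build, it helps to reproduce that check outside of the VPN dialog and see exactly which certificate and which revocation URL it trips on. The following is an added example for that purpose, not something posted in this thread; it pulls the certificate straight from the SSTP endpoint (SSTP rides on HTTPS on 443), builds the chain with online revocation checking the way SSTP does, and then probes every CRL and OCSP/CA-issuers URL in each chain element. `$VpnHost` is a placeholder for the VPN server’s public name.

```powershell
# Added example (not from this thread): reproduce the chain + revocation check
# that SSTP performs, from the client, against the VPN server's certificate.
# Assumption: $VpnHost is a placeholder for the SSTP server's public FQDN,
# which must match the name on the Let's Encrypt certificate.
$VpnHost = 'vpn.example.com'

# 1. Fetch the server certificate over TLS on 443 (SSTP runs over HTTPS).
#    The callback returns $true only so we can retrieve the cert regardless of
#    validity; the real validation is done with X509Chain below.
$tcp = New-Object System.Net.Sockets.TcpClient($VpnHost, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($VpnHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Expires : $($cert.NotAfter)"

# 2. Build the chain the way CryptoAPI does for SSTP: online revocation
#    checking for every certificate in the chain except the root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode       = 'Online'
$chain.ChainPolicy.RevocationFlag       = 'ExcludeRoot'
$chain.ChainPolicy.UrlRetrievalTimeout  = [TimeSpan]::FromSeconds(15)
$ok = $chain.Build($cert)
"`nChain valid: $ok"
foreach ($s in $chain.ChainStatus) {
    # OfflineRevocation / RevocationStatusUnknown here is the same condition
    # the VPN client reports as "revocation server was offline".
    "  $($s.Status): $($s.StatusInformation.Trim())"
}

# 3. For every element of the chain, list the revocation endpoints embedded in
#    it and test whether they answer from this network.
#    2.5.29.31         = CRL Distribution Points
#    1.3.6.1.5.5.7.1.1 = Authority Information Access (OCSP + CA Issuers)
foreach ($el in $chain.ChainElements) {
    "`n$($el.Certificate.Subject)"
    foreach ($ext in $el.Certificate.Extensions) {
        if ($ext.Oid.Value -notin '2.5.29.31', '1.3.6.1.5.5.7.1.1') { continue }
        "  [$($ext.Oid.FriendlyName)]"
        [regex]::Matches($ext.Format($true), 'https?://\S+') | ForEach-Object {
            $url = $_.Value
            try {
                $r = Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing -TimeoutSec 10
                "    reachable   $url (HTTP $($r.StatusCode))"
            } catch {
                # A non-2xx answer still proves the responder is reachable;
                # only a missing response means it is actually offline/blocked.
                if ($_.Exception.Response) {
                    "    reachable   $url (HTTP $([int]$_.Exception.Response.StatusCode))"
                } else {
                    "    UNREACHABLE $url : $($_.Exception.Message)"
                }
            }
        }
    }
}
```

Run it as the same user (and on the same network) that gets the VPN error. If step 2 reports `OfflineRevocation` but every URL in step 3 is reachable, the problem is on the client side (cache, proxy settings, or a chain element the client cannot retrieve); if a URL is unreachable, it is the network path to that CRL/OCSP host that needs attention rather than the certificate itself.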
@ahaw021 We were originally using PPTP, however we had some issues with several staff of our clients being stuck when they’re out at (for example) airports using WiFi and being unable to VPN because of older network hardware that causes issues with PPTP connections, so SSTP in general seemed like a better way of getting past this particular roadblock. What would you be suggesting for a secure production environment with VPN?
I know it is a little off-topic but I would probably go with OpenVPN and/or StrongSwan unless there is a specific reason not to. I’ve been building a VPN Network and have done a fair bit of research into this.
Double-click on it and install it. To be certain, select the Intermediate store rather than letting Windows choose one. Also install into the computer, not the user, trust store.
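The same steps in PowerShell, as an added example rather than something from this thread, so they can be repeated on every client from an elevated prompt instead of clicking through the wizard. `$IntermediatePath` and `$ServerCertPath` are placeholders for the issuing CA’s certificate file and an exported copy of the VPN server’s certificate.

```powershell
# Added example (not from this thread): install the issuing (intermediate) CA
# into the COMPUTER store and re-check revocation from a clean cache.
# Assumptions: $IntermediatePath is a placeholder for the intermediate CA cert
# file; $ServerCertPath is a placeholder for the VPN server's certificate
# exported as DER or Base64.
$IntermediatePath = 'C:\temp\intermediate.cer'
$ServerCertPath   = 'C:\temp\vpn-server.cer'

# Cert:\LocalMachine\CA is the "Intermediate Certification Authorities" store
# of the computer. Using LocalMachine (not CurrentUser) matters because the
# VPN chain build runs in the machine context.
$imported = Import-Certificate -FilePath $IntermediatePath -CertStoreLocation 'Cert:\LocalMachine\CA'
"Installed: $($imported.Subject)  thumbprint $($imported.Thumbprint)"

# Confirm it landed in the expected store and is not expired.
Get-ChildItem 'Cert:\LocalMachine\CA' |
    Where-Object { $_.Thumbprint -eq $imported.Thumbprint } |
    Format-List Subject, Issuer, NotBefore, NotAfter

# Flush cached CRL and OCSP responses so the next check goes to the network
# instead of reusing a stale or failed lookup.
certutil -urlcache crl  delete
certutil -urlcache ocsp delete

# Full chain build with URL retrieval, as CryptoAPI does it. The output shows
# each CRL/OCSP fetch and whether it succeeded, and ends with the overall
# verdict for the server certificate.
certutil -urlfetch -verify $ServerCertPath
```

The `certutil -urlfetch -verify` output is the most useful part: every AIA and CDP URL it tries is listed with a pass/fail, so a failing fetch points directly at the certificate and URL the VPN client is complaining about.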