Server certificate is revoked when computer is offline

Tried to run radius server for wifi connection. When client computer tried to connect, sometimes failed. In event log (Capi2 / CryptAPI2) was log entry with "Certificate is revoked", but cert is ok. Client has all required CA cert (root and intermediate). (Sometimes = when client hadn't cached CRL/OSCP responses).

I ran this command (windows): certutil -urlfetch -verify 'certfileFromLE.cer'
Tested computer was offline, and I had cleared its cache (CRL/OCSP) (certutil -urlcache * delete).

It produced this output:
ChainContext.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)
The certificate is revoked. 0x80092010 (-2146885616 CRYPT_E_REVOKED)

Issuer:
    CN=R3
    O=Let's Encrypt
    C=US
  Name Hash(sha1): 48dac9a0fb2bd32d4ff0de68d2f567b735f9b3c4
  Name Hash(md5): 0b1ac7de285115241e78aeecda91be88
Subject:
    CN=changed.fqdn.of.radius
  Name Hash(sha1): e474b0683ad6c010256db41fd93cc7f7ef924fe5
  Name Hash(md5): 3f0557b92a3118d161dc9d0bcf250fbb
Cert Serial Number: 04e32a43e52cc7b36f8f6d86e6edded5cf46

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=4
  Issuer: CN=R3, O=Let's Encrypt, C=US
  NotBefore: 3/27/2022 12:41 PM
  NotAfter: 6/25/2022 12:41 PM
  Subject: CN=changed.fqdn.of.radius
  Serial: 04e32a43e52cc7b36f8f6d86e6edded5cf46
  SubjectAltName: DNS Name=changed.second.fqdn.of.radius, DNS Name=changed.fqdn.of.radius
  Cert: f2fb870d6cb75de3410f83de5439676a2297cb0b
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)
  ----------------  Certificate AIA  ----------------
  Failed "AIA" Time: 0 (null)
    Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED)
    http://r3.i.lencr.org/

  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate OCSP  ----------------
  Failed "OCSP" Time: 0 (null)
    Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED)
    http://r3.o.lencr.org

  --------------------------------
  Issuance[0] = 2.23.140.1.2.1 
  Issuance[1] = 1.3.6.1.4.1.44947.1.1.1 
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
  NotBefore: 9/4/2020 2:00 AM
  NotAfter: 9/15/2025 6:00 PM
  Subject: CN=R3, O=Let's Encrypt, C=US
  Serial: 912b084acf0c18a753f6d62e25a75f5a
  Cert: a053375bfe84e8b748782c7cee15827a6af5a405
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ----------------  Certificate AIA  ----------------
  Failed "AIA" Time: 0 (null)
    Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED)
    http://x1.i.lencr.org/

  ----------------  Certificate CDP  ----------------
  Failed "CDP" Time: 0 (null)
    Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED)
    http://x1.c.lencr.org/

  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
  --------------------------------
  Issuance[0] = 2.23.140.1.2.1 
  Issuance[1] = 1.3.6.1.4.1.44947.1.1.1 
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
  NotBefore: 6/4/2015 1:04 PM
  NotAfter: 6/4/2035 1:04 PM
  Subject: CN=ISRG Root X1, O=Internet Security Research Group, C=US
  Serial: 8210cfb0d240e3594463e0bb63828b00
  Cert: cabd2a79a1076a31f21d253635cb039d4329a5e8
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
  --------------------------------
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication

Exclude leaf cert:
  Chain: 3fc033249c12c02414a6dad23626344b23cadd40
Full chain:
  Chain: f19f4f08afa06b30c6ec39df3d324869ff88a2ab
  Issuer: CN=R3, O=Let's Encrypt, C=US
  NotBefore: 3/27/2022 12:41 PM
  NotAfter: 6/25/2022 12:41 PM
  Subject: CN=changed.fqdn.of.radius
  Serial: 04e32a43e52cc7b36f8f6d86e6edded5cf46
  SubjectAltName: DNS Name=changed.second.fqdn.of.radius, DNS Name=changed.fqdn.of.radius
  Cert: f2fb870d6cb75de3410f83de5439676a2297cb0b
The certificate is revoked. 0x80092010 (-2146885616 CRYPT_E_REVOKED)
------------------------------------
Certificate is REVOKED
Cert is an End Entity certificate

ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

CertUtil: -verify command completed successfully.

When I tested another certificate from DigiCert (CA digicert global root ca), the computer accepted it.
Why is the cert revoked? If I run it while the computer is connected to the internet:

Issuer:
    CN=R3
    O=Let's Encrypt
    C=US
  Name Hash(sha1): 48dac9a0fb2bd32d4ff0de68d2f567b735f9b3c4
  Name Hash(md5): 0b1ac7de285115241e78aeecda91be88
Subject:
    CN=changed.fqdn.of.radius
  Name Hash(sha1): e474b0683ad6c010256db41fd93cc7f7ef924fe5
  Name Hash(md5): 3f0557b92a3118d161dc9d0bcf250fbb
Cert Serial Number: 04e32a43e52cc7b36f8f6d86e6edded5cf46

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 291 Days, 19 Hours, 6 Minutes, 41 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 291 Days, 19 Hours, 6 Minutes, 41 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=R3, O=Let's Encrypt, C=US
  NotBefore: 3/27/2022 12:41 PM
  NotAfter: 6/25/2022 12:41 PM
  Subject: CN=changed.fqdn.of.radius
  Serial: 04e32a43e52cc7b36f8f6d86e6edded5cf46
  SubjectAltName: DNS Name=changed.second.fqdn.of.radius, DNS Name=changed.fqdn.of.radius
  Cert: f2fb870d6cb75de3410f83de5439676a2297cb0b
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0 a053375bfe84e8b748782c7cee15827a6af5a405
    [0.0] http://r3.i.lencr.org/

  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate OCSP  ----------------
  Verified "OCSP" Time: 0 417b714984df193ec4a1109e3d0ddeb780a4e33e
    [0.0] http://r3.o.lencr.org

  --------------------------------
    CRL (null):
    Issuer: CN=R3, O=Let's Encrypt, C=US
    ThisUpdate: 5/1/2022 1:00 PM
    NextUpdate: 5/8/2022 12:59 PM
    CRL: 6d8a1644290c080da936f64bd7687be02733b4b4
  Issuance[0] = 2.23.140.1.2.1
  Issuance[1] = 1.3.6.1.4.1.44947.1.1.1
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
  NotBefore: 9/4/2020 2:00 AM
  NotAfter: 9/15/2025 6:00 PM
  Subject: CN=R3, O=Let's Encrypt, C=US
  Serial: 912b084acf0c18a753f6d62e25a75f5a
  Cert: a053375bfe84e8b748782c7cee15827a6af5a405
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0 cabd2a79a1076a31f21d253635cb039d4329a5e8
    [0.0] http://x1.i.lencr.org/

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (65)" Time: 0 eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
    [0.0] http://x1.c.lencr.org/

  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
  --------------------------------
    CRL 65:
    Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
    ThisUpdate: 7/15/2021 2:00 AM
    NextUpdate: 6/15/2022 1:59 AM
    CRL: eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
  Issuance[0] = 2.23.140.1.2.1
  Issuance[1] = 1.3.6.1.4.1.44947.1.1.1
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
  NotBefore: 6/4/2015 1:04 PM
  NotAfter: 6/4/2035 1:04 PM
  Subject: CN=ISRG Root X1, O=Internet Security Research Group, C=US
  Serial: 8210cfb0d240e3594463e0bb63828b00
  Cert: cabd2a79a1076a31f21d253635cb039d4329a5e8
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
  --------------------------------
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication

Exclude leaf cert:
  Chain: ec3d4971607d5340ad95b508c9006b81e4fb8256
Full chain:
  Chain: 1492601ac30a8844c0e0fccc2d480e9681838446
------------------------------------
Verified Issuance Policies:
    2.23.140.1.2.1
    1.3.6.1.4.1.44947.1.1.1
Verified Application Policies:
    1.3.6.1.5.5.7.3.2 Client Authentication
    1.3.6.1.5.5.7.3.1 Server Authentication
Cert is an End Entity certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

The certificate isn't revoked: crt.sh | 6422447721

It'just your client that does not like certificates without a CRL, probably (Let's Encrypt leaf certificates only have OCSP). And this is the reason you should use OCSP stapling.

3 Likes