Server certificate is revoked when computer is offline

I tried to run a RADIUS server for a Wi-Fi connection. When a client computer tried to connect, it sometimes failed. In the event log (CAPI2 / CryptoAPI 2) there was an entry with "Certificate is revoked", but the cert is OK. The client has all required CA certs (root and intermediate). (Sometimes = when the client hadn't cached CRL/OCSP responses.)

I ran this command (Windows): certutil -urlfetch -verify 'certfileFromLE.cer'
The tested computer was offline, and I had cleared its CRL/OCSP cache (certutil -urlcache * delete).

It produced this output:
ChainContext.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)
The certificate is revoked. 0x80092010 (-2146885616 CRYPT_E_REVOKED)

Issuer:
    CN=R3
    O=Let's Encrypt
    C=US
  Name Hash(sha1): 48dac9a0fb2bd32d4ff0de68d2f567b735f9b3c4
  Name Hash(md5): 0b1ac7de285115241e78aeecda91be88
Subject:
    CN=changed.fqdn.of.radius
  Name Hash(sha1): e474b0683ad6c010256db41fd93cc7f7ef924fe5
  Name Hash(md5): 3f0557b92a3118d161dc9d0bcf250fbb
Cert Serial Number: 04e32a43e52cc7b36f8f6d86e6edded5cf46

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=4
  Issuer: CN=R3, O=Let's Encrypt, C=US
  NotBefore: 3/27/2022 12:41 PM
  NotAfter: 6/25/2022 12:41 PM
  Subject: CN=changed.fqdn.of.radius
  Serial: 04e32a43e52cc7b36f8f6d86e6edded5cf46
  SubjectAltName: DNS Name=changed.second.fqdn.of.radius, DNS Name=changed.fqdn.of.radius
  Cert: f2fb870d6cb75de3410f83de5439676a2297cb0b
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)
  ----------------  Certificate AIA  ----------------
  Failed "AIA" Time: 0 (null)
    Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED)
    http://r3.i.lencr.org/

  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate OCSP  ----------------
  Failed "OCSP" Time: 0 (null)
    Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED)
    http://r3.o.lencr.org

  --------------------------------
  Issuance[0] = 2.23.140.1.2.1 
  Issuance[1] = 1.3.6.1.4.1.44947.1.1.1 
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
  NotBefore: 9/4/2020 2:00 AM
  NotAfter: 9/15/2025 6:00 PM
  Subject: CN=R3, O=Let's Encrypt, C=US
  Serial: 912b084acf0c18a753f6d62e25a75f5a
  Cert: a053375bfe84e8b748782c7cee15827a6af5a405
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ----------------  Certificate AIA  ----------------
  Failed "AIA" Time: 0 (null)
    Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED)
    http://x1.i.lencr.org/

  ----------------  Certificate CDP  ----------------
  Failed "CDP" Time: 0 (null)
    Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED)
    http://x1.c.lencr.org/

  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
  --------------------------------
  Issuance[0] = 2.23.140.1.2.1 
  Issuance[1] = 1.3.6.1.4.1.44947.1.1.1 
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
  NotBefore: 6/4/2015 1:04 PM
  NotAfter: 6/4/2035 1:04 PM
  Subject: CN=ISRG Root X1, O=Internet Security Research Group, C=US
  Serial: 8210cfb0d240e3594463e0bb63828b00
  Cert: cabd2a79a1076a31f21d253635cb039d4329a5e8
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
  --------------------------------
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication

Exclude leaf cert:
  Chain: 3fc033249c12c02414a6dad23626344b23cadd40
Full chain:
  Chain: f19f4f08afa06b30c6ec39df3d324869ff88a2ab
  Issuer: CN=R3, O=Let's Encrypt, C=US
  NotBefore: 3/27/2022 12:41 PM
  NotAfter: 6/25/2022 12:41 PM
  Subject: CN=changed.fqdn.of.radius
  Serial: 04e32a43e52cc7b36f8f6d86e6edded5cf46
  SubjectAltName: DNS Name=changed.second.fqdn.of.radius, DNS Name=changed.fqdn.of.radius
  Cert: f2fb870d6cb75de3410f83de5439676a2297cb0b
The certificate is revoked. 0x80092010 (-2146885616 CRYPT_E_REVOKED)
------------------------------------
Certificate is REVOKED
Cert is an End Entity certificate

ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

CertUtil: -verify command completed successfully.

When I tested another certificate from DigiCert (CA: DigiCert Global Root CA), the computer accepted it.
Why is the cert revoked? This is the output when I run the same command while the computer is connected to the internet:

Issuer:
    CN=R3
    O=Let's Encrypt
    C=US
  Name Hash(sha1): 48dac9a0fb2bd32d4ff0de68d2f567b735f9b3c4
  Name Hash(md5): 0b1ac7de285115241e78aeecda91be88
Subject:
    CN=changed.fqdn.of.radius
  Name Hash(sha1): e474b0683ad6c010256db41fd93cc7f7ef924fe5
  Name Hash(md5): 3f0557b92a3118d161dc9d0bcf250fbb
Cert Serial Number: 04e32a43e52cc7b36f8f6d86e6edded5cf46

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 291 Days, 19 Hours, 6 Minutes, 41 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 291 Days, 19 Hours, 6 Minutes, 41 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=R3, O=Let's Encrypt, C=US
  NotBefore: 3/27/2022 12:41 PM
  NotAfter: 6/25/2022 12:41 PM
  Subject: CN=changed.fqdn.of.radius
  Serial: 04e32a43e52cc7b36f8f6d86e6edded5cf46
  SubjectAltName: DNS Name=changed.second.fqdn.of.radius, DNS Name=changed.fqdn.of.radius
  Cert: f2fb870d6cb75de3410f83de5439676a2297cb0b
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0 a053375bfe84e8b748782c7cee15827a6af5a405
    [0.0] http://r3.i.lencr.org/

  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate OCSP  ----------------
  Verified "OCSP" Time: 0 417b714984df193ec4a1109e3d0ddeb780a4e33e
    [0.0] http://r3.o.lencr.org

  --------------------------------
    CRL (null):
    Issuer: CN=R3, O=Let's Encrypt, C=US
    ThisUpdate: 5/1/2022 1:00 PM
    NextUpdate: 5/8/2022 12:59 PM
    CRL: 6d8a1644290c080da936f64bd7687be02733b4b4
  Issuance[0] = 2.23.140.1.2.1
  Issuance[1] = 1.3.6.1.4.1.44947.1.1.1
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
  NotBefore: 9/4/2020 2:00 AM
  NotAfter: 9/15/2025 6:00 PM
  Subject: CN=R3, O=Let's Encrypt, C=US
  Serial: 912b084acf0c18a753f6d62e25a75f5a
  Cert: a053375bfe84e8b748782c7cee15827a6af5a405
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0 cabd2a79a1076a31f21d253635cb039d4329a5e8
    [0.0] http://x1.i.lencr.org/

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (65)" Time: 0 eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
    [0.0] http://x1.c.lencr.org/

  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
  --------------------------------
    CRL 65:
    Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
    ThisUpdate: 7/15/2021 2:00 AM
    NextUpdate: 6/15/2022 1:59 AM
    CRL: eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
  Issuance[0] = 2.23.140.1.2.1
  Issuance[1] = 1.3.6.1.4.1.44947.1.1.1
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
  NotBefore: 6/4/2015 1:04 PM
  NotAfter: 6/4/2035 1:04 PM
  Subject: CN=ISRG Root X1, O=Internet Security Research Group, C=US
  Serial: 8210cfb0d240e3594463e0bb63828b00
  Cert: cabd2a79a1076a31f21d253635cb039d4329a5e8
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
  --------------------------------
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication

Exclude leaf cert:
  Chain: ec3d4971607d5340ad95b508c9006b81e4fb8256
Full chain:
  Chain: 1492601ac30a8844c0e0fccc2d480e9681838446
------------------------------------
Verified Issuance Policies:
    2.23.140.1.2.1
    1.3.6.1.4.1.44947.1.1.1
Verified Application Policies:
    1.3.6.1.5.5.7.3.2 Client Authentication
    1.3.6.1.5.5.7.3.1 Server Authentication
Cert is an End Entity certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

The certificate isn't revoked: crt.sh | 6422447721

It's just your client that does not like certificates without a CRL, probably (Let's Encrypt leaf certificates only have OCSP). And this is the reason you should use OCSP stapling.

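The two certutil traces in the question and the point made in the reply can be reproduced from PowerShell, as an added example that is not part of the original thread or of any RADIUS product. It uses .NET's X509Chain, which on Windows calls the same CryptoAPI chain engine as certutil and the Wi-Fi client, builds the chain once from cached data only and once online with revocation checked for everything but the root, dumps which revocation sources the leaf carries (CRL Distribution Points vs. OCSP in the AIA extension), and separates a positive "revoked" from "could not check". The path .\radius.cer is a placeholder assumption; the flags you see depend on your connectivity and on what is in the machine's CRL/OCSP cache.

```powershell
# Added example, not code from the original post. Rebuilds the chain the way the RADIUS
# client and "certutil -urlfetch -verify" do (CryptoAPI chain engine via .NET X509Chain),
# once with cached data only and once online, and lists which revocation sources the
# leaf actually carries. Assumption: the server certificate is exported to .\radius.cer
# (placeholder path; pass -CertPath to override).
using namespace System.Security.Cryptography.X509Certificates

param([string]$CertPath = '.\radius.cer')

$cert = [X509Certificate2]::new((Resolve-Path $CertPath).Path)

# 1. Revocation sources present in the leaf.
#    2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information Access (OCSP + CA Issuers)
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
$aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
Write-Host ("Subject: {0}`nCDP: {1}`nAIA: {2}" -f $cert.Subject,
    $(if ($cdp) { $cdp.Format($true) } else { '<none>  (OCSP-only leaf: no CRL to fall back on)' }),
    $(if ($aia) { $aia.Format($true) } else { '<none>' }))

# 2. Build the chain with revocation checking for everything except the root
#    (CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT in the certutil trace).
function Test-ChainRevocation {
    param([X509Certificate2]$Certificate, [X509RevocationMode]$Mode)
    $chain = [X509Chain]::new($true)   # $true = machine context, like HCCE_LOCAL_MACHINE
    $chain.ChainPolicy.RevocationMode = $Mode          # Offline = cache only, Online = fetch CDP/AIA URLs
    $chain.ChainPolicy.RevocationFlag = [X509RevocationFlag]::ExcludeRoot
    $null = $chain.Build($Certificate)
    $chain.ChainStatus                                  # empty when the chain is fully valid
}

# 3. Separate "revoked" from "could not check": only a Revoked flag without any
#    RevocationStatusUnknown/OfflineRevocation flag is a positive answer from the CA.
function Get-RevocationVerdict {
    param([X509ChainStatus[]]$Status)
    $combined = [X509ChainStatusFlags]::NoError
    foreach ($s in $Status) { $combined = [X509ChainStatusFlags]($combined -bor $s.Status) }
    $unknown = $combined.HasFlag([X509ChainStatusFlags]::RevocationStatusUnknown) -or
               $combined.HasFlag([X509ChainStatusFlags]::OfflineRevocation)
    if ($combined.HasFlag([X509ChainStatusFlags]::Revoked) -and -not $unknown) { return 'REVOKED (positive answer from the CA)' }
    if ($unknown) { return 'UNDETERMINED (no reachable CRL/OCSP source; not proof of revocation)' }
    return 'PASSED'
}

# Clear cached CRLs/OCSP responses first to reproduce the cold-cache case
# (same command as in the question):  certutil -urlcache * delete
foreach ($mode in [X509RevocationMode]::Offline, [X509RevocationMode]::Online) {
    $status = @(Test-ChainRevocation -Certificate $cert -Mode $mode)
    "`n=== RevocationMode = $mode : $(Get-RevocationVerdict $status)"
    $status | ForEach-Object { '  {0,-30} {1}' -f $_.Status, $_.StatusInformation.Trim() }
}
```

Run it once with the network disconnected after clearing the cache and once connected, which mirrors the two traces above. The extension dump is the reply's point in concrete form: a Let's Encrypt leaf has an AIA extension with an OCSP URL but no CDP, so with the OCSP responder unreachable and nothing cached the engine has no source left to consult, whereas the R3 intermediate carries a CDP and can be checked from a cached CRL. The verdict helper makes the practical distinction a client (or an incident responder reading CAPI2 events) should make: a chain status that includes RevocationStatusUnknown or OfflineRevocation is a connectivity or caching problem, not evidence that the CA revoked the certificate.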
