Unable to check certificate revocation

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: remindo.net

I ran this command:

It produced this output:

My web server is (include version): IIS 10

The operating system my web server runs on is (include version): Windows Server 2019 Standard

My hosting provider, if applicable, is: nfoservers.com

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Using WinACME - should be latest version - downloaded only days ago

I have a .Net Core MVC application where emails are used to send reports to clients, etc. The client is using Outlook.com to host their email. I've created a test site on a different server than the production site and I'm using remindo.net as the domain (I needed one to get the certificate and I had this one unused, so I'm borrowing it for the testing). When the site attempts to send email, an error is generated that says "An error occurred while attempting to establish an SSL or TLS connection. The server's SSL certificate could not be validated for the following reasons: The server certificate has the following errors: The revocation function was unable to check revocation for the certificate." The site is showing as secure. I've installed OCSP Stapling, though I'm not 100% sure that is working properly. I'm at a loss here as to what's going on and this is an area I'm unfamiliar with, so whatever answers are provided, please be detailed.

Here are the results of some commands I've run (I've removed ETag, because I really don't know if that's something that's ok to show publicly).

C:\Windows\system32>curl -I http://x1.c.lencr.org
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/pkix-crl
Last-Modified: Fri, 04 Aug 2023 20:57:55 GMT
ETag:
Cache-Control: max-age=3600
Expires: Mon, 09 Oct 2023 00:01:45 GMT
Date: Sun, 08 Oct 2023 23:01:45 GMT
Connection: keep-alive

C:\Windows\system32>curl -I http://r3.o.lencr.org
HTTP/1.1 200 OK
Server: nginx
Content-Length: 0
Cache-Control: max-age=20170
Expires: Mon, 09 Oct 2023 04:38:19 GMT
Date: Sun, 08 Oct 2023 23:02:09 GMT
Connection: keep-alive

C:\Windows\system32>curl -v https://acme-v02.api.letsencrypt.org

*   Trying 172.65.32.248:443...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.
* Closing connection 0
curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.

Any help would be appreciated.

Hi @GTGeek88, and welcome to the LE community forum :slight_smile:

I would try adding to the curl command:
-k
OR
--ssl-no-revoke


...which would only test stuff out, but wouldn't actually fix anything..

You think this has a fix?
[one we can easily find - one that this forum is aligned with]


I hope it has a fix!

hmm...

Have you tried applying all the Windows Updates?


Interesting, I didn't know curl on windows was built against schannel instead of openssl, I normally use the linux one in WSL.

This article implies the problem is that the windows installed version of curl is outdated but I suspect a different problem

Is your outgoing HTTPS proxied? I suspect you have a gateway or anti-virus/malware scanner that offers its own certificates instead of the remote one (MITM), more like this: github - Git - The revocation function was unable to check revocation for the certificate - Stack Overflow


Windows Updates. Is that just a SWAG? :slight_smile:

I'll check out the articles. Thanks. The outgoing HTTPS is not proxied. I do have endpoint protection, so I'll look into that. Thanks.


Actually no, you can easily block Windows Updates just by blocking outgoing HTTP/HTTPS in Windows Firewall etc., but it can also be blocked by group policy, as organizations often aggregate approved updates onto a local update server (WSUS or others) and control their deployment. Separately there is the problem of root certificate updates, which can also be blocked, sometimes mistakenly.


I did the updates on the server. I installed the latest version of curl on the server. Still no relief from this problem. As for the curl commands I put in my original post, where should those be run from? The server on which the certificate resides, I would assume. I just can't find a lot of info or help on this issue. Makes me want to abandon this LE solution and try with some other CA.

Isn't that a bad thing?

I did check the endpoint protection software and added the LE servers (based on the URLs in the three curl commands from my original post) to the exceptions list (both HTTP and HTTPS) and that changed what I was getting from the "curl -v https://acme-v02.api.letsencrypt.org" command

What I now get:

*   Trying 172.65.32.248:443...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* ALPN: server accepted http/1.1
* using HTTP/1.1
> GET / HTTP/1.1
> Host: acme-v02.api.letsencrypt.org
> User-Agent: curl/8.0.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Date: Thu, 19 Oct 2023 18:38:11 GMT
< Content-Type: text/html
< Content-Length: 1540
< Last-Modified: Thu, 23 Jun 2022 21:17:41 GMT
< Connection: keep-alive
< ETag: "62b4d875-604"
< X-Frame-Options: DENY
< Strict-Transport-Security: max-age=604800
<
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Boulder: The Let's Encrypt CA</title>

  <style type="text/css">
    header { display: flex; max-height: 30vh; flex-wrap: wrap; margin-bottom: 10vh; }
    header img { display: flex; max-height: 20vh; align-content: flex-end; margin-right: 20px; }
  </style>
</head>

<body>
  <header>
    <section>
      <img src="/static/images/LE-Logo-LockOnly.svg"/>
    </section>
    <section>
      <h1>Boulder<br>
      <small>The Let's Encrypt CA</small></h1>
    </section>
  </header>

  <section>
    <p>This is an <a href="https://tools.ietf.org/html/rfc8555">ACME</a> Certificate Authority running <a href="https://github.com/letsencrypt/boulder">Boulder</a>.</p>
    <p>This is a <em>programmatic</em> endpoint, an API for a computer to talk to. You should probably be using a specialized client to utilize the service, and not your web browser. See <a href="https://letsencrypt.org/docs"><tt>https://letsencrypt.org/docs</tt></a> for help.</p>
    <p>If you're trying to use this service, note that the starting point, <em>the directory</em>, is available at this URL: <a href="https://acme-v02.api.letsencrypt.org/directory"><tt>https://acme-v02.api.letsencrypt.org/directory</a></tt>.</p>
  </section>

  <footer>
      <p>
        <a href="https://letsencrypt.status.io" title="Status">Service Status (letsencrypt.status.io)</a> |
        <a href="https://twitter.com/letsencrypt" title="Twitter">Let's Encrypt Twitter</a>
      </p>
  </footer>

</body>
</html>
* Connection #0 to host acme-v02.api.letsencrypt.org left intact

That seems like an improvement.

No solution, though.


No.
LE doesn't use client certificates for their API endpoints.


I did notice this in the Windows Event Viewer:

Name resolution for the name x1.c.lencr.org timed out after none of the configured DNS servers responded.

Doesn't sound good.

What is/are the name server(s) being used?

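An added diagnostic for the situation described in this thread (schannel reporting "the revocation function was unable to check revocation", the suspicion of a TLS-inspecting endpoint agent, and the DNS timeout for x1.c.lencr.org). This is example code written for this page, not anything posted by the participants or shipped by Let's Encrypt or win-acme. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with the DnsClient module available; the target host and port are parameters, defaulting to the ACME API host the thread tests with curl. It pulls the leaf certificate from the remote endpoint, rebuilds the chain with online revocation checking exactly as schannel's CryptoAPI does, prints the chain as this machine sees it (a non-Let's Encrypt issuer there means an interception proxy), and then resolves and HEAD-requests every OCSP/CRL URL found in the chain.

```powershell
# Example diagnostic, not from the thread. Assumptions: Windows, PowerShell 5.1+,
# Resolve-DnsName available; $TargetHost/$Port are placeholders to replace.
param(
    [string]$TargetHost = 'acme-v02.api.letsencrypt.org',
    [int]$Port = 443
)

function Get-RemoteLeafCertificate {
    # Open a TLS session and keep the leaf cert. The callback records the policy
    # errors schannel raised but returns $true so the handshake still completes
    # on a box where revocation checking is broken.
    param([string]$HostName, [int]$PortNumber)
    $script:handshakeErrors = 'None'
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:handshakeErrors = $errors
        return $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $PortNumber)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

function Get-RevocationUrls {
    # Extract URLs from the Authority Information Access (OCSP/CA issuers) and
    # CRL Distribution Points extensions via the formatted extension text.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($oid in '1.3.6.1.5.5.7.1.1', '2.5.29.31') {
        $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        if (-not $ext) { continue }
        $kind = if ($oid -eq '2.5.29.31') { 'CRL' } else { 'AIA' }
        foreach ($m in [regex]::Matches($ext.Format($true), 'https?://[^\s,)\]]+')) {
            [pscustomobject]@{ Subject = $Cert.Subject; Kind = $kind; Url = $m.Value }
        }
    }
}

function Test-RevocationUrl {
    # Separate the two failure modes seen in the thread: name resolution and
    # HTTP reachability (a filtering agent typically breaks the second).
    param([string]$Url)
    $u = [uri]$Url
    $dns = try {
        (Resolve-DnsName -Name $u.Host -Type A -ErrorAction Stop |
            Where-Object IPAddress | Select-Object -First 1).IPAddress
    } catch { "FAIL: $($_.Exception.Message)" }
    $http = try {
        (Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop).StatusCode
    } catch { "FAIL: $($_.Exception.Message)" }
    [pscustomobject]@{ Url = $Url; Dns = $dns; Http = $http }
}

$leaf = Get-RemoteLeafCertificate -HostName $TargetHost -PortNumber $Port
"Leaf: $($leaf.Subject)  issuer: $($leaf.Issuer)  handshake errors: $script:handshakeErrors"

# Rebuild the chain with online revocation, the same check schannel performs.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(20)
$built = $chain.Build($leaf)
"Chain builds with online revocation: $built"
# RevocationStatusUnknown / OfflineRevocation below carry the same "unable to
# check revocation" condition that curl's 0x80092012 error reports.
foreach ($s in $chain.ChainStatus) { "  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim() }

"Chain as seen from this machine (an unexpected issuer here means a TLS-inspecting proxy or endpoint agent):"
foreach ($el in $chain.ChainElements) { "  " + $el.Certificate.Subject }

"Revocation endpoints and whether this machine can reach them:"
$chain.ChainElements | ForEach-Object { Get-RevocationUrls -Cert $_.Certificate } |
    Sort-Object Url -Unique |
    ForEach-Object { Test-RevocationUrl -Url $_.Url } | Format-Table -AutoSize
```

Run it as the same account the failing process uses, and note one caveat: CryptoAPI fetches CRLs and OCSP responses through WinHTTP, whose proxy configuration (`netsh winhttp show proxy`) is separate from the per-user Internet settings that Invoke-WebRequest honours, so a URL that this script can reach may still be unreachable to schannel when a proxy is configured in only one of the two places.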

How do I determine that?

ipconfig /all

Look for entries labeled:
DNS Servers . . . . . . . . . . . :
