The revocation function was unable to check revocation because the revocation server was offline on application hosted on IIS

Adrian Adamiak 15 Reputation points Microsoft Vendor
2023-04-13T06:37:56.93+00:00

I have a very specific issue with my application. Currently, I host the .net core web service on the IIS on the machine installed in the domain. We use Windows Server 2019. The application connects to the service from our domain but the connection is checked and available. The firewall rules were set to enable it. The service has enabled revocation chain validation for the SSL domain certificate of the given service. I added additional tracing to my app and I see that it fails for each certificate in the chain with the error "The revocation function was unable to check revocation because the revocation server was offline". I checked the OCSP and CLR URLs with telnet and they are accessible by the given user. My service is installed on the application pool authorized by the identity from the domain. The user is not added to the machine administrators but its added to the groups:

  • Certificate Service DCOM Access (added for testing but didn't help)
  • Cryptographic Operators
  • IIS_IUSRS

I see that the root certificate is installed in the LocalComputer/Trusted Root Certification Authorities and the intermediate certificate is installed in the LocalComputer\Intermediate Certification Authorities. The domain certificate contains the OCSP and CLR URLs. Both are accessible to the user. The intermediate certificate contains the same CLR URL. I used certutil to test CLR validation and it works correctly. (Logged in powershell as the given user)

certutil -URL "url"

User's image

    certutl -verify "ssl.cer"

User's image

I used the OpenSSL ocsp tool to test OCSP validation and it passed with OCSP Response Status: successful.
(https://akshayranganath.github.io/OCSP-Validation-With-Openssl/)

I thought it could be the SSL version limitations but the OCSP and CLR use the unencrypted HTTP protocol, What is important when I check the disk cache with

certutil -v -urlcache

I don't see the cache for the given clrs in the location C:\Users{user}\AppData\LocalLow\Microsoft\CryptnetUrlCache. Although when I retrieve CLR with the command

certutil -URL "url" 

the cache entry is created and the service can validate the certificate revocation for some time. When I restart the IIS service, the error disappears too but after some time (about 3 hours) I can see the error again. What is important, on different machines it works. Only the difference is that the user is added to the administrators. I can't find any documentation on whether it's required and my preference is to not give admin privileges to IIS users.

What I noticed additionally, when I run PowerShell session as the given user, the problem disappears for 3 hours. After that time, it shows again.
I tried to add permissions to the shared disk cache with no result read for - C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\
write for C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache
Do you have any suggestions what could be the potential issues? I checked event logs and there is no evidence of the specific issue.

Windows Server 2019
Windows Server 2019
A Microsoft server operating system that supports enterprise-level management updated to data storage.
3,510 questions
{count} vote