Certificate revocation related issues in SSL when connecting to blob storage endpoint RRS feed

  • Question

  • Hi, 

    Has anyone experienced, Certificate revocation issues lately with blob endpoint.
    Issue lasted for 1 day starting 19 to 20 or 21 may 2019.

    The SSL certificate is signed by following CA

    Microsoft IT TLS CA 5

    • CA Certificate: Microsoft IT TLS CA 5.crt
    • Thumbprint: ad 89 8a c7 3d f3 33 eb 60 ac 1f 5f c6 c4 b2 21 9d db 79 b7
    • CRL: IT TLS CA 5.crl
    • Authority Key Identifier: e5 9d 59 30 82 47 58 cc ac fa 08 54 36 86 7b 3a b5 04 4d f0
    If we download CRL provided in extension and give it to curl, curl give error 60 which is related to ssl/crl issues.

    CRL details.
    Effective date: ‎Sunday, ‎May ‎19, ‎2019 9:43:49 PM
    Next Update: ‎Monday, ‎May ‎27, ‎2019 10:03:49 PM
    Next CRL Publish: ‎Thursday, ‎May ‎23, ‎2019 9:53:49 PM

    Wednesday, May 22, 2019 10:12 AM

All replies

  • Can you provide us more information on the issue and also please do provide a screenshot of the error (after concealing any private) for better understanding?

    You may also refer to the suggestions mentioned in this article.

    Additional information: For your reference you see few suggestions mentioned in the below link:

    Kindly let us know if the above helps or you need further assistance on this issue.
    Do click on "Mark as Answer" on the post that helps you, this can be beneficial to other community members.

    Wednesday, May 22, 2019 10:30 AM
  • Hi Sumanth, 
    Thanks for replying.

    I don't have exact logs at this was running under automation and we didn't got curl logs for this.
    just curl error (60), this issue lasted for 1 or 2 days and it got resolved automatically assuming something changed at Microsoft Azure end. the time of one such failure are around  5/18/2019 20:51:04 UTC

    To give more context here we are using libcurl to fire rest api to azure storage service.
    we are also using "CURLOPT_CRLFILE" which takes a CRL bundle.

    we can give similar option via CURL CLI to validate. (you can get a trusted cabundle from Mozilla CA cert Store, keep that in pem ASCII)
    ( you can get CRL files from the x509 certificate's CRL extensions IT TLS CA 5.crl,
    convert them in pem ASCII format, crl.pem) 
    curl --cacert cacert.pem --crlfile crl.pem

    This would have given error 60 on that day.

    Wanted to know if that issue was intermittent, did not got any confirmation was this from azure end.
    page has no such incident reported.     

    Wednesday, May 22, 2019 1:28 PM
  • Apologies for the delay response! It's possible there may be an issue on the cluster.  Ideally, we could research on our end.  Depending on your comfort level you could disable strict certificate checking in CURL.  This is done by adding the -k --insecure flag. This bypasses the CRL
    Thursday, May 30, 2019 5:02 PM
  • Hi, Thanks for replying back.

    Yes that will be good if we can get root cause of this.

    We cannot turn revocation check off for automation systems.
    we already allow turning this off for our end users with there discretion.

    keep posting to thread if you find the issue root cause.

    Friday, May 31, 2019 9:09 AM