OCSP 404 error - failing in pkiview

    Question

  • Hi all, sorry for asking another question so quickly after the last but I am stuck on an OCSP issue now.

    2 tier PKI, 2008 R2 Root CA and 2012 R2 Enterprise Subordinate.

    When launching pkiview everything comes up fine except for OCSP. I have it configured correctly in the AIA extensions of the SubCA (with only the Include in the OCSP extension checkbox ticked) with a url of http://ocsp/ocsp. There is a cname in DNS that points to actual server (different to the CA, running 2012 R2 as well though). OCSP can be pinged successfully.

    The OCSP revocation configuration is also set up and reporting everything as OK in the OCSP console. Can also confirm that Network Service has been granted read permissions on the private key settings in the OCSP signing template. I've tried revoking the CAExchange certificate and restarting certsvc as well without luck.

    When performing the normal OCSP checks the results are as follows:

    certutil -url cert.cer
    Error retrieving URL: Error 0x80190194 (-2145844844)

    certutil -verify -urlfetch cert.cer
    Failed "OCSP" Time: 0
    Error retrieving URL: Not found (404). 0x80190194 (-2145844844 HTTP_E_STATUS_NOT_FOUND)

    I know it's not a proper test but for information sake browsing to http://ocsp/ocsp shows error 404 - file or directory not found rather than what is expected with a working OCSP URL (500 - internal server error).

    I've also uninstalled/re-installed the OCSP service (including IIS) without success. Any ideas?

    thanks!

    Tuesday, September 16, 2014 3:58 AM

Answers

  • It's an application dir subordinate to the Default Web Site and it points to C:\Windows\SystemData\ocsp.

    Silly question, maybe: But have you 'configured the role service' in W2K12 after adding the Role Service? (The yellow triangle icon should remind you to do so.)

    I guess it could be easily forgotten as - in contrast to the Certificate Service Role Service - there is not much happening in configuration except specifying the user who actually installs the role service.

    The Online Responder MMC is already there before you do that configuration - so I believe it should be possible to add revocation configurations before the web application part is ready.



    • Edited by Elke Stangl Wednesday, September 17, 2014 12:37 PM
    • Marked as answer by driko konst Thursday, September 18, 2014 2:30 PM
    Wednesday, September 17, 2014 12:34 PM
  • Update to my previous reply:

    Tested that quickly now - I can confirm that you can indeed configure a revocation config. using the OCSP MMC before you actually configure the role service.

    In that state the /ocsp app/dir. is still missing and we would see exactly the error you describe.

    So I am really curious about your findings!

    Elke

    • Marked as answer by driko konst Thursday, September 18, 2014 2:30 PM
    Wednesday, September 17, 2014 1:10 PM
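The two accepted answers above pin the 404 on a missing /ocsp web application, which only appears once the Online Responder role service has been through its post-install configuration. The following PowerShell script is an added example, not code from the thread or from Microsoft: it checks each of the points raised in the thread (name resolution of the ocsp CNAME, the role feature, the IIS application, its physical directory, and the HTTP status a bare GET of the AIA URL returns). It assumes it is run elevated on the responder itself, that the hostname and URL match the poster's setup, and that the WebAdministration and ServerManager modules are available (Windows Server 2012 R2 or later).

```powershell
# Added diagnostic for the symptom in this thread: HTTP 404 from http://ocsp/ocsp because the
# Online Responder role service was installed but never "configured", so the /ocsp application
# under Default Web Site does not exist. Example code, not from the thread.
param(
    [string]$OcspHost = 'ocsp',             # CNAME used in the SubCA's AIA extension (from the thread)
    [string]$OcspUrl  = 'http://ocsp/ocsp'  # OCSP URL published in the AIA extension (from the thread)
)
Import-Module WebAdministration -ErrorAction Stop

# 1. Does the responder CNAME resolve from this machine?
$dns = Resolve-DnsName -Name $OcspHost -ErrorAction SilentlyContinue
if ($dns) { "DNS OK: $OcspHost -> $(($dns | Select-Object -First 1).Name)" }
else      { Write-Warning "'$OcspHost' does not resolve" }

# 2. Is the Online Responder role service installed at all?
$feature = Get-WindowsFeature -Name ADCS-Online-Cert
"Online Responder feature installed: $($feature.Installed)"

# 3. Does the /ocsp application exist under Default Web Site? If not, IIS answers 404.
$app = Get-WebApplication -Site 'Default Web Site' -Name 'ocsp'
if ($app) { "IIS application /ocsp -> $($app.PhysicalPath)" }
else      { Write-Warning 'No /ocsp application in IIS: role service is probably not configured yet' }

# 4. Physical directory the application should point to (path given in the accepted answer)
$dir = Join-Path $env:SystemRoot 'SystemData\ocsp'
"Physical directory present: $(Test-Path $dir) ($dir)"

# 5. Bare GET of the responder URL. A working responder returns HTTP 500 to a GET that carries
#    no OCSP request (as the poster noted); an unconfigured one returns 404.
try {
    $r = Invoke-WebRequest -Uri $OcspUrl -UseBasicParsing -ErrorAction Stop
    "HTTP $($r.StatusCode) from $OcspUrl"
} catch {
    $code = $_.Exception.Response.StatusCode.value__
    $hint = switch ($code) {
        404 { '  <- /ocsp application missing (symptom from this thread)' }
        500 { '  <- responder present; 500 is expected for a bare GET' }
        default { '' }
    }
    "HTTP $code from $OcspUrl$hint"
}

# Remediation matching the accepted answer: run the post-install configuration step, which is what
# the yellow-triangle "Configure Active Directory Certificate Services" task does, then re-test:
#   Install-AdcsOnlineResponder -Force
#   certutil -verify -urlfetch cert.cer
```

Once `Install-AdcsOnlineResponder` has run, step 3 should report the /ocsp application and step 5 should flip from 404 to 500 for a bare GET.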

All replies

  • Would be helpful to see the full output of the verify command. Being able to see the context of where the error message comes from helps.



    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

    Tuesday, September 16, 2014 5:36 AM
  • Sure thing Mark, please see below. I've had to type it out manually so sorry for any formatting errors (can't get files off the system in question), I've also changed names of domains etc.;

    Issuer:
     CN=Issuing-CA
     DC=domain
     DC=com
    Subject:
     CN=clientdevice.domain.com
    Cert Serial Number: 6b....................................6

    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwRevocationFreshnessTime: 141 Days, 16 Hours, 12 Minutes, 33 Seconds

    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwRevocationFreshnessTime: 141 Days, 16 Hours, 12 Minutes, 33 Seconds

    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
     Issuer: CN=Issuing-CA, DC=domain, DC=com
     NotBefore: 12/09/2014 10:43 AM
     NotAfter: 11/09/2019 10:43 AM
     Subject: CN=clientdevice.domain.com
     Serial: 6b....................................6
     SubjectAltName: DNS Names=clientdevice.domain.com
     Template: ClientTemplate
     3c .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. 40
     Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
     Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
     ---------------- Certificate AIA ----------------
     Verified "Certificate (0)" Time: 0
      [0.0] ldap:///CN=Issuing-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=com?cACertificate?base?objectClass=certificationAuthority
     
     Verified "Certificate (0)" Time: 4
      [1.0] http://pki.domain.com/certenrolment/IssuingCAhostname.domain.com_Issuing-CA.crt

     ---------------- Certificate CDP ----------------
     Verified "Base CRL (1e)" Time: 0
      [0.0] ldap:///CN=Issuing-CA,CN=IssuingCAhostname,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

     Verified "Delta CRL (1e)" Time: 0
      [0.0.0] ldap:///CN=Issuing-CA,CN=IssuingCAhostname,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint
     
     Verified "Delta CRL (1e)" Time: 4
      [0.0.1] http://pki.domain.com/CertEnrolment/Issuing-CA+.crl

     Verified "Base CRL (1e)" Time: 4
      [1.0] http://pki.domain.com/certenrolment/Issuing-CA.crl

     Verified "Delta CRL (1e)" Time: 0
      [1.0.0] ldap:///CN=Issuing-CA,CN=IssuingCAhostname,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint

     Verified "Delta CRL (1e)" Time: 4
      [1.0.1] http://pki.domain.com/CertEnrolment/Issuing-CA+.crl

     ---------------- Base CRL CDP ----------------
     OK "Delta CRL (1f)" Time: 0
      [0.0] ldap:///CN=Issuing-CA,CN=IssuingCAhostname,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint

     OK "Delta CRL (1f)" Time: 4
      [1.0] http://pki.domain.com/CertEnrolment/Issuing-CA+.crl

     ---------------- Certificate OCSP ----------------
     Failed "OCSP" Time: 0
      Error retrieving URL: Error 0x80190194 (-2145844844)
      http://ocsp/ocsp

     ------------------------------
      CRL1e:
      Issuer: CN=Issuing-CA, DC=domain, DC=com
      07 .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. be
      Delta CRL 1f:
      Issuer: CN=Issuing-CA, DC=domain, DC=com
      d5 .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. 92
     Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
     Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication

    CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
     Issuer: CN=Root-CA
     NotBefore: 9/09/2014 1:36 PM
     NotAfter: 9/09/2024 1:46 PM
     Subject: CN=Issuing-CA, DC=Domain, DC=com
     Serial: 2f..................................14
     Template: SubCA
     3d .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. 56
     Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
     Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
     ---------------- Certificate AIA ----------------
     Verified "Certificate (0)" Time: 4
      [0.0] http://pki/CertEnrolment/RootCAhostname_Root-CA.crt

     ---------------- Certificate CDP ----------------
     Verified "Base CRL (05)" Time: 4
      [0.0] http://pki/CertEnrolment/Root-CA.crl

     ---------------- Base CRL CDP ----------------
     No URLs "None" Time: 0
     ---------------- Certificate OCSP ----------------
     No URLs "None" Time: 0
     ------------------------------
      CRL 05:
      Issuer: CN=Root-CA
      fb .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. a7
     Issuance[0] = 1...............2

    CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
     Issuer: CN= Root-CA
     NotBefore: 30/01/2014 2:22 PM
     NotAfter: 30/01/2034 2:32 PM
     Subject: CN=Root-CA
     Serial: 2e............................7e
     45 .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. b3
     Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
     Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
     Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
     ---------------- Certificate AIA ----------------
     No URLs "None" Time: 0
     ---------------- Certificate CDP ----------------
     No URLs "None" Time: 0
     ---------------- Certificate OCSP ----------------
     No URLs "None" Time: 0
     ------------------------------
     Issuance[0] 1...............2

    Exclude leaf cert:
     99 .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. d4
    Full chain:
     e9 .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. 8d
    ------------------------------
    Verified Issuance Policies: None
    Verified Application Policies:
     1.3.6.1.5.5.7.3.1 Server Authentication
     1.3.6.1.5.5.7.3.2 Client Authentication
    Leaf certificate revocation check passed
    CertUtil: -verify command completed successfully.

    Wednesday, September 17, 2014 2:24 AM
  • Just a hunch, but since you said the OCSP server says it is working properly (taking your word for it), but the client is unable to query the responder, is it possible your shortname (OCSP) isn't resolvable or reachable by the client in question? Either the OCSP server isn't working properly or the client can't get to the right server/website.

    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

    Wednesday, September 17, 2014 3:27 AM
  • In the original post you said you can ping the OCSP Server. I assume using its name and from the machine where you do the tests? So an error 404 seems to indicate that the virtual directory /ocsp/ is not there ... odd as this may seem.

    Do you see the dir or application in IIS Manager? Can you access the corresponding physical directory?

    Do you see an error 404 also in IIS' log?

    If yes I'd try to do Failed Request Tracing for an error 404 (How to enable Failed Request Tracing)

    (I had seen something comparable once - when NDES failed with a weird IIS error... turned out via details shown in Failed Request Tracing that one specific IIS config setting was missing although that setting should have been configured when adding the role.)

    Elke



    • Edited by Elke Stangl Wednesday, September 17, 2014 8:11 AM
    Wednesday, September 17, 2014 8:10 AM
  • Mark, yes the OCSP console definitely reports that the signing certificate and revocation config is OK. Any suggestions and how best to troubleshoot your hunch?

    Elke, yes I can ping the OCSP cname from the server where I'm running certutil from. Will confirm what's present in IIS manager tomorrow, but from memory I don't believe anything is there for OCSP? The 404 error is also present in the IIS logs so I will try your suggestion and report back. Should I check a certain directory on the server to confirm if there's any files in there for OCSP, and if so which directory is that?

    Thanks!

    Wednesday, September 17, 2014 12:04 PM
  • Elke thank you so much, I can't believe it was so simple. This was the first time I had installed OCSP on a 2012 server and didn't realise there was additional config required after the role is installed! (You were correct it's just setting the user account to install the service).

    After running the required configuration on the role service it all works now.

    It's odd that OCSP allows you to create a revocation config and report that it is working without the configuration being complete.

    Again thanks Elke!

    Thursday, September 18, 2014 2:30 PM