WSE 2012 and SSL Certificate is Revoked but it really has not been revoked

  • Question

  • Hi

    I am having an issue with WSE 2012 and my SSL certificate. Here is part of the error message that I am receiving:

    "There is a problem with this website's security certificate."
    "This organization's certificate has been revoked."

    This happened about 2 days ago. I contacted GoDaddy and they verified that they had not revoked my certificate and that I would need to contact Microsoft for a resolution. They did recommend that I could rekey my certificate which I did. I did that and the error went away.

    By the way, the only way I knew I had a problem is because I have my website address as my homepage so that I can tell each time I open IE if I am having an issue or if all is well.

    Anyway, about 3:00 this morning I received the message again that my certificate had been revoked. I was too tired to do anything about it at that time. I checked it again at 8:00 am and got the same message. I copied the error message so I could google it and see what resolutions others had come up with. I opened IE again and the error message was gone. I didn't do a repair or anything - it just started working!

    Does anyone know why this happens and more importantly, how to keep it from happening?

    Thanks for your help!

    Tuesday, March 26, 2013 1:18 PM

Answers

  • Another update

    The Microsoft tech thought that there might be a problem with the cert from GoDaddy. I did contact GoDaddy and they said that the cert on the server did not match what they have as a valid cert. (The Microsoft tech had verified that they DID match).

    So I have gone ahead and downloaded another copy from GoDaddy and have installed it on my server. At this point, the certificate does show as being valid. I will check back in 24 or 25 hours and verify that the cert is still valid (remember, it has been okay for about a day and then shows revoked).

    I will post again after any change/no change after 24 hours.

    **********************************************************************

    Okay - it has been almost 2 days since I downloaded another copy of my certificate and installed it on my server and all appears well at this point.

    Here's the last process the Microsoft Tech and I went through: When I had the Microsoft Tech on the line a couple of days ago, he did verify that the serial number of my certificate matched what GoDaddy showed as my valid certificate. Don't know exactly what happened, but he did look and there were about a dozen certificates from GoDaddy on my server (maybe each time I released/renewed the domain name from the Anywhere Access screen, it put another copy of the cert on the machine?). He also ran what I think was called the certificate utility repair tool and there WAS a special character at the beginning of the serial number that he deleted - until he deleted it, the repair tool failed. Deleted the character, re-ran the tool and it was successful. He then deleted all but the cert that matched GoDaddy's and we left it at that for the time being to see if that helped. After 24 hours, it failed again. Since GoDaddy was telling me that the cert on my server did not match the cert that they issued, I re-downloaded the certificate (I did not rekey it as I had already done that a couple of weeks ago), installed it on the server and it has worked ever since.

    Not sure if anyone knows the cause or the exact fix, but it is now working so I will mark this as Answered.

    Thanks to Susan for getting the ball rolling on this and the Microsoft Techs for spending several hours helping out.

    Gene


    • Marked as answer by gestep Monday, April 15, 2013 3:23 AM
    • Edited by gestep Monday, April 15, 2013 7:32 AM
    Friday, April 12, 2013 4:56 AM
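
The checks described in the answer above (comparing the installed certificate's serial number with the one the CA lists, spotting extra copies in the machine store, and seeing what revocation status Windows itself computes), as an added PowerShell example that is not from the thread or from Microsoft support. `$ExpectedSerial`, the `Go Daddy` issuer filter and the helper name `Format-Serial` are assumptions.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell 3.0+
# session on the server. $ExpectedSerial is the serial number shown in the CA's
# account portal (assumed input); $IssuerMatch is an assumed issuer filter.
param(
    [Parameter(Mandatory = $true)][string]$ExpectedSerial,
    [string]$IssuerMatch = 'Go Daddy'
)

function Format-Serial([string]$Serial) {
    # Keep hex digits only, so spaces, colons or a stray invisible character
    # picked up while copying the value do not break the comparison.
    ($Serial -replace '[^0-9A-Fa-f]', '').ToUpperInvariant().TrimStart('0')
}

$want = Format-Serial $ExpectedSerial

$report = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*$IssuerMatch*" } |
    ForEach-Object {
        $cert = $_
        # Build the chain with online revocation checking (CRL/OCSP lookups),
        # so the result reflects what the CA currently publishes.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        $valid = $chain.Build($cert)
        [pscustomobject]@{
            Subject       = $cert.Subject
            Serial        = $cert.SerialNumber
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            MatchesCA     = (Format-Serial $cert.SerialNumber) -eq $want
            ChainValid    = $valid
            ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }

$report | Sort-Object NotAfter | Format-List

# More than one row means several copies or reissues are installed; a row with
# MatchesCA = False is not the certificate whose serial number you supplied.
"{0} certificate(s) from '{1}' in LocalMachine\My; {2} match the supplied serial." -f `
    @($report).Count, $IssuerMatch, @($report | Where-Object MatchesCA).Count

# Show which certificate hash (thumbprint) is actually bound to HTTPS.
netsh http show sslcert | Select-String 'IP:port', 'Certificate Hash'
```

Compare the `Certificate Hash` reported by `netsh` with the `Thumbprint` of the row where `MatchesCA` is True; if they differ, the site is serving one of the other copies.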

All replies

  • I have some more info on my issue with the revoked certificate. Seems that if I run the dashboard, go to Settings, go to Anywhere Access and go to Set Up Domain Name, release it and then set it up again using the exact same domain name, it appears to function without the error for about 20-24 hours, then it goes back to showing that the certificate has been revoked.

    Anyone have any ideas?

    Gene

    Thursday, March 28, 2013 3:13 AM
  • I'm experiencing the same problem; also with GoDaddy. I too verified that it is correct on GoDaddy's side; but this problem keeps coming back.

    Brian Reisman

    Saturday, March 30, 2013 6:52 PM
  • Brian

    Have you gotten any responses as to either the cause or a remedy? Other than this one issue, I am pretty pleased with WSE2012. It has gotten to the point that I am using my domain name for my home page so that I can be reminded when the revocation has taken place (don't really need to - I can just check once every 24 hours and verify that it shows the cert as being revoked). Again, it isn't a real revocation but WSE2012 thinks that it is. Every time I check the GoDaddy site, it does show the certificate as active.

    Maybe someone else can help us out?

    Gene

     

    Saturday, March 30, 2013 8:02 PM
  • Still haven't heard from anyone... I'm thinking that it has to do with the automatic updating of the dns... I suggest we give it a few more days 

    Ordinarily these forums are monitored by people on the respective teams at Microsoft...


    Brian Reisman

    Monday, April 1, 2013 1:57 AM
  • Please help to support the log for us as Alex mentioned. We are watching your problem.
    Wednesday, April 3, 2013 2:15 AM
  • Or stick them in skydrive and post the link here.

    Wednesday, April 3, 2013 6:24 AM
  • What's your web site address?
    Wednesday, April 3, 2013 6:31 AM
  • Okay - this is the first time that I have done this so if you don't see what you requested, please let me know.

    Here is the link to my public folder on my Skydrive:

    https://skydrive.live.com/#cid=FCEFF73200584618&id=FCEFF73200584618%21113

    I included 3 files - the log files while the certificate was 'valid', the log files after I received the message that the certificate had been revoked, and finally a screenshot of what the error message says regarding the certificate revocation.

    Thanks.

    Gene

    Thursday, April 4, 2013 6:08 AM
  • Are you seeing this error right now?  As I'm hitting your site and not seeing the error?
    Thursday, April 4, 2013 6:11 AM
  • No, after I sent the files, I went in to settings, Anywhere Access, selected Set Up Domain Name, chose release the current domain name from the server and once released, went back through setup and used the exact same domain name again. At that point, the certificate error goes away and all is well.

    I wasn't sure what exactly was needed, so that is why I sent two log files, one when the certificate showed Valid and one set of log files when the certificate showed Revoked.

    Since I went through this process about 1:30 am Thursday, the error will return around 1:30 am Friday.

    Do you want me to let the error happen and then put a message up here?

    Gene

    Thursday, April 4, 2013 6:59 AM
  • Yup, let's see when it's in the failed state. 

    Thursday, April 4, 2013 7:09 AM
  • Hey Susan

    If you want to try going to my server, the certificate now shows as being revoked so you can see what it looks like when it has failed.

    Thanks!

    Gene

    Friday, April 5, 2013 6:42 AM
  • email me at susan-at-msmvps.com and let's get a support case opened.

    I see an issue with root certs and I want to confirm what the trigger is.

    Friday, April 5, 2013 7:04 AM
  • Microsoft has been in touch with me regarding the problem above. I ran a fix that they supplied and am waiting on a response from them. Once I get their response, I will let everyone know what they had me do (no need to post it if it doesn't work).

    I'm keeping my fingers crossed!

    Gene

    Saturday, April 6, 2013 2:31 PM
  • I have checked the address and the certificate looks good. Is this problem fixed?

    Sunday, April 7, 2013 3:26 AM
  • It's been rekeyed today.  Let me check the case notes.
    Sunday, April 7, 2013 4:19 AM
  • As an update, I applied the fix that I was provided. I won't know for about 24 hours if the fix is permanent (the problem re-occurs about every 24 hours). Since I applied the fix a couple of minutes before noon on Saturday, I won't know until around noon on Sunday. I will keep everyone up-to-date.

    Gene

    Sunday, April 7, 2013 6:49 AM
  • The fix that Microsoft supplied did not work. I have notified the latest tech support person of that fact and am waiting for their next response.

    Gene

    Sunday, April 7, 2013 4:41 PM
  • I can think of one possible reason for this to happen: if you have another Windows Essentials server or Small Business Server, and you used to set up the domain on that machine. Two machines can't share one certificate. You may change your GoDaddy password to prevent any old server from accidentally doing something to your cert.

    Thanks  

    Monday, April 8, 2013 2:04 AM
  • QingFUW

    This is the only server that I have.

    Thanks.

    Gene

    Monday, April 8, 2013 3:27 AM
  • I know you said in the case notes you want to work via email but the issue is we don't know what the issue is.  This shouldn't be happening.  So the support folks may need to take remote control of your server to get more log files off your box.
    Monday, April 8, 2013 4:22 AM
  • I think there is one thing we must understand: revoking a certificate must go through GoDaddy. It's possible that 2012 Essentials for some reason automatically asks GoDaddy to revoke it every day. One trick you can do here is to reconfigure again and then change the password on the GoDaddy site, making it impossible for the Essentials server to revoke it, because GoDaddy will not allow any request from the server using the old password, which is stored somewhere on the server.

    Thanks.

    Monday, April 8, 2013 5:20 AM
  • I can confirm that RWA site indicated that the certificate had been revoked when it occurs as I saw it with my own eyes.  If Gene can work with the support folks to get the logs as Gene isn't the only one reporting this issue.  He's not doing it.  Godaddy says it's not them but something clearly is revoking the SSL cert.  The server shouldn't be asking for it to be revoked.  I'd rather Gene not change any passwords but let it fail again (if he doesn't mind) so we can get to the root cause of the issue.
    Monday, April 8, 2013 5:33 AM
  • I can confirm that RWA site indicated that the certificate had been revoked when it occurs as I saw it with my own eyes.  If Gene can work with the support folks to get the logs as Gene isn't the only one reporting this issue.  He's not doing it.  Godaddy says it's not them but something clearly is revoking the SSL cert.  The server shouldn't be asking for it to be revoked.  I'd rather Gene not change any passwords but let it fail again (if he doesn't mind) so we can get to the root cause of the issue.

    I understand your point; my suggestion is the best thing I can offer to Gene. I also hope the support folks can get useful logs to identify the root cause.

    Thanks.

     
    Monday, April 8, 2013 6:01 AM
  • I sent an email a couple of hours ago to the last person that contacted me from Microsoft letting them know that I will call them later today during their Pacific office hours. I have left the certificate in a failed state so that they can see it AND take any logs that they need to pinpoint the solution to this issue.

    While the server was showing that the certificate was revoked, I looked at my account on GoDaddy and it shows that the SSL certificate is current. I don't think that GoDaddy is doing anything to cause it to be revoked. Again, if I go through the Anywhere Access Domain Name Setup wizard, I can fix the issue (for 24 hours) by releasing the domain name and running the wizard again and using the exact same domain name and it works instantly - again for 24 hours. Seems that if GoDaddy were doing something, then the domain name would not magically become valid again.

    I will update everyone once I find out anything from my call today.

    Gene

    Monday, April 8, 2013 8:44 AM
  • Update

    Technical support connected to my server and after 2 hours, could not come up with a fix. He will research it some more and contact me sometime late Tuesday with findings.

    Gene

    Tuesday, April 9, 2013 1:30 AM
  • Okay, well I've given up trying to get it to work; I decided not to use the "automatic" feature of the dns settings... but I think I can provide a little information that should make it a little easier to troubleshoot... The issue seems to occur when the dns settings are maintained.

    Specifically the problem only happens if you set the anywhere access to maintain the dns "automatically". This is meant to be a quasi dynamic dns implementation, e.g. if your IP address changes system should automatically update (in our case, GoDaddy) the dns servers to reflect the changed IP. It appears that whenever the service refreshes (Usually ~24 hours after initial configuration) it is causing the cert to show as revoked. In my case my IP hasn't changed at all, so depending on the internal trigger that causes the dns settings to be updated, that should narrow the search for the root cause.

    I've done the following things at one point or another to try to get it to work:

    1. I completely formatted and reinstalled the OS. (Did this once since the issue manifested on the first day following the initial install) - issue repeated.
    2. Deleted all of the certificates in my cert store that were issued from GoDaddy and ran the wizard again. - issue repeated.
    3. Rekeyed the certificate from GoDaddy. - Issue repeated.

    Finally I decided to give up on the "automatic" portion and I signed up for dyndns.com; and manually installed the cert from GoDaddy, manually configured the dns record to point to my dyndns.com host. It has been running for almost a week and I haven't had any more issues. Ideally this wouldn't be necessary...


    Brian Reisman

    Wednesday, April 24, 2013 3:49 AM