Certificate related problems when using a web proxy server

Posted on 27 September, 2017 by Tom Aafloen

I have several times encountered these issues, so it decided it was time to write a blog post about it.

The situation

You are using a proxy server for web communication. Direct communication to the Internet is blocked. The proxy is configured in Internet Explorer Options, as shown in these screenshots:

image

image

If you do not configure this, you cannot reach the Internet.
If you do configure this, you can reach the internet.
Just as expected.

The issue

Even if the proxy is configured correctly, as seen above, some Internet communication is still blocked.

One common problem area is certificate validation, specifically downloading CRLs from the Internet. I have seen problems when starting CA servers (after Root CA CRL renewal) and/or when or accessing NDES web pages. See examples at the end of this post for details. If you solve something else, let me know so I can add it to help others.

The reason

There are actually two different proxy settings in Windows, WinINet and WinHTTP.

WinINet
This is what we configure in the screenshots above. Most applications use this setting.

WinHTTP
This is a separate proxy setting. Most Windows services use this setting, including the one responsible for certificate revocation checking. This proxy setting has no GUI but can be configured using the command netsh.

You can read more about the differences between WinINet and WinHTTP here.
Especially note Services Support (Can be run from a service or a service account [Yes/No]).

The solution

The solution is to configure WinHTTP with the same proxy settings as WinINet.

This command shows the current WinHTTP proxy configuration:

netsh winhttp show proxy

image

As you can see, no proxy server is configured for WinHTTP.

You can manually add the proxy configuration (and optional Bypass List) by entering the relevant proxy information:

set proxy tomdemoproxy.se:8080 bypass-list=”*.tomdemo.se”

But there is an easier way. You can simply copy and apply the current WinINet proxy configuration to WinHTTP:

netsh winhttp import proxy source=ie

image

Note that this requires an elevated prompt, otherwise you will get the error message “Error writing proxy settings. (5) Access is denied.”

This has solved many communication issues I have had where a web proxy server is used.

If you wish to reset the WinHTTP proxy setting back to the no proxy setting you can use the following command:

netsh winhttp reset proxy

image

Example errors that were solved

Starting Active Directory Certificate Services

When trying to start the CA server you get this error message:

image
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)

The event log shows Event Id 100 from source CertificationAuthority:

Active Directory Certificate Services did not start: Could not load or verify the current CA certificate <CA name>. The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE).

Also, Event Id 48 from source CertificationAuthority:

Revocation status for a certificate in the chain for CA certificate 0 for <CA Name> could not be verified because a server is currently unavailable.  The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE).

Note: A dirty trick to quickly get the CA up and running is to disable CRL checking on the CA server:

certutil –setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

This is of course not recommended and must be turned back on as soon as the CRL is available again, but might be justified in some rare cases.

Accessing NDES / SCEP web pages

Visiting https://FQDN works great (shows IIS standard home page).

But when trying to access the URL https://FQDN/certsrv/mscep/mscep.dll you get this error message:

image
500 – Internal server error.
There is a problem with the resource you are looking for, and it cannot be displayed.

The same message appears when going to the URL http://<FQDN>/certsrv/mscep_admin

The Application event log on the NDES server shows the following error:

image
Event ID 10: The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect.

followed by:

image
Event ID 2: The Network Device Enrollment Service cannot be started (0x80070057).  The parameter is incorrect.

These two error events occur every time I revisit the URLs.

Have you solve an issue

If you run into any issues solved by this, please let me know so I can add them here to help others.

About Tom Aafloen

IT Security Advisor @ Onevinn
This entry was posted in CA, Certificates, CRL, NDES, PKI, SCEP and tagged , , , . Bookmark the permalink.

4 Responses to Certificate related problems when using a web proxy server

  1. Tom Aafloen says:
    28 April, 2020 at 10:01

    If your proxy requires authentication, you can pass your credentials like this:
    $webclient=New-Object System.Net.WebClient
    $webclient.Proxy.Credentials= Get-Credential

    Reply
  2. Griffo says:
    2 June, 2021 at 06:36

    This can also manifest in the Windows Terminal Server client being unable to connect to RDP sessions over the Internet. The RDP client does a CRL check as part of the authentication process, and this can fail leading to the client just seeming to hang. The OS then caches the result until restart, which can lead to some very frustrating troubleshooting.

    Reply
  3. Loop says:
    20 March, 2023 at 12:30

    This actually helped A LOT. I was getting crazy because I could use a browser to access CRL urls present in the certificate trust chain, but the service I was trying to run could NOT access it due to using WinHTTP instead of WinInet. After runing netsh winhttp import proxy source=ie it worked properly. Thanks!

    Reply

Leave a comment