Certificate related problems when using a web proxy server

I have several times encountered these issues, so it decided it was time to write a blog post about it.

The situation

You are using a proxy server for web communication. Direct communication to the Internet is blocked. The proxy is configured in Internet Explorer Options, as shown in these screenshots:

image

image

If you do not configure this, you cannot reach the Internet.
If you do configure this, you can reach the internet.
Just as expected.

The issue

Even if the proxy is configured correctly, as seen above, some Internet communication is still blocked.

One common problem area is certificate validation, specifically downloading CRLs from the Internet. I have seen problems when starting CA servers (after Root CA CRL renewal) and/or when or accessing NDES web pages. See examples at the end of this post for details. If you solve something else, let me know so I can add it to help others.

The reason

There are actually two different proxy settings in Windows, WinINet and WinHTTP.

WinINet
This is what we configure in the screenshots above. Most applications use this setting.

WinHTTP
This is a separate proxy setting. Most Windows services use this setting, including the one responsible for certificate revocation checking. This proxy setting has no GUI but can be configured using the command netsh.

You can read more about the differences between WinINet and WinHTTP here.
Especially note Services Support (Can be run from a service or a service account [Yes/No]).

The solution

The solution is to configure WinHTTP with the same proxy settings as WinINet.

This command shows the current WinHTTP proxy configuration:

netsh winhttp show proxy

image

As you can see, no proxy server is configured for WinHTTP.

You can manually add the proxy configuration (and optional Bypass List) by entering the relevant proxy information:

set proxy tomdemoproxy.se:8080 bypass-list=”*.tomdemo.se”

But there is an easier way. You can simply copy and apply the current WinINet proxy configuration to WinHTTP:

netsh winhttp import proxy source=ie

image

Note that this requires an elevated prompt, otherwise you will get the error message “Error writing proxy settings. (5) Access is denied.”

This has solved many communication issues I have had where a web proxy server is used.

If you wish to reset the WinHTTP proxy setting back to the no proxy setting you can use the following command:

netsh winhttp reset proxy

image

Example errors that were solved

Starting Active Directory Certificate Services

When trying to start the CA server you get this error message:

image
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)

The event log shows Event Id 100 from source CertificationAuthority:

Active Directory Certificate Services did not start: Could not load or verify the current CA certificate <CA name>. The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE).

Also, Event Id 48 from source CertificationAuthority:

Revocation status for a certificate in the chain for CA certificate 0 for <CA Name> could not be verified because a server is currently unavailable.  The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE).

Note: A dirty trick to quickly get the CA up and running is to disable CRL checking on the CA server:

certutil –setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

This is of course not recommended and must be turned back on as soon as the CRL is available again, but might be justified in some rare cases.

Accessing NDES / SCEP web pages

Visiting https://FQDN works great (shows IIS standard home page).

But when trying to access the URL https://FQDN/certsrv/mscep/mscep.dll you get this error message:

image
500 – Internal server error.
There is a problem with the resource you are looking for, and it cannot be displayed.

The same message appears when going to the URL http://<FQDN>/certsrv/mscep_admin

The Application event log on the NDES server shows the following error:

image
Event ID 10: The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect.

followed by:

image
Event ID 2: The Network Device Enrollment Service cannot be started (0x80070057).  The parameter is incorrect.

These two error events occur every time I revisit the URLs.

Have you solve an issue

If you run into any issues solved by this, please let me know so I can add them here to help others.

Advertisements
This entry was posted in CA, Certificates, CRL, NDES, PKI, SCEP and tagged , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s