Cannot connect to SSTP VPN - Unable to check revocation because revocation server was offline

8

I have been trying to set up an SSTP VPN to my SBS 2011 server and have been battling certificate issues the whole way. I've been able to generate a new certificate for my external VPN address, import it into my client machine, and add my server as a Trusted Certification Authority. Now I get the error:

Error 0x80092013: The revocation function was unable to check revocation because the revocation server was offline.

When I checked the CRL distribution points on the certificate I saw that the only URLs were to my internal address, so I added another one that points to my external address (leaving the original internal URLs intact). I generated a new certificate, deleted the existing one from my client and imported the new one, and restarted RRAS and verified that SSTP was using my new certificate, but I am still getting the same error.

When I view the details of the certificate that I imported I see that the new external CDP appears in the list (something to the effect of http://mydomain.com/CertEnroll/MYSERVER-CA.crl). When I put that into a web browser I get a message saying the CRL import was successful, which lets me know that the URL is accessible from the outside and is online.

I feel like this is the last stop between me and a secured VPN, what am I missing here?

windows-server-2008
vpn
ssl
windows-sbs-2011
asked on Server Fault Sep 25, 2011 by mclark1129

1 Answer

6

The issue was that I was unable to access the Delta CRL file through IIS 7. This was due to the '+' sign in the file name MYSERVER-CA+.crl. By default IIS 7 sets the property allowDoubleEscaping to False, and this must be enabled so that IIS can serve up this file.

In IIS 7, I went into the Default Web Site, navigated to the CertEnroll virtual directory and enabled the property in the Configuration Editor. Below is a link describing how to set this from the command line:

http://blogs.technet.com/b/lrobins/archive/2008/12/29/publishing-delta-crls-on-iis-7.aspx

Once I did this my issue was finally resolved!

answered on Server Fault Sep 29, 2011 by mclark1129 • edited Sep 29, 2011 by mclark1129
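The procedure in the answer above (enable allowDoubleEscaping on the CertEnroll virtual directory so the delta CRL with '+' in its name can be served) and the reachability check the question describes (fetching each CDP URL from outside) can both be scripted. The following PowerShell is an added example and is not code from the original post or from the linked TechNet article. It assumes the names used on this page: a site called "Default Web Site" with a "CertEnroll" virtual directory, an external CDP host of mydomain.com, a CA named MYSERVER-CA, and that the SSTP server certificate has been exported to C:\temp\sstp.cer (that path is an assumption). It uses the WebAdministration module that ships with the IIS 7 PowerShell tooling and .NET WebClient rather than Invoke-WebRequest so that it also runs on the PowerShell 2.0 that SBS 2011 ships with.

```powershell
# Added example (not from the original post). Assumed names: "Default Web Site",
# "CertEnroll", mydomain.com, MYSERVER-CA and C:\temp\sstp.cer. Run elevated on the
# SBS/IIS box for steps 1, 2 and 4; step 3 is best run from an external client.
Import-Module WebAdministration

$site    = 'Default Web Site'
$vdir    = 'CertEnroll'
$cdpHost = 'mydomain.com'
$caName  = 'MYSERVER-CA'
$filter  = 'system.webServer/security/requestFiltering'
$path    = "IIS:\Sites\$site\$vdir"

# 1. Show the current request-filtering setting on the CertEnroll vdir only.
$before = Get-WebConfigurationProperty -PSPath $path -Filter $filter -Name 'allowDoubleEscaping'
"allowDoubleEscaping on '$site/$vdir' before: $($before.Value)"

# 2. Scope the change to the vdir so the stricter default stays in force for the
#    rest of the site; only the CRL directory needs to serve '+' in a filename.
Set-WebConfigurationProperty -PSPath $path -Filter $filter -Name 'allowDoubleEscaping' -Value $true
$after = Get-WebConfigurationProperty -PSPath $path -Filter $filter -Name 'allowDoubleEscaping'
"allowDoubleEscaping on '$site/$vdir' after:  $($after.Value)"

# 3. Fetch the base CRL and the delta CRL the way a client would. Before the fix the
#    delta CRL ("+" in the name) is rejected by request filtering (HTTP 404.11,
#    "double escape sequence") while the base CRL downloads fine, which is exactly
#    the symptom in the question.
$wc = New-Object System.Net.WebClient
foreach ($file in "$caName.crl", "$caName+.crl") {
    $url = "http://$cdpHost/$vdir/$file"
    try {
        $bytes = $wc.DownloadData($url)
        "{0,-55} OK   {1} bytes" -f $url, $bytes.Length
    } catch {
        "{0,-55} FAIL {1}" -f $url, $_.Exception.Message
    }
}

# 4. Let CryptoAPI do the same check the SSTP client does: build the chain and
#    retrieve every CDP and AIA URL in the server certificate. Look for the
#    "Delta CRL" lines; a "Failed" there is what produces 0x80092013 on the client.
certutil -verify -urlfetch C:\temp\sstp.cer
```

Step 3 is the useful one to repeat from an outside network after the change: the base CRL working while the delta CRL fails is the fingerprint of this particular IIS setting, and a browser test of only the base CRL URL (as in the question) will not reveal it.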

User contributions licensed under CC BY-SA 3.0