CRL revocation check fails, but the file can be retrieved

I have an IIS server on a 2016 box (it says IIS v10 on it) that is used to authenticate unix servers by certificate. I have confirmed connectivity to the internal CRL server: I can telnet to it, I can download the file, and certutil comes back with the following:

certutil -verify -urlfetch removed_for_privacy.cer
Issuer:
    CN=removed_for_privacy
    O=removed_for_privacy
    C=removed_for_privacy
  Name Hash(sha1): 35baf042268dc6dd33c1bcaf8656ab3339a2c06b
  Name Hash(md5): 0688a21d6c00b503fadf374e534604f1
Subject:
    CN=removed_for_privacy
    OU=removed_for_privacy
    O=removed_for_privacy
    L=removed_for_privacy
    S=removed_for_privacy
    C=removed_for_privacy
  Name Hash(sha1): 33db10b0a1303e8f58f12ea85a49e2d5c7956d28
  Name Hash(md5): d2162c234c3d235a530badf869764eeb
Cert Serial Number: 77001e3a38d80b8d528f0f4ed90000001e3a38

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 216 Days, 6 Minutes, 47 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 216 Days, 6 Minutes, 47 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=removed_for_privacy
  NotBefore: 12/03/2021 05:48
  NotAfter: 12/03/2023 05:48
  Subject: CN=removed_for_privacy
  Serial: 77001e3a38d80b8d528f0f4ed90000001e3a38
  Template: 1.3.6.1.4.1.311.21.8.1475819.1923179.2641816.6959893.4978592.187.3822061.5349830
  Cert: c829af51c2f97f9336b150f348a5ed07cccc8326
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0
    [0.0] http://removed_for_privacy.crt

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (01fb)" Time: 0
    [0.0] http://removed_for_privacy.crl

  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  Verified "OCSP" Time: 0
    [0.0] http://removed_for_privacy/ocsp

  --------------------------------
    CRL (null):
    Issuer: CN=removed_for_privacy
    ThisUpdate: 04/05/2021 14:02
    NextUpdate: 06/05/2021 14:22
    CRL: fbd7722100ef6f4ab7d03c290aca62a85c9c6441
  Issuance[0] = 1.2.826.0.1.1833679.1.1.5.5.5
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=removed_for_privacy
  NotBefore: 07/09/2017 12:47
  NotAfter: 07/09/2025 12:57
  Subject: CN=removed_for_privacy
  Serial: 7700000002404ed3d5c1d87a1b000000000002
  Cert: b0e971dc53ea6a1e0b7d620704f7d16a6091a8d1
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0
    [0.0] http://removed_for_privacy.crt

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (05)" Time: 0
    [0.0] http://removed_for_privacy.crl

  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
    CRL 05:
    Issuer: CN=removed_for_privacy
    ThisUpdate: 30/09/2020 15:26
    NextUpdate: 30/10/2021 15:46
    CRL: 2e6fdb9adf169af6b8f029a2374a52099538abd3

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=removed_for_privacy
  NotBefore: 31/08/2017 11:56
  NotAfter: 31/08/2037 11:56
  Subject: CN=removed_for_privacy
  Serial: 3bd2d21295368abd4a25a5dfb7c7921f
  Cert: bf8c3c705348b8d931d3853427f7f57bcf575d8d
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------

Exclude leaf cert:
  Chain: da7d7a37bb99548aa5500003e5c9b83407fa115b
Full chain:
  Chain: 7ff925ccc3a676b7ad1b1e9ad8ae0c3fc86cd71e
------------------------------------
Verified Issuance Policies:
    1.2.826.0.1.1833679.1.1.5.5.5
Verified Application Policies:
    1.3.6.1.5.5.7.3.2 Client Authentication
Leaf certificate revocation check passed

IIS returns a single 403 13 error, or more specifically:

2021-05-04 13:21:38 removed_for_privacy GET removed_for_privacy 443 - removed_for_privacy curl/7.29.0 - 403 13 2148081683 45020

Update:

It works straight away on a 2012 IIS box; both have double escaping disabled. So the issue is with IIS v10.
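The log line in the question carries more information than the bare "403 13": the last numeric field before time-taken is sc-win32-status, the HRESULT the certificate check failed with, logged in decimal. The following PowerShell is an added example, not code from the question or from IIS; it parses such a line and translates the status triple into the IIS sub-status meaning and the CryptoAPI error name. The field layout is an assumption inferred from the line in the question (it lacks the cs-uri-query column of the stock IIS layout), and the sample line itself is constructed with placeholder addresses.

```powershell
# Added example (not code from the original question). Decodes the
# sc-status / sc-substatus / sc-win32-status fields of an IIS W3C log line into
# the IIS 403 sub-status meaning and the CryptoAPI HRESULT name, so a "403 13"
# line can be read without guessing which revocation failure it records.

# Assumed field layout, inferred from the 14-column line in the question.
# Always confirm it against the "#Fields:" header of your own log file.
$IisFields = 'date time s-ip cs-method cs-uri-stem s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken' -split ' '

# Constructed sample line: the question's line with placeholder addresses.
$SampleLine = '2021-05-04 13:21:38 10.0.0.5 GET /auth/ 443 - 10.0.0.9 curl/7.29.0 - 403 13 2148081683 45020'

# IIS 403 sub-statuses that concern the client certificate.
$Iis403Substatus = @{
    7  = 'Client certificate required'
    13 = 'Client certificate revoked'
    16 = 'Client certificate is untrusted or invalid'
    17 = 'Client certificate has expired or is not yet valid'
}

# CryptoAPI revocation HRESULTs (winerror.h), keyed by the hex form that the
# decimal sc-win32-status value converts to.
$CryptHresult = @{
    '0x80092010' = 'CRYPT_E_REVOKED'
    '0x80092011' = 'CRYPT_E_NO_REVOCATION_DLL'
    '0x80092012' = 'CRYPT_E_NO_REVOCATION_CHECK'
    '0x80092013' = 'CRYPT_E_REVOCATION_OFFLINE'
    '0x80092014' = 'CRYPT_E_NOT_IN_REVOCATION_DATABASE'
}

function ConvertFrom-IisW3CLine {
    # Split one data line into a record using the field list. Comment lines
    # (starting with '#') must be filtered out by the caller.
    param(
        [Parameter(Mandatory)][string]$Line,
        [string[]]$Fields = $IisFields
    )
    $values = $Line -split ' '
    if ($values.Count -ne $Fields.Count) {
        throw "Expected $($Fields.Count) fields, got $($values.Count); check the #Fields: header"
    }
    $record = [ordered]@{}
    for ($i = 0; $i -lt $Fields.Count; $i++) { $record[$Fields[$i]] = $values[$i] }
    [pscustomobject]$record
}

function Resolve-IisClientCertError {
    # Translate the status triple of one record into readable names.
    param([Parameter(Mandatory, ValueFromPipeline)][pscustomobject]$Record)
    process {
        $status    = [int]$Record.'sc-status'
        $substatus = [int]$Record.'sc-substatus'
        $win32     = [uint32]$Record.'sc-win32-status'   # IIS logs it in decimal
        $hex       = '0x{0:X8}' -f $win32

        $iisMeaning = if ($status -eq 403 -and $Iis403Substatus.ContainsKey($substatus)) {
            $Iis403Substatus[$substatus]
        } else { 'n/a' }

        $win32Name = if ($CryptHresult.ContainsKey($hex)) {
            $CryptHresult[$hex]
        } else { "not in the table above; run: certutil -error $hex" }

        [pscustomobject]@{
            Time       = '{0} {1}' -f $Record.date, $Record.time
            Client     = $Record.'c-ip'
            HttpStatus = '{0}.{1}' -f $status, $substatus
            IisMeaning = $iisMeaning
            Win32Hex   = $hex
            Win32Name  = $win32Name
        }
    }
}

# Decode the constructed sample line.
ConvertFrom-IisW3CLine -Line $SampleLine | Resolve-IisClientCertError | Format-List

# Scan a whole log for client-certificate failures, for example:
# Get-Content C:\inetpub\logs\LogFiles\W3SVC1\u_ex210504.log |
#     Where-Object { $_ -notmatch '^#' } |
#     ForEach-Object { ConvertFrom-IisW3CLine -Line $_ } |
#     Resolve-IisClientCertError |
#     Where-Object { $_.HttpStatus -like '403.*' }
```

For the value in the question, 2148081683 is 0x80092013, which winerror.h defines as CRYPT_E_REVOCATION_OFFLINE: the chain engine could not reach a revocation source, as opposed to CRYPT_E_REVOKED, which would mean the certificate is actually on the CRL. The win32 status is what distinguishes the two cases behind the same 403.13. One caveat when comparing with the certutil output: certutil -verify -urlfetch runs under the interactive user's account, while the IIS/SChannel check runs under a service context whose network and proxy settings can differ, so a fetch that succeeds at the console does not by itself prove it succeeds for the server process.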