Off2w0rk
Brass Contributor
Dec 06, 2016

Outlook - Certificate has been revoked

Hi all,

Not sure if anyone has experienced it, but we are getting this error multiple times a day when using Outlook.

It says:

Outlook.office365.com

Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate.

The security certificate for this site has been revoked.

This site should not be trusted.

If we don't click OK, Outlook cannot send or receive emails. Sometimes this window is hidden behind and we are therefore not aware of it during the day.

If we click View Certificate, it looks legit and everything seems to be OK. If we enter OWA, we get the same certificate (according to thumbprint), but there is no warning or error.

We have created a case with the Exchange Online team, but they say there are no errors on their side and it's an internal network issue.

We have cleared the certificate revoke list from our DNS servers without any help.

Any ideas on how to troubleshoot this further?

We use Outlook 2016 with the latest updates and have all mailboxes in Exchange Online.

I only have my archive mailbox attached to my Outlook.

Thanks!

  • Was a resolution ever identified for this problem? I have the exact same issue with the exact same certificate. I opened a case with Microsoft support but they have not been any help so far.

    No changes have been made to our network, the CRL isn't being blocked by anything, it doesn't contain the serial number of the certificate in question and the problem is intermittent.

    • Hap
      Brass Contributor

      Unfortunately the cause was never found. MS was able to reproduce it twice on their end but didn't get the required logging. After that it didn't occur anymore.

      As we didn't change anything on our end, I had a suspicion they fixed it silently in one of their updates recently. Have you tried updating Outlook to the latest update?

    • Jane Etharia
      Copper Contributor

      Jeffrey Baltezegar wrote:

      Was a resolution ever identified for this problem? I have the exact same issue with the exact same certificate. I opened a case with Microsoft support but they have not been any help so far.

      No changes have been made to our network, the CRL isn't being blocked by anything, it doesn't contain the serial number of the certificate in question and the problem is intermittent.


      Hello Jeffrey,

      We have a case open with Microsoft. They requested logs and they have escalated it; so far it's a waiting game. Not sure of others.

  • Javier Garcia
    Copper Contributor

    Opened a 2nd ticket for Outlook since MS support always points fingers back and forth (117052515798731). Still getting nowhere and they've already quit trying to try and support the ticket since we are unable to reproduce the issue on command.

    Note, we have tried applying the "workarounds" by suppressing the prompt in IE and Outlook (HKCU\software\policies\microsoft\office\16.0\outlook\security\usecrlchasing Value=2) but it still doesn't seem to work.

    Only solution so far is to roll people back to Office 2013.

    • Hap
      Brass Contributor

      Javier Garcia wrote:

      Opened a 2nd ticket for Outlook since MS support always points fingers back and forth (117052515798731). Still getting nowhere and they've already quit trying to try and support the ticket since we are unable to reproduce the issue on command.

      Note, we have tried applying the "workarounds" by suppressing the prompt in IE and Outlook (HKCU\software\policies\microsoft\office\16.0\outlook\security\usecrlchasing Value=2) but it still doesn't seem to work.

      Only solution so far is to roll people back to Office 2013.


      Javier, I got word you closed the case because you found the issue to be related to your reverse proxy, is this correct?

      • Jane Etharia
        Copper Contributor

        Hap wrote:

        Javier Garcia wrote:

        Opened a 2nd ticket for Outlook since MS support always points fingers back and forth (117052515798731). Still getting nowhere and they've already quit trying to try and support the ticket since we are unable to reproduce the issue on command.

        Note, we have tried applying the "workarounds" by suppressing the prompt in IE and Outlook (HKCU\software\policies\microsoft\office\16.0\outlook\security\usecrlchasing Value=2) but it still doesn't seem to work.

        Only solution so far is to roll people back to Office 2013.


        Javier, I got word you closed the case because you found the issue to be related to your reverse proxy, is this correct?


        Thank you for the response. We opened a case and worked with MS support on the issue and they recommended bypassing autodiscover by modifying the registry keys, however the issue still persists. The issue only affects a couple of users. Will check to make sure they have the latest Office 2016 updates and also run an online full repair. We prefer not to downgrade to Office 2013.

    • Hap
      Brass Contributor

      Our case is also still open (REG:117052315783924). Not getting closer to a solution yet unfortunately. They keep asking for traces we cannot give as the issue can't be reproduced on demand. In the meantime I've supplied some dump files, but that didn't bring us any closer either, it seems... I'll update when we get more news from MS.

  • Javier Garcia
    Copper Contributor

    Same issue. Exchange 2013, Load-balanced servers via Netscaler. Noticed after upgrading clients to 2016. Ticket open with MS support but their only solution is to disable the "Check for Publisher's Certificate Revocation" in IE which is not a real solution. 

    • Hap
      Brass Contributor
      Can you send me your support nr? I will create a premier support request today and can reference your ticket.
      • MichaeL3_6
        Copper Contributor

        I keep getting the message that outlook.office365.com has had its security certificate revoked. Is this true? What action should I take?

  • Hap
    Brass Contributor

    Having the exact same issue here since upgrading to Outlook 2016 icw Exchange 2016 on-prem. FYI, we are using a Netscaler as a reverse proxy.

    Has anyone found a fix for this?

  • David Valcourt
    Copper Contributor

    Has anyone found a solution to this? I'm experiencing it with Exchange 2016 CU2 on-prem.

  • Mike Parker
    Iron Contributor
    Hi,

    Have you verified that you can contact the CRL from within your network and that the certificate thumbprint of the cert you are getting the error with isn't in that list? I have seen issues like this normally for a couple of hours but nothing long term. Just off the top of my head it sounds like it could be some issue contacting the CRL or some sort of Proxy in the middle of your clients and Exchange Online which is doing something strange with certificates?

    Mike
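
The check suggested in the post above, as an added PowerShell example (not code from any poster or from Microsoft): it reads the certificate the client is actually served and asks the Windows chain engine for its revocation status, separating a certificate reported as revoked from revocation data that could not be retrieved. `Test-EndpointRevocation` is a hypothetical helper name.

```powershell
# Added diagnostic sketch. Test-EndpointRevocation is a hypothetical helper name.
function Test-EndpointRevocation {
    param(
        [string]$HostName = 'outlook.office365.com',   # host shown in the prompt
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept any certificate so the one actually presented can be inspected,
        # even if it would fail validation. No application data is sent.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }

    # Rebuild the chain with the Windows chain engine, allowing CRL/OCSP retrieval.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    [void]$chain.Build($cert)
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    # Separate "listed as revoked" from "revocation data could not be checked".
    $verdict = 'Valid'
    if ($flags.Count -gt 0) { $verdict = 'OtherChainError' }
    if ($flags -contains 'RevocationStatusUnknown' -or $flags -contains 'OfflineRevocation') {
        $verdict = 'RevocationNotChecked'
    }
    if ($flags -contains 'Revoked') { $verdict = 'Revoked' }

    [pscustomobject]@{
        Time        = Get-Date -Format s
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer        # an inspecting proxy shows up here
        Thumbprint  = $cert.Thumbprint    # compare with the "View Certificate" dialog
        Serial      = $cert.SerialNumber  # value to look up in the CRL
        Verdict     = $verdict
        ChainStatus = $flags -join ', '
    }
}

Test-EndpointRevocation | Format-List
```

Because the prompt is intermittent, logging this output from an affected client on a schedule lets the thumbprint, issuer and verdict at the time of a prompt be compared with the values seen in OWA.
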
    • Off2w0rk
      Brass Contributor

      Hi Mark,

      Yes, we can access the URLs fine and the certificate is not on the revoke list.

      We do use Zscaler for web filtering, but since the URLs are not blocked and are accessible it is pretty strange. We have had this issue for almost a year now, even before we implemented Zscaler.

      I'm not the only one getting this error either, since more and more users are complaining about it. Since the EXO team closed the case, there is not much we can do.

      • Robert Skawinski
        Copper Contributor

        Hi,

        Same problem here. We are deploying a new Exchange Server 2016 and some clients have this problem sometimes.

        • CA-ROOT is inside Trusted Root Certification Authorities
        • Internet Explorer shows everything as valid
        • CRL is reachable from inside and outside

        Please help

        br

        Robert Skawinski
