Outlook - Certificate has been revoked

Brass Contributor

Hi all,

 

not sure if anyone has experienced it, but we are getting tthis error multiple times a day when using outlook.

It says :

 

Outlook.office365.com

Information you Exchange with this site cannot be viewed or changed by others. However, there is a problem with the sites security certificate.

The security certificate for this site has been revoked,

This site should not be trusted,

 

If we dont click OK, outlook cannot send or receive emails. Sometime this window is hidden behind and therefor are not aware of it during the day.

 

if we click view certificate, it looks legit and everything seems to be ok. If enter OWA, we get same certificate(according to thumbprint), but there is no warning or error,

 

We have created a case with Exchange online team, but they say there are no error from their side and its internal network issue.

We have cleared certificate revoke list from our DNS servers without any help.

Any ideas on how to troubleshoot this further?

 

We use Outlook 2016 with latest updates and have all mailboxes in Exchange online.

I only have my archive mailbox attached to my outlook,

 

Thanks!

40 Replies
Hi,

Have you verified that you can contact the CRL from within your network and that the certificate thumbprint of the cert you are getting the error with isn't in that list? I have seen issues like this normally for a couple of hours but nothing long term. Just off the top of my head it sounds like it could be some issue contacting the CRL or some sort of Proxy in the middle of your clients and Exchange Online which is doing something strange with certificates?

Mike

Hi Mark,

 

yes we can access the urls fine and the certificate is not on revoke list.

We do use Zscaler for web filtering, but since the urls are not blocked and are accessible it is pretty strange. We had this issue for almost a year now, even before we implemented Zscaler.

Im not the only one getting this error either, since more and more users are complaining about it. Since EXO team closed the case, there is nothing much we can do.

Hi,

 

same Problem here. We are deploying a new Exchange Server 2016 and some Clients have this problem sometimes.

  • CA-ROOT is inside Trusted Root Certification Authorities
  • Internet Explorer shows everything as valid
  • CRL is reachable from inside and outside

Please help

 

br

Robert Skawinski

Has anyone found a solution to this?  I'm experiencing it with Exchange 2016 CU2 on-prem.

Is this issue causing for all the users or limited users? what is your outlook version? If this is happening only for outlook 2013, refer to the MS article to resolve this you need to install hotfix-

 

https://support.microsoft.com/en-us/help/3007582/certificate-error-message-when-you-start-outlook-

or-create-an-outlook-profile

 

Having the exact same issue here since upgrading to Outlook 2016 icw Exchange 2016 onprem. fyi we are using a Netscaler as a reverse proxy.

 

Has anyone found a fix for this?

This is not relevant. We are seeing a certificate revoked message when there is nothing wrong with the certificate. Also the message doesn't pop up when creating a profile, but during use of Outlook, about once or twice a day. Sometimes it doesn't popup for days.

Same issue. Exchange 2013, Load-balanced servers via Netscaler. Noticed after upgrading clients to 2016. Ticket open with MS support but their only solution is to disable the "Check for Publisher's Certificate Revocation" in IE which is not a real solution. 

Can you send me your support nr? I will create a premier support request today and can reference your ticket.

If you're having certificate warnings in Outlook for an on-prem Exchange deployment you should post a screenshot here so we can see exactly what the warning says. There's a number of potential problems and solutions for certificate issues.

Here is the error message (Office 365):

 

CertError.png

@Amir Jafarian that looks like either a problem communicating with the CRL or there might be another issue with your system or an intermediate network device (like a proxy). Since you are connecting to Exchange Online you can raise a support ticket with Microsoft for troubleshooting assistance. You can also try running diagnostics with the SARA tool (https://diagnostics.outlook.com).

 

Other posters are complaining of certificate popups for on-premises Exchange server environments, which could be an entirely different problem with their server or certificate configuration.

Hi,

 

We're experiencing the same issue as @Amir Jafarian 

 

Fully patched msi version of Outlook 2016. Connecting to Exchange online. Sporadic Digicert certificate warnings across the org. Seems to happen most commonly when waking a device from sleep. I'd agree it looks like issues checking the CRL but can't find the cause.

 

We've got tickets open with Microsoft and our proxy vendor but not getting anywhere fast. We've had our proxy solution in place for some time without issue and nothing has changed.

 

I'll post if we find anything.

[REG:117051515740234]

@James Chapman wrote:

can't find the cause.

 

our proxy solution


I'm not a betting man, but...

Thanks. I created a case as well and referenced yours. 

 

Found out something interesting. Everytime the revoked message appears, I have 2 Lync event in my application eventlog at exactly that timestamp:

 

Lync has enabled event logging.
Information about failed calls will be sent to the Windows event log.

 

and

 

LyncPlatform has enabled event logging.
Information about failed calls will be sent to the Windows event log.

 

Other than this, it seems totally random. Can stay away for weeks, then popup daily.

Just a quick note. We have the same issues, but no proxy in between. Doubt it is related to your (forward) proxy, or did you mean reverse?

Opened a 2nd ticket for Outlook since MS support always points fingers back and forth (117052515798731). Still getting no where and they've already quit trying to try and support the ticket since we are unable to reproduce the issue on command.

 

Note, we have tried applying the "workarounds" by suppressing the prompt in IE and Outlook (HKCU\software\policies\microsoft\office\16.0\outlook\security\usecrlchasing Value=2) but still doesn't seem to work. 

 

Only solution so far is to roll people back to Office 2013.