SSTP Windows VPN Client Error: The revocation function was unable to check revocation

If you are deploying SSTP VPN for Windows clients and get the error: “The revocation function was unable to check revocation because the revocation server was offline.”, you are most likely using your own internal PKI and the certificate used for SSTP does not have a Certificate Revocation List (CRL) accessible from the outside, so the client machine is failing checking whether or not the certificate has been revoked from the CA. If you simply want to bypass this, you can edit the registry on the client:

Disable CRL Checking on VPN Client

  1. Start Registry Editor (Regedit.exe)
  2. Locate and then click the following key in the registry:
    HKEY_LOCAL_MACHINE > System > CurrentControlSet > Services > Sstpsvc > Parameters
  3. On the Edit menu > New > DWORD (32-bit) Value > and then add the following registry value:
    Value Name: NoCertRevocationCheck
    Value Data: 1

In the following video I setup SSTP VPN almost from scratch in about 10 minutes. I did run into a snag while Windows complained about a CN (common name) mismatch while it was actually a Subject Alternative Name DNS mismatch, not CN. I inadvertently proved that SSTP relies on the SAN name in the certificate. After 41 years of being in business they still don’t get their error messages right.

If you’re wondering why I’m specifying port 444 instead of leaving the port blank or entering 443, I’m performing port translation (PAT) on the firewall since I’m already using https for something else.

Source: for the NoCertRevocationCheck reg string

Disqus Comments Loading...

Recent Posts

Bittorrent IP Blocklists

In addition to using a VPN service, as an extra precaution I've been using the blocklist feature of my bittorrent… Read More

October 26, 2019 3:31 pm

FreeNAS Error Creating Pool

command '('gpart', 'create', '-s', 'gpt', '/dev/da8')' returned non-zero exit status 1. If you get this error while trying to create… Read More

June 7, 2019 3:44 pm

Change Grub Default Boot Entry on Linux Mint

I'm dual booting Windows and Linux Mint on my laptop. The grub default is to boot into Linux Mint, however… Read More

April 23, 2019 7:45 pm

How to Reset Secure Channel On Active Directory Domain Controller

When you're a little too careless about virtualizing your domain controllers, cloning, migrating, backing up and restoring, returning from vacation… Read More

April 21, 2019 8:14 am

Run Systemd Script Before System Shutdown

I tried to retain the NGINX FastCGI cache and have it persist across system reboots instead of being ephemeral by… Read More

April 20, 2019 10:14 am

Learn Systemctl Usage to Manage Systemd Service in Linux

Systemd is new service manager for Linux. It's a replacement for all previous init systems (SysV/SysVinit & Ubuntu's Upstart) and… Read More

April 20, 2019 7:55 am