Friday, March 29, 2013

Cannot request a certificate and Error 1722: The RPC server is unavailable

RPC errors can be ugly and are often not easy to identify. In the last months I had two Windows PKI installations where I ran into error 1722, "The RPC server is unavailable". In both cases the Windows CA was up and running, but I could not enroll or autoenroll certificates. So I checked the firewall rules and the CA server's time and date, and I used certutil.exe -ping CAhostname to verify RPC communication with the CA over the network.

I first ran certutil -ping with the NetBIOS name of the CA, and that worked. That is also why nobody had noticed a problem with the machine before: file transfer or a ping by NetBIOS name worked fine.


C:\system\>certutil -ping win5011
Connecting to win5011 ...
Server "AAA Frontoso R3" ICertRequest2 interface is alive
CertUtil: -ping command completed successfully.


But certutil -ping with the fully qualified hostname failed.


C:\system\adhc>certutil -ping win5011.frontoso.com
Connecting to win5011.frontoso.com ...
Server could not be reached: The RPC server is unavailable. 0x800706ba (WIN32: 1722)

CertUtil: -ping command FAILED: 0x800706ba (WIN32: 1722)
CertUtil: The RPC server is unavailable.


In both cases it turned out that the client used a non-Microsoft DNS server for the Active Directory environment, and the A record for the CA's FQDN there pointed at the wrong IP address. Enrolling clients locate the CA through its configuration string, which carries the CA's DNS FQDN rather than its NetBIOS name, so a bad FQDN record breaks enrollment even while the short name still resolves correctly. After correcting the IP address in DNS, certutil -ping with the FQDN worked, and so did certificate enrollment. The lesson: when the CA answers under one name but not the other, compare how both names resolve before digging into RPC and firewall settings.
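The name-resolution comparison described above, written out as a small diagnostic. This is an added example and not part of the original post: it resolves the NetBIOS name and the FQDN, compares the results and says which side to look at next. The default resolver asks the operating system through the socket module; the resolver is injectable so the check can also run against a constructed name table. The host names win5011 and win5011.frontoso.com are taken from the post; all IP addresses are constructed from the 192.0.2.0/24 documentation range and are not real.

```python
"""Compare how a CA's NetBIOS name and FQDN resolve before blaming RPC.

Added example, not from the original post. Host names are the post's; the
addresses below are constructed (192.0.2.0/24 documentation range).
"""
import socket


def system_resolver(name):
    """Return the set of IPv4 addresses the OS resolver gives for `name` (empty if none)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def check_ca_names(short_name, fqdn, resolver=system_resolver):
    """Resolve both names and explain any mismatch.

    Mirrors the situation where certutil -ping succeeds with one name and
    fails with the other: if the two names do not resolve to the same
    address(es), the problem is in DNS, not in RPC.
    """
    short_addrs, fqdn_addrs = resolver(short_name), resolver(fqdn)
    if not short_addrs and not fqdn_addrs:
        verdict = "neither name resolves: DNS/WINS problem, not RPC"
    elif not fqdn_addrs:
        verdict = f"{fqdn} does not resolve: missing A record for the FQDN"
    elif not short_addrs:
        verdict = f"{short_name} does not resolve: check the DNS suffix search list"
    elif short_addrs != fqdn_addrs:
        verdict = (f"names resolve differently ({short_name} -> {sorted(short_addrs)}, "
                   f"{fqdn} -> {sorted(fqdn_addrs)}): fix the FQDN record before touching RPC")
    else:
        verdict = "both names resolve to the same address(es); look at RPC/firewall next"
    return {"short": sorted(short_addrs), "fqdn": sorted(fqdn_addrs),
            "consistent": bool(short_addrs) and short_addrs == fqdn_addrs,
            "verdict": verdict}


# Constructed name tables (not real data): BROKEN_DNS reproduces the post's
# situation, where the short name is right but the FQDN record points at a
# stale address; FIXED_DNS is the state after the record was corrected.
BROKEN_DNS = {"win5011": {"192.0.2.10"}, "win5011.frontoso.com": {"192.0.2.99"}}
FIXED_DNS = {"win5011": {"192.0.2.10"}, "win5011.frontoso.com": {"192.0.2.10"}}


def table_resolver(table):
    """Build a resolver that answers from a static name table instead of the OS."""
    return lambda name: set(table.get(name, ()))


if __name__ == "__main__":
    for label, table in (("broken", BROKEN_DNS), ("fixed", FIXED_DNS)):
        result = check_ca_names("win5011", "win5011.frontoso.com", table_resolver(table))
        print(f"{label}: {result['verdict']}")
    # Against the real resolver of the machine you are troubleshooting:
    # print(check_ca_names("win5011", "win5011.frontoso.com")["verdict"])
```

Run it with the two names from the CA configuration string on the client that fails to enroll; the commented-out call at the end uses the machine's own resolver, which is the one certutil and autoenrollment use.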

Ease Your Life when using Openssl s_client

I am a big fan of openssl for certificate and network troubleshooting, and I use it most of the time from a Windows system. I use openssl s_client very often to verify network connectivity to a web or application server and to troubleshoot certificate errors in applications.

openssl s_client prints a lot of valuable information, but to inspect the certificate itself you first have to get it into a file format the tools understand. That should be easier. :-)

Example: openssl s_client -connect www.google.com:443



Loading 'screen' into random state - done
CONNECTED(00000128)
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
[cut]
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 2103 bytes and written 332 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
[cut]

The validity period (start and end) and the thumbprint of the server certificate are not displayed. In the past I copied the lines from BEGIN CERTIFICATE to END CERTIFICATE into Notepad and saved the file as cert1.cer. Then I could double-click the file in Windows Explorer and had a nice interface to browse all attributes. Last week I found a more convenient way: redirect the entire openssl s_client output into cert1.cer, and the Windows certificate viewer is smart enough to pick the certificate out of the surrounding output. Keep in mind that the viewer only shows you the certificate; it does not tell you whether the chain is trusted. The "verify error:num=20:unable to get local issuer certificate" lines in the output above most likely mean that this OpenSSL build on Windows had no trusted root store to check the chain against, so the verify result only means something once you point s_client at a CA bundle with -CAfile.

openssl s_client -connect www.google.com:443 > cert1.cer

Now you have a nice graphical interface to go through all the certificate information, including the validity period and the thumbprint.
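For the cases where there is no Windows certificate viewer at hand (a jump host, a script, a Linux box), the same trick can be done in code: read the whole s_client output, cut out the first PEM block and print what s_client leaves out. The script below is an added example and not part of the original post. It uses only the Python standard library, so the validity dates are read with a minimal DER walker rather than a full X.509 parser, and the SHA-1 fingerprint is what the Windows dialog calls the thumbprint. The embedded sample input is constructed: the certificate in it is a hand-built, unsigned ASN.1 structure with empty names, not a real Google certificate. On a system with a complete OpenSSL install, openssl x509 -noout -dates -fingerprint on the saved file gives the same information. When capturing s_client output to a file, remember that s_client keeps the connection open until its stdin is closed, so send it a Q or pipe something into it.

```python
"""Pull the server certificate out of raw `openssl s_client` output and print
the validity period and fingerprints that s_client does not show.

Added example, not from the original post. Standard library only; SAMPLE_OUTPUT
below is constructed and its certificate is a hand-built, unsigned structure.
"""
import base64
import hashlib
import re
import sys
import textwrap
from datetime import datetime, timezone

# First PEM block anywhere in the text, so the full s_client output can be fed in.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def extract_pem(text):
    """Return the first PEM certificate block found in arbitrary text."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM certificate in input")
    return "-----BEGIN CERTIFICATE-----" + m.group(1) + "-----END CERTIFICATE-----"


def pem_to_der(pem):
    """Strip the armour lines and base64-decode the certificate body."""
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def _read_tlv(buf, pos):
    """Parse one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each element of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        yield tag, val


def _asn1_time(tag, val):
    """UTCTime (0x17, YYMMDDhhmmssZ) or GeneralizedTime (0x18, YYYYMMDDhhmmssZ) to datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def validity(der):
    """Return (notBefore, notAfter) from a DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, ... }
    """
    _, cert, _ = _read_tlv(der, 0)
    tbs = next(_children(cert))[1]
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:               # explicit [0] version present (v2/v3)
        fields = fields[1:]
    times = [_asn1_time(t, v) for t, v in _children(fields[3][1])]
    return times[0], times[1]


def fingerprints(der):
    """SHA-1 (the 'thumbprint' in the Windows dialog) and SHA-256 over the DER bytes."""
    def colon(h):
        return ":".join(h[i:i + 2] for i in range(0, len(h), 2)).upper()
    return {"sha1": colon(hashlib.sha1(der).hexdigest()),
            "sha256": colon(hashlib.sha256(der).hexdigest())}


def report(text):
    """Everything s_client leaves out, from its raw output."""
    der = pem_to_der(extract_pem(text))
    not_before, not_after = validity(der)
    return {"not_before": not_before, "not_after": not_after,
            "expired": datetime.now(timezone.utc) > not_after, **fingerprints(der)}


# --- constructed sample input: hand-built, unsigned DER, NOT a real certificate ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _sample_der():
    seq = lambda *parts: _tlv(0x30, b"".join(parts))
    utc = lambda s: _tlv(0x17, s.encode())
    sha256_rsa = seq(_tlv(0x06, bytes.fromhex("2a864886f70d01010b")), _tlv(0x05, b""))
    tbs = seq(_tlv(0xA0, _tlv(0x02, b"\x02")),                 # version v3
              _tlv(0x02, b"\x01\x02\x03"),                      # serialNumber
              sha256_rsa,                                       # signature algorithm
              seq(),                                            # issuer (empty placeholder)
              seq(utc("130301000000Z"), utc("140301000000Z")),  # validity
              seq(),                                            # subject (empty placeholder)
              seq())                                            # subjectPublicKeyInfo placeholder
    return seq(tbs, sha256_rsa, _tlv(0x03, b"\x00"))            # no real signature


SAMPLE_OUTPUT = (
    "CONNECTED(00000128)\n---\nCertificate chain\n 0 s:/CN=example.test\n---\n"
    "Server certificate\n-----BEGIN CERTIFICATE-----\n"
    + "\n".join(textwrap.wrap(base64.b64encode(_sample_der()).decode(), 64))
    + "\n-----END CERTIFICATE-----\nsubject=/CN=example.test\n---\n"
    "SSL handshake has read 2103 bytes and written 332 bytes\n")

if __name__ == "__main__":
    # usage: python s_client_cert.py cert1.cer   (file written by the redirect above)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    for key, value in report(text).items():
        print(f"{key}: {value}")
```

Point the script at the cert1.cer file produced by the redirect; without an argument it runs against the constructed sample. The DER walker deliberately reads only as far as the validity field, which is all that is needed here; anything beyond that (names, extensions) is better left to a real X.509 parser.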