Friday, March 29, 2013

Cannot request a certificate and Error 1722: The RPC server is unavailable

RPC errors can be ugly and are often not that easy to identify. In the last few months I had two Windows PKI installations where I ran into error 1722, RPC server not available. In both cases the Windows CA was up and running, but I could not enroll or autoenroll certificates. So I checked the firewall rules and the CA server's time and date, and I used certutil.exe -ping CAhostname to verify RPC network communication.

I ran certutil -ping once with the NetBIOS name of the CA and everything worked. That is why nobody had noticed an issue with the machine before: file transfers and pings by NetBIOS name had always worked.

C:\system\>certutil -ping win5011
Connecting to win5011 ...
Server "AAA Frontoso R3" ICertRequest2 interface is alive
CertUtil: -ping command completed successfully.

But certutil -ping with the fully qualified hostname failed.

C:\system\adhc>certutil -ping
Connecting to ...
Server could not be reached: The RPC server is unavailable. 0x800706ba (WIN32: 1722)

CertUtil: -ping command FAILED: 0x800706ba (WIN32: 1722)
CertUtil: The RPC server is unavailable.

So it turned out that in both cases the client used a non-Microsoft DNS server for the Active Directory environment, and the FQDN of the CA server was incorrectly configured there. After correcting the IP address in DNS, certutil -ping with the FQDN worked, and so did certificate enrollment.

Ease Your Life when using Openssl s_client

I am really a big fan of openssl for certificate and network communication troubleshooting, and I use it most of the time from a Windows system.
I use the openssl s_client command very often to verify network connectivity to a web or application server and to troubleshoot certificate errors in applications.

Openssl s_client outputs a lot of valuable information, but to inspect the certificate you first have to get it into the correct file format. That should be easier to do. :-)

Example: openssl s_client -connect

Loading 'screen' into random state - done
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/
   i:/C=US/O=Google Inc/CN=Google Internet Authority
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
No client certificate CA names sent
SSL handshake has read 2103 bytes and written 332 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE

Information about the validity period (start and end) and the server certificate thumbprint is not displayed. In the past I copied the lines from BEGIN CERTIFICATE to END CERTIFICATE into a text file using Notepad and saved the file as cert1.cer. Then I could double-click the file in Windows Explorer and had a nice interface to search through all the attributes. Last week I figured out a more convenient way to do that: you can redirect the entire openssl s_client output into a cert1.cer file, and the Windows Certificate Wizard is smart enough to pick out just the certificate from all the surrounding output.

openssl s_client -connect > cert1.cer

Now you have a nice graphical interface to go through all the certificate information.
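The same trick without the Windows viewer, as an added example that is not from the original post: a small Python script that reads saved s_client output, ignores the handshake chatter, pulls out the PEM certificate block and reports exactly the two fields the summary leaves out, the validity period and the SHA-1 thumbprint (SHA-1 over the DER bytes, which is what the Windows viewer's Thumbprint field shows). The DER walker only reads as far as the validity field, and the sample input is a constructed, unsigned certificate skeleton, not a real certificate.

```python
# Added example: extract the certificate from saved `openssl s_client` output.
import base64, hashlib, re
from datetime import datetime

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def extract_der_certs(s_client_output):
    """DER bytes of every PEM block in the text; everything around it is ignored."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(s_client_output)]

def _tlv(buf, pos):
    """Minimal DER tag/length/value reader: (tag, value_start, value_end, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length, pos + length

def validity(der):
    """Walk Certificate -> tbsCertificate -> validity; return (notBefore, notAfter)."""
    pos = _tlv(der, _tlv(der, 0)[1])[1]                 # into Certificate, then tbsCertificate
    tag, _, _, nxt = _tlv(der, pos)
    if tag == 0xA0:                                     # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(3):                                  # skip serialNumber, signature, issuer
        _, _, _, pos = _tlv(der, pos)
    _, pos, _, _ = _tlv(der, pos)                       # validity SEQUENCE
    times = []
    for _ in range(2):
        tag, start, end, pos = _tlv(der, pos)
        fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
        times.append(datetime.strptime(der[start:end].decode("ascii"), fmt))
    return tuple(times)

def thumbprint(der):
    """SHA-1 over the DER bytes, upper-case hex: the Thumbprint field in the Windows viewer."""
    return hashlib.sha1(der).hexdigest().upper()

def _der(tag, content):
    return bytes([tag, len(content)]) + content         # short-form DER encoder (< 128 bytes)

def constructed_sample():
    """CONSTRUCTED s_client-style output around an unsigned, minimal certificate
    skeleton; it is not a real certificate and only its validity field is meaningful."""
    valid = _der(0x30, _der(0x17, b"130329000000Z") + _der(0x17, b"140329000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, b"") + _der(0x30, b"") + valid)
    pem = base64.encodebytes(_der(0x30, tbs)).decode()
    return ("depth=1 C = US, O = Example\nverify return:0\n-----BEGIN CERTIFICATE-----\n"
            + pem + "-----END CERTIFICATE-----\nSSL handshake has read 2103 bytes\n")
```

Feed it the redirected cert1.cer file instead of constructed_sample() to get the same two fields on any system with Python and no certificate viewer.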