KB0015 - Offline PSU server has slow dashboards

Disclaimer

Be careful when changing any settings on your server that relate to the Certificate Revocation List. You should only do this if you know what you are doing. Read the related GitHub articles (linked below) in their entirety.

Symptom

PSU servers that are disconnected from the internet (offline) have slow dashboard start-up times.

Root Cause

PowerShell Core attempts to download the Certificate Revocation List from Microsoft, and the request times out.

Related Links


Workaround #1 (confirmed)

You can reduce the timeout value for the Revocation List check to 1 second by setting the registry values with the PowerShell script below. After applying it, restart the PowerShell Universal service or the IIS web site.

Only enable these settings if your machine isn't exposed to the Internet or doesn't have access to a Certificate Revocation List! Keep in mind that this is not a global solution: the problem with CRL checking differs from application to application and from server to server. Also always think about how to provide your servers with the latest root certificates as well as an up-to-date Certificate Revocation List.

# Run from an elevated session: these keys live under HKLM.
$chainEngine = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine'
$config      = "$chainEngine\Config"

# Create the keys if missing (existing keys are left untouched)
foreach ($key in $chainEngine, $config) {
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Set timeout values to 1 second (1000 ms)
New-ItemProperty -Path $config -Name ChainUrlRetrievalTimeoutMilliseconds -Value 1000 -PropertyType DWORD -Force
New-ItemProperty -Path $config -Name ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds -Value 1000 -PropertyType DWORD -Force
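
To check the effect of the workaround and keep a rollback path, the following added example (not part of the original article or of PowerShell Universal) reads the two policy values, times an online revocation check for the certificate that signed the running PowerShell executable, and can remove the values again. The function names are hypothetical; run it in a new elevated session before and after applying the workaround and compare the elapsed time.

```powershell
# Added example; function names are hypothetical, registry names are the article's.
$ConfigPath = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config'
$ValueNames = 'ChainUrlRetrievalTimeoutMilliseconds',
              'ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds'

function Get-CrlTimeoutPolicy {
    # Report each policy value, or $null when it is not set (OS default applies).
    foreach ($name in $ValueNames) {
        $item = Get-ItemProperty -Path $ConfigPath -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name         = $name
            Milliseconds = if ($item) { $item.$name } else { $null }
        }
    }
}

function Measure-RevocationCheck {
    # Time an online revocation check for the certificate that signed a file.
    # Default target: the executable of the current PowerShell process.
    param([string]$FilePath = (Get-Process -Id $PID).Path)

    $signer = (Get-AuthenticodeSignature -FilePath $FilePath).SignerCertificate
    if (-not $signer) { throw "No Authenticode signer certificate found for $FilePath" }

    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    try {
        $timer = [System.Diagnostics.Stopwatch]::StartNew()
        $null  = $chain.Build($signer)
        $timer.Stop()
        [pscustomobject]@{
            File        = $FilePath
            ElapsedMs   = $timer.ElapsedMilliseconds
            # On an offline server expect RevocationStatusUnknown / OfflineRevocation here.
            ChainStatus = ($chain.ChainStatus.Status | Sort-Object -Unique) -join ', '
        }
    }
    finally { $chain.Dispose() }
}

function Remove-CrlTimeoutPolicy {
    # Rollback: delete both values so Windows returns to its default timeouts.
    foreach ($name in $ValueNames) {
        Remove-ItemProperty -Path $ConfigPath -Name $name -ErrorAction SilentlyContinue
    }
}

Get-CrlTimeoutPolicy | Format-Table -AutoSize
Measure-RevocationCheck | Format-List
```

Call `Remove-CrlTimeoutPolicy` once the server has a reachable Certificate Revocation List again, then restart the PowerShell Universal service or IIS web site as after the original change.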

Workaround #2 (unconfirmed)


