Really, REALLY frustrated with this. So I've done extensive research and none of the articles I have looked at have fixed the issue. Exchange 2013 running on Windows Server 2012.
I have run get-exchangecertificate -server "servername" and documented the thumbprint.
enable-exchangecertificate -server "servername" -thumbprint "
No go
I have no proxy server
I have a Juniper firewall and set up a MIP and policies to allow 443, 25 and 80 to go to my CAS server.
When I put the machine in the public, it works fine. In other words, no firewall open to everyone on the web. I'm thinking there is some port that needs to be opened to have the cert revocation work.
Here is the dump of my certutil -verify -urlfetch.
PS C:\sysadmin> certutil -urlfetch -verify webmail.mydomain.com.crt
Issuer:
SERIALNUMBER=07969287
CN=Go Daddy Secure Certification Authority
OU=http://certificates.godaddy.com/repository
O=GoDaddy.com, Inc.
L=Scottsdale
S=Arizona
C=US
Name Hash(sha1): 70292276537f1abc8fd53c9484e914cb762a052a
Name Hash(md5): 042d5597d3d5978836f3cc27bc59f931
Subject:
CN=webmail.mydomain.com
OU=Domain Control Validated
Name Hash(sha1): be557be1c137c978cecf6d1606a078f0ba75be6e
Name Hash(md5): 0a63e2b3f2bb7f91e01ef58b983fa711
Cert Serial Number: 07887e2158c42d
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwRevocationFreshnessTime: 327 Days, 2 Hours, 40 Minutes, 58 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwRevocationFreshnessTime: 327 Days, 2 Hours, 40 Minutes, 58 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotBefore: 3/18/2013 2:49 PM
NotAfter: 3/15/2014 8:46 PM
Subject: CN=webmail.mydomain.com, OU=Domain Control Validated
Serial: 07887e2158c42d
SubjectAltName: DNS Name=webmail.mydomain.com, DNS Name=www.webmail.mydomain.com, DNS Name=aas-ex-cas
01.apex.prod, DNS Name=APEX.PROD, DNS Name=mydomain.com, DNS Name=AutoDiscover.APEX.PROD, DNS Name=AutoDiscover
mydomain.com, DNS Name=webmail.apex.prod
2d f3 08 88 cd f7 69 a3 40 6b ed 8a 76 2c 8a 3c c6 6d 2e 6d
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] http://certificates.godaddy.com/repository/gd_intermediate.crt
---------------- Certificate CDP ----------------
Expired "Base CRL (0c)" Time: 0
[0.0] http://crl.godaddy.com/gds1-87.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
Expired "OCSP" Time: 0
[0.0] http://ocsp.godaddy.com/
--------------------------------
CRL (null):
Issuer: CN=Go Daddy Validation Authority, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, LLC", L=Scottsdale, S=Arizona, C=US
ThisUpdate: 3/18/2013 4:02 PM
NextUpdate: 3/18/2013 10:02 PM
39 7b 2a 5f 78 d5 36 62 2c eb 50 6a cd 39 6c 31 dc 90 e4 dd
Issuance[0] = 2.16.840.1.114413.1.7.23.1
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
NotBefore: 11/15/2006 7:54 PM
NotAfter: 11/15/2026 7:54 PM
Subject: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
Serial: 0301
7c 46 56 c3 06 1f 7f 4c 0d 67 b3 19 a8 55 f6 0e bc 11 fc 44
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
Verified "Base CRL" Time: 0
[0.0] http://certificates.godaddy.com/repository/gdroot.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
Expired "OCSP" Time: 0
[0.0] http://ocsp.godaddy.com
--------------------------------
CRL (null):
Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
ThisUpdate: 4/26/2012 2:03 PM
NextUpdate: 4/26/2013 2:03 PM
d2 73 ad 70 39 95 10 c4 f1 7f d5 0f d7 8c 4f 2c 11 c7 61 a1
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing
CertContext[0][2]: dwInfoStatus=109 dwErrorStatus=0
Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
NotBefore: 6/29/2004 11:06 AM
NotAfter: 6/29/2034 11:06 AM
Subject: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
Serial: 00
27 96 ba e6 3f 18 01 e2 77 26 1b a0 d7 77 70 02 8f 20 ee e4
Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing
Exclude leaf cert:
83 1c c7 85 83 73 fb 26 ce 79 12 ef 9d ef f1 d1 c3 c9 05 23
Full chain:
b4 b3 8e 61 f8 e1 0b 9d 5a 46 67 69 83 40 35 68 27 00 1c a1
Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotBefore: 3/18/2013 2:49 PM
NotAfter: 3/15/2014 8:46 PM
Subject: CN=webmail.mydomain.com, OU=Domain Control Validated
Serial: 07887e2158c42d
SubjectAltName: DNS Name=webmail.mydomain.com, DNS Name=www.webmail.mydomain.com, DNS Name=aas-ex-cas
01.apex.prod, DNS Name=APEX.PROD, DNS Name=mydomain.com, DNS Name=AutoDiscover.APEX.PROD, DNS Name=AutoDiscover
mydomain.com, DNS Name=webmail.apex.prod
2d f3 08 88 cd f7 69 a3 40 6b ed 8a 76 2c 8a 3c c6 6d 2e 6d
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
------------------------------------
Revocation check skipped -- server offline
Cert is an End Entity certificate
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
CertUtil: -verify command completed successfully.
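The firewall policies described in the post are inbound (443, 25 and 80 toward the CAS), but every AIA, CDP and OCSP URL in the dump is a plain http:// URL that the CAS itself must fetch outbound. A quick way to turn a certutil -urlfetch dump into an outbound allow-list, and to see which fetches were not fresh, is to parse the section headers, the Verified/Expired/No URLs status lines and the [n.m] URL lines. The script below is an added example written for this post, not something from the original thread or from Microsoft; it embeds a trimmed copy of the AIA/CDP/OCSP sections from the dump above as its sample input, and the function names and the "Failed" status word it also accepts are this example's own assumptions.

```python
import re
from urllib.parse import urlparse

# Sample input: the AIA/CDP/OCSP sections of the certutil -urlfetch -verify dump
# quoted in the post, trimmed to the lines this parser cares about (constructed excerpt).
SAMPLE_DUMP = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] http://certificates.godaddy.com/repository/gd_intermediate.crt
---------------- Certificate CDP ----------------
Expired "Base CRL (0c)" Time: 0
[0.0] http://crl.godaddy.com/gds1-87.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
Expired "OCSP" Time: 0
[0.0] http://ocsp.godaddy.com/
--------------------------------
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
Verified "Base CRL" Time: 0
[0.0] http://certificates.godaddy.com/repository/gdroot.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
Expired "OCSP" Time: 0
[0.0] http://ocsp.godaddy.com
--------------------------------
"""

# One regex per line type that certutil emits in the urlfetch sections.
CERT_RE = re.compile(r"^CertContext\[(\d+)\]\[(\d+)\]:")
SECTION_RE = re.compile(r"^-{4,} (Certificate AIA|Certificate CDP|Base CRL CDP|Certificate OCSP) -{4,}$")
STATUS_RE = re.compile(r'^(Verified|Expired|Failed|No URLs)\s+"([^"]*)"\s+Time: (\d+)$')
URL_RE = re.compile(r"^\[(\d+)\.(\d+)\]\s+(\S+)$")


def parse_urlfetch(dump):
    """Walk the dump line by line and return one record per URL certutil tried.

    Each record holds the chain position of the certificate, the section
    (AIA / CDP / OCSP), certutil's verdict for that section, and the URL.
    Sections reporting "No URLs" carry no URL line and so produce no record.
    """
    records = []
    cert = section = status = None
    for raw in dump.splitlines():
        line = raw.strip()
        m = CERT_RE.match(line)
        if m:
            cert = int(m.group(2))          # index within the chain: 0 = leaf
            section = status = None
            continue
        m = SECTION_RE.match(line)
        if m:
            section, status = m.group(1), None
            continue
        m = STATUS_RE.match(line)
        if m:
            status = m.group(1)
            continue
        m = URL_RE.match(line)
        if m and section is not None:
            records.append({"cert": cert, "section": section,
                            "status": status, "url": m.group(3)})
    return records


def failing_urls(records):
    """URLs whose fetch did not come back 'Verified'.

    'Expired' means certutil only had a stale cached copy and could not fetch a
    fresh one, which is exactly the 0x80092013 'server offline' condition.
    """
    seen = []
    for r in records:
        url = r["url"].rstrip("/")           # treat .../ and ... as the same endpoint
        if r["status"] != "Verified" and url not in seen:
            seen.append(url)
    return seen


def required_egress(records):
    """(host, port) pairs the server must be able to reach outbound for chain
    building and revocation checking; port derived from the URL scheme."""
    pairs = set()
    for r in records:
        u = urlparse(r["url"])
        port = u.port or (443 if u.scheme == "https" else 80)
        pairs.add((u.hostname, port))
    return sorted(pairs)


if __name__ == "__main__":
    recs = parse_urlfetch(SAMPLE_DUMP)
    for r in recs:
        print(f"cert[{r['cert']}] {r['section']:<16} {r['status']:<8} {r['url']}")
    print("not fresh:", failing_urls(recs))
    print("outbound allow-list:", required_egress(recs))
```

Against the dump in the post this reports the intermediate download and the root CRL as Verified, and the leaf's CRL (http://crl.godaddy.com/gds1-87.crl) and the OCSP responder (http://ocsp.godaddy.com) as Expired, so the three GoDaddy hosts need outbound TCP/80 from the CAS. The dump's own numbers say the same thing: the cached CRL's NextUpdate was 3/18/2013 10:02 PM and dwRevocationFreshnessTime is 327 days, so the server has been running on a stale CRL for most of a year rather than failing on one bad fetch.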