ASPNetFAQ.com: What is ASP.NET?

Troubleshooting SSL in IIS

Terri Donahue @ OrcsWeb was helping a client with an SSL problem recently and wrote up this nice guest post below to help anyone else who may be in a similar troubleshooting situation.

————————————————————-
I encountered a very interesting SSL issue while resolving a problem for a client this week. An SSL certificate was installed on a 3-node web farm but only worked on the initial node where the certificate was installed. All intermediate and root certificates were installed correctly and no errors were reported with the certificate itself. When the expiring certificate was bound to the website, the site would load as expected. As soon as the new certificate, issued by a different CA, was installed, the website started returning an error: “Cannot find server or DNS error”. This was a very descriptive error and pointed right to the issue, right? :) There was nothing logged in Event Viewer or the local web logs to aid in troubleshooting this issue.

Enter Microsoft’s SSL Diagnostic utility. There are multiple versions that can be downloaded to aid in resolving issues like this one.

The utility queries the metabase and returns all pertinent information related to the website including SSL certificates. Here is sample output that the utility creates:

[ W3SVC/1574480769 ]
ServerComment = domain.com
ServerAutoStart = True
ServerState = Server started
#Impersonated server account
SSLCertHash = b4 be fd 64 83 b8 92 50 df 36 21 5d e1 bc f4 f4 cd 2b 96 14
SSLStoreName = MY
#CertName = www.domain.com
#You have a private key that corresponds to this certificate
#ContainerName='{EC491630-C400-4AAF-B644-EFEB4BFDC9F3}'
#ProvName='Microsoft RSA SChannel Cryptographic Provider' ProvType=PROV_RSA_SCHANNEL KeySpec=AT_KEYEXCHANGE
#Subject: O=www.domain.com, OU=Domain Control Validated, CN=www.domain.com
#Issuer: C=US, S=Arizona, L=Scottsdale, O="Starfield Technologies, Inc.", OU=http://certificates.starfieldtech.com/repository, CN=Starfield Secure Certification Authority, SERIALNUMBER=10688435
#Validity: From 11/14/2011 5:00:36 PM To 11/14/2012 5:00:36 PM
CertVerifyCertificateChainPolicy succeeded
SecureBindings = 192.168.1.1:443:

[ W3SVC/16 ]
ServerComment = test.domain.com
ServerAutoStart = True
ServerState = Server started
#Impersonated server account
SSLCertHash = 0d 17 d0 4f bd 92 4f 55 27 80 ea 20 db a1 4d 97 97 53 3d 47
SSLStoreName = MY
#CertName = test.domain.com
#You have a private key that corresponds to this certificate
#ContainerName='{D2188304-709C-4B30-86A0-CD3BD8B247EF}'
#ProvName='Microsoft RSA SChannel Cryptographic Provider' ProvType=PROV_RSA_SCHANNEL KeySpec=AT_KEYEXCHANGE
#Subject: O=test.domain.com, OU=Domain Validated, OU=Go to https://www.thawte.com/repository/index.html, OU=Thawte SSL123 certificate, CN=test.domain.com
#Issuer: C=ZA, S=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA, E=server-certs@thawte.com
#Validity: From 1/3/2006 11:43:37 AM To 1/3/2008 4:14:07 AM
#WARNING:CertVerifyCertificateChainPolicy returned error -2146762495(0x800b0101)
SecureBindings = 127.0.0.1:443:

As you can see from the output, the www.domain.com site shows no errors, while the test.domain.com site shows a problem with the certificate chain (the CertVerifyCertificateChainPolicy warning). Using this information, you can then work toward correcting the certificate chain problem to get your test.domain.com SSL certificate working.

The www.domain.com certificate is the one that I was troubleshooting at the time. As you can see from the output, the certificate was valid and should have worked. Within the SSL Diagnostics application, you can right click on a website listed and choose to Simulate SSL Handshake. This will test the actual process of accessing and receiving data from a site that is using SSL. Finally, I was able to get an actual error and start researching the resolution of the problem rather than looking at a generic meaningless error:

System time: Tue, 15 Nov 2011 21:21:55 GMT
Connecting to 66.129.67.156:443
Connected
Handshake: 42 bytes sent
#WARNING:Handshake: unspecified error receiving data
#WARNING:Handshake: 0x80090304 (-2146893052) error

Using this information, I was able to Google the error and find the solution to my problem.
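An added example, not part of Terri's post or of the SSL Diagnostics tool: a PowerShell script that performs the same three checks the utility does (private key present, certificate chain policy, simulated SSL handshake) against every HTTPS binding on an IIS 7 or later server, where the WebAdministration module has replaced the IIS 6 metabase the utility queried. The host name 'www.domain.com' is assumed from the post's output; run it in an elevated PowerShell on the web server itself.

```powershell
Import-Module WebAdministration

function Test-IisSslBinding {
    param([string]$HostName = 'www.domain.com')   # assumed host name; change it

    foreach ($b in Get-ChildItem IIS:\SslBindings) {
        $ip   = if ($b.IPAddress -eq '0.0.0.0') { '127.0.0.1' } else { $b.IPAddress }
        $cert = Get-ChildItem "Cert:\LocalMachine\$($b.Store)" |
                Where-Object { $_.Thumbprint -eq $b.Thumbprint }
        if (-not $cert) { Write-Warning "[ $($b.IPAddress):$($b.Port) ] bound certificate not in store"; continue }
        Write-Host "[ $($b.IPAddress):$($b.Port) ] $($cert.Subject)"

        # 1. Equivalent of 'You have a private key that corresponds to this certificate'.
        #    A certificate copied to another farm node without its key still binds but
        #    cannot complete a handshake, which matches the symptom described in the post.
        if (-not $cert.HasPrivateKey) { Write-Warning 'no private key for this certificate' }

        # 2. Equivalent of CertVerifyCertificateChainPolicy: build the chain from the
        #    machine stores and list every status flag. NotTimeValid is what the post's
        #    0x800B0101 (CERT_E_EXPIRED) maps to; PartialChain means a missing intermediate.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        if ($chain.Build($cert)) {
            Write-Host 'CertVerifyCertificateChainPolicy succeeded'
        } else {
            foreach ($s in $chain.ChainStatus) {
                Write-Warning "chain: $($s.Status) - $($s.StatusInformation.Trim())"
            }
        }

        # 3. Equivalent of 'Simulate SSL Handshake': connect to the binding and complete
        #    TLS as a client. A server-side key problem surfaces here as an exception
        #    even when the certificate itself verifies cleanly, as it did in the post.
        $tcp = $null; $ssl = $null
        try {
            $tcp = New-Object System.Net.Sockets.TcpClient($ip, $b.Port)
            $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
            $ssl.AuthenticateAsClient($HostName)
            Write-Host "handshake OK: $($ssl.SslProtocol) / $($ssl.CipherAlgorithm)"
        } catch {
            Write-Warning "handshake failed: $($_.Exception.GetBaseException().Message)"
        } finally {
            if ($ssl) { $ssl.Dispose() }
            if ($tcp) { $tcp.Close() }
        }
    }
}

Test-IisSslBinding
```

The validation callback accepts any server certificate on purpose, so that the handshake step reports only server-side failures (missing or inaccessible key) rather than the client-side trust problems already covered by the chain step.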

As we all know, SSL is very important and troubleshooting certificate issues can be difficult. Microsoft’s SSL Diagnostics utility can provide the added assistance that we need to quickly and efficiently resolve SSL errors. Check it out the next time you run into an SSL issue that is stumping you.

Terri Donahue
Support Specialist
MCSE 2003 + Security

OrcsWeb Managed Hosting Solutions
Remarkable Service. Remarkable Support.
www.orcsweb.com

————————————————————-
Happy Hosting!


4 comments on “Troubleshooting SSL in IIS”

  1. Marcelo Barreto says:
    April 11, 2012 at 4:30 pm

    Hi, Terri!

    I still have one issue. This error “WARNING:CertVerifyCertificateChainPolicy returned error” remains, and when I run “Simulate SSL Handshake” the result is “Final handshake: 23 bytes sent successfully”.

    Any other tip, please?!

  2. Terri Donahue says:
    April 11, 2012 at 5:52 pm

    Hi Marcelo,

    Certificate chain issues can still result in a successful handshake between the client and the server. If your client already has enough information about the certificate issuer or can successfully acquire that information when browsing the site, the connection can be made without getting an error. The best way to resolve certificate chains is to use a site that is designed to locate missing intermediate certificates and you can then contact the vendor to get those certificates and install them on your web server. The site I use to validate certificates after installing them is provided by SSL Checker: http://www.sslshopper.com/ssl-checker.html. Enter the domain name that is failing and click Check SSL. This will determine if your certificate chain is valid and if not, returns the missing certificate chain name. Once you have that information, you can contact support for the issuer of your SSL certificate and should be able to quickly resolve the chain error.

  3. Hattie Angelini says:
    June 18, 2012 at 1:38 pm

    Thanks a lot for your great post. I have been searching for such information for a really long time. Not everything is completely clear to me, but it is definitely interesting and worth reading.
