Terri Donahue @ OrcsWeb was helping a client with an SSL problem recently and wrote up this nice guest post below to help anyone else who may be in a similar troubleshooting situation.
————————————————————-
I encountered a very interesting SSL issue while resolving a problem for a client this week. An SSL certificate was installed on a 3 node web farm but only worked on the initial node where the certificate was installed. All intermediate and root certificates were installed correctly and no errors were reported with the certificate itself. When the expiring certificate was bound to the website, the site would load as expected. As soon as the new certificate, issued by a different CA, was installed, the website started returning an error: “Cannot find server or DNS error”. This was a very descriptive error and pointed right to the issue, right? :) There was nothing logged in Event Viewer or the local web logs to aid in troubleshooting this issue.
Enter Microsoft’s SSL Diagnostic utility. There are multiple versions that can be downloaded to aid in resolving issues like this one.
The utility queries the metabase and returns all pertinent information related to the website including SSL certificates. Here is sample output that the utility creates:
[ W3SVC/1574480769 ]
ServerComment = domain.com
ServerAutoStart = True
ServerState = Server started
#Impersonated server account
SSLCertHash = b4 be fd 64 83 b8 92 50 df 36 21 5d e1 bc f4 f4 cd 2b 96 14
SSLStoreName = MY
#CertName = www.domain.com
#You have a private key that corresponds to this certificate
#ContainerName='{EC491630-C400-4AAF-B644-EFEB4BFDC9F3}’
#ProvName=’Microsoft RSA SChannel Cryptographic Provider’ ProvType=PROV_RSA_SCHANNEL KeySpec=AT_KEYEXCHANGE
#Subject: O=www.domain.com, OU=Domain Control Validated, CN=www.domain.com
#Issuer: C=US, S=Arizona, L=Scottsdale, O=”Starfield Technologies, Inc.”,
OU=http://certificates.starfieldtech.com/repository, CN=Starfield Secure Certification Authority, SERIALNUMBER=10688435
#Validity: From 11/14/2011 5:00:36 PM To 11/14/2012 5:00:36 PM
CertVerifyCertificateChainPolicy succeeded
SecureBindings = 192.168.1.1:443:
[ W3SVC/16 ]
ServerComment = test.domain.com
ServerAutoStart = True
ServerState = Server started
#Impersonated server account
SSLCertHash = 0d 17 d0 4f bd 92 4f 55 27 80 ea 20 db a1 4d 97 97 53 3d 47
SSLStoreName = MY
#CertName = test.domain.com
#You have a private key that corresponds to this certificate
#ContainerName='{D2188304-709C-4B30-86A0-CD3BD8B247EF}’
#ProvName=’Microsoft RSA SChannel Cryptographic Provider’ ProvType=PROV_RSA_SCHANNEL KeySpec=AT_KEYEXCHANGE
#Subject: O=test.domain.com, OU=Domain Validated, OU=Go to https://www.thawte.com/repository/index.html, OU=Thawte SSL123 certificate, CN=test.domain.com
#Issuer: C=ZA, S=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA, E=server-certs@thawte.com
#Validity: From 1/3/2006 11:43:37 AM To 1/3/2008 4:14:07 AM
#WARNING:CertVerifyCertificateChainPolicy returned error -2146762495(0x800b0101)
SecureBindings = 127.0.0.1:443:
As you can see from the output, the www.domain.com site shows no errors and the test.domain.com displays that there is a problem with the certificate chain. Using this information, you can then work toward correcting the certificate chain problem to get your test.domain.com SSL certificate working.
The www.domain.com certificate is the one that I was troubleshooting at the time. As you can see from the output, the certificate was valid and should have worked. Within the SSL Diagnostics application, you can right click on a website listed and choose to Simulate SSL Handshake. This will test the actual process of accessing and receiving data from a site that is using SSL. Finally, I was able to get an actual error and start researching the resolution of the problem rather than looking at a generic meaningless error:
System time: Tue, 15 Nov 2011 21:21:55 GMT
Connecting to 66.129.67.156:443
Connected
Handshake: 42 bytes sent
#WARNING:Handshake: unspecified error receiving data
#WARNING:Handshake: 0x80090304 (-2146893052) error
Using this information, I was able to Google the error and find the solution to my problem.
As we all know, SSL is very important and troubleshooting certificate issues can be difficult. Microsoft’s SSL Diagnostics utility can provide the added assistance that we need to quickly and efficiently resolve SSL errors. Check it out the next time you run into an SSL issue that is stumping you.
Terri Donahue
Support Specialist
MCSE 2003 + Security
OrcsWeb Managed Hosting Solutions
Remarkable Service. Remarkable Support.
www.orcsweb.com
————————————————————-
Happy Hosting!
More from my site
Great Pointers For Analyzing Memory Crash Dumps
Installing and configuring Bonobo GIT Server for Windows (IIS7) for remote IIS push capability (Guest Post)- Resolving a “There is a duplicate ‘system.web.extensions/scripting/scriptResourceHandler’ section defined” Error
Basic IIS Performance Statistics- Implementing Application Initialization on IIS 7.5
Hi, Terri!
I have one issue yet. This error “WARNING:CertVerifyCertificateChainPolicy returned error” remains and when I run “Simulate SSL Handshake” the result is “Final handshake: 23 bytes sent successfully”.
Any other tip, please?!
Hi Marcelo,
Certificate chain issues can still result in a successful handshake between the client and the server. If your client already has enough information about the certificate issuer or can successfully acquire that information when browsing the site, the connection can be made without getting an error. The best way to resolve certificate chains is to use a site that is designed to locate missing intermediate certificates and you can then contact the vendor to get those certificates and install them on your web server. The site I use to validate certificates after installing them is provided by SSL Checker: http://www.sslshopper.com/ssl-checker.html. Enter the domain name that is failing and click Check SSL. This will determine if your certificate chain is valid and if not, returns the missing certificate chain name. Once you have that information, you can contact support for the issuer of your SSL certificate and should be able to quickly resolve the chain error.
Thanks a lot for your great post. I have been searching for such information for a really long time. Not everything is completely clear to me, but it is definitely interesting and worth reading.