cbeaudry1


SSL will no longer work after migration

I transferred a web site from one Windows 2000 box running IIS 5.0 to another running the same software. I used the Microsoft Management Console to export the site's SSL certificate to a .pfx file. I then imported that .pfx file into the new box also using MMC. Finally I assigned that certificate to the website in IIS.

IIS says that the certificate is valid and that my private key corresponds. However, when I go to the site over the Internet, I get a "Page Not Found" error whenever I use https://. This didn't happen on the old server.

I've tried everything:

1. I made sure that port 443 was indicated for SSL in the website's properties.
2. I stopped and started both the web site, IIS and Web Services
3. I uninstalled and reinstalled sspifilt.dll on the server
4. I rebooted the machine.
5. I uninstalled and re-installed the certificate AND test certificates available from Thawte.

Nothing works.

What other things should I check to get this working? Thanks for any help. I need it urgently.
msice

Did you make sure to require SSL on the site under security at the bottom? If not, https will provide that error.
Also, if you changed the computer, did you change the IP address? If so, the router might need to be changed to point to the new web server's IP address for port 443.
Or just use the old web server's IP address for the new web server.

ASKER

The IP address was unbound from the first server and then bound again to the new server. The site shows up normally without SSL. Secured connections should not be required to access the entire site. Only the ordering process needs it. In the site's properties (IIS5.0), there is no check box to "require" SSL. The only field in the website tab refers to the SSL's port number and that's set to 443.
In IIS right click the folder that requires the SSL "the ordering process folder" and go to Properties. Select the Directory Security tab. At the bottom click edit and require SSL.
The ordering process is already forced through a secured layer by VBscript through an include on those particular pages. The problem is that the SSL doesn't work at all on the site. http://www.site.com shows up but https://www.site.com does not even though it did on the old server. The certificate is the same, and so are the settings. The only difference between the two is that the new server also runs SQL and Cold Fusion.
In IIS right click the site that requires the SSL and go to Properties. Select the Directory Security tab. At the bottom click server certificate and go through the setup. If you have done this, click edit and require SSL. If you haven't done these steps the SSL is not turned on for the site!
That check box requires that all connections be done through SSL. If that box is checked, then all users are forced to view the site through https://. This is not required for this site. The SSL should be accessible through links that include https:// but it isn't. That check box is only used when all pages must be displayed through the SSL.

Just for the heck of it, I did check the box. When I went to the homepage without a secured connection, an error appeared saying that the page could only be viewed through SSL. Because SSL doesn't work, the page didn't display. Again, that check box is only used to force users to see the site through SSL, not to activate SSL itself.
You either use SSL in a given folder or you don't, not both! So look at where the https links are pointing to (what folder) and in IIS right click that folder that requires the SSL "probably the ordering process folder" and go to Properties. Select the Directory Security tab. At the bottom click edit and require SSL for that folder.
Oh, you can also do this for individual files, so if there is an order.htm file or something like that, you can set just that file for SSL using the same process except the tab is called File Security.
This is from this site http://www.microsoft.com/windows2000/en/server/iis/htm/core/iiectsc.htm?id=97

To enable client certificates

In the Internet Information Services snap-in, select a Web site, directory, or file, and open its property sheets.
If you have not previously obtained a server certificate, select the Directory Security property sheet, under Secure Communications, click Server Certificate. For more information, see Using the New Security Task Wizards.
If you have previously obtained a server certificate, select the Directory Security or File Security property sheet, then under Secure Communications, click Edit.
In the Secure Communications dialog box, select the Require secure channel (SSL) check box. Requiring a secure channel means that user cannot connect to this site without using a secure link (that is, the link's URL must begin with https://).
Under Client certificates select one of the following to enable client certificate authentication:
Accept client certificates: Users can access the resource with a client certificate, but the certificate is not required.
Require client certificates: The server will request a client certificate before connecting the user to the resource. Users without a valid client certificate will be denied access.
Ignore client certificates: Users with or without a client certificate will be granted access.
Maybe it was set to "Ignore client certificates" - Users with or without a client certificate will be granted access. On the old Site.
Can you look at the old server's IIS properties?
The properties are set the same and are set to "ignore"
You should try importing the certificate through mmc. This is how I do it on IIS 5 and 6, and it always works.

http://searchsupport.verisign.com/content/kb/vs27348.html
Problem solved. It had nothing to do with either IIS or the certificate itself. After we dug through all the processes, we discovered that a piece of software called DigiChat was using port 443 even though it's not supposed to. Once we shut down the Java chat server and rebooted, the SSL started functioning.
Good Catch ;)

J