Solved

SSL will no longer work after migration

Posted on 2004-08-04
Last Modified: 2013-12-04
I transferred a web site from one Windows 2000 box running IIS 5.0 to another running the same software. I used the Microsoft Management Console to export the site's SSL certificate to a .pfx file. I then imported that .pfx file into the new box also using MMC. Finally I assigned that certificate to the website in IIS.

IIS says that the certificate is valid and that my private key corresponds. However, when I go to the site over the Internet, I get a "Page Not Found" error whenever I use https://. This didn't happen on the old server.

I've tried everything:

1. I made sure that port 443 was indicated for SSL in the website's properties.
2. I stopped and started both the web site, IIS and Web Services.
3. I uninstalled and reinstalled sspifilt.dll on the server
4. I rebooted the machine.
5. I uninstalled and re-installed the certificate AND test certificates available from Thawte.

Nothing works.

What other things should I check to get this working? Thanks for any help. I need it urgently.
Question by:cbeaudry1
19 Comments
 
LVL 7

Expert Comment

by:msice
Did you make sure to require SSL on the site under security at the bottom? If not, https will provide that error.
 
LVL 7

Expert Comment

by:msice
Also, if you changed the computer, did you change the IP address? If so, the router might need to be changed to point to the new webserver's IP address for port 443.
 
LVL 7

Expert Comment

by:msice
Or just use the old webserver's IP address for the new webserver.
 

Author Comment

by:cbeaudry1
The IP address was unbound from the first server and then bound again to the new server. The site shows up normally without SSL. Secured connections should not be required to access the entire site. Only the ordering process needs it. In the site's properties (IIS5.0), there is no check box to "require" SSL. The only field in the website tab refers to the SSL's port number and that's set to 443.
 
LVL 7

Expert Comment

by:msice
In IIS right click the folder that requires the SSL "the ordering process folder" and go to Properties. Select the Directory Security tab. At the bottom click edit and require SSL.
 

Author Comment

by:cbeaudry1
The ordering process is already forced through a secured layer by VBScript through an include on those particular pages. The problem is that the SSL doesn't work at all on the site. http://www.site.com shows up but https://www.site.com does not, even though it did on the old server. The certificate is the same, and so are the settings. The only difference between the two is that the new server also runs SQL and Cold Fusion.
 
LVL 7

Expert Comment

by:msice
In IIS right click the site that requires the SSL and go to Properties. Select the Directory Security tab. At the bottom click Server Certificate and go through the setup. If you have done this, click Edit and require SSL. If you haven't done these steps the SSL is not turned on for the site!
 

Author Comment

by:cbeaudry1
That check box requires that all connections be done through SSL. If that box is checked, then all users are forced to view the site through https://. This is not required for this site. The SSL should be accessible through links that include https:// but it isn't. That check box is only used when all pages must be displayed through the SSL.

Just for the heck of it, I did check the box. When I went to the homepage without a secured connection, an error appeared saying that the page could only be viewed through SSL. Because SSL doesn't work, the page didn't display. Again, that check box is only used to force users to see the site through SSL, not to activate SSL itself.
 
LVL 7

Expert Comment

by:msice
You either use SSL in a given folder or you don't, not both! So look at where the https links are pointing to (what folder) and in IIS right click that folder that requires the SSL "probably the ordering process folder" and go to Properties. Select the Directory Security tab. At the bottom click edit and require SSL for that folder.

 
LVL 7

Expert Comment

by:msice
Oh, you can also do this for individual files, so if there is an order.htm file or something like that, you can set just that file for SSL using the same process except the tab is called File Security.
 
LVL 7

Expert Comment

by:msice
This is from this site http://www.microsoft.com/windows2000/en/server/iis/htm/core/iiectsc.htm?id=97

To enable client certificates

1. In the Internet Information Services snap-in, select a Web site, directory, or file, and open its property sheets.
2. If you have not previously obtained a server certificate, select the Directory Security property sheet, under Secure Communications, click Server Certificate. For more information, see Using the New Security Task Wizards.
3. If you have previously obtained a server certificate, select the Directory Security or File Security property sheet, then under Secure Communications, click Edit.
4. In the Secure Communications dialog box, select the Require secure channel (SSL) check box. Requiring a secure channel means that user cannot connect to this site without using a secure link (that is, the link's URL must begin with https://).
5. Under Client certificates select one of the following to enable client certificate authentication:
   Accept client certificates: Users can access the resource with a client certificate, but the certificate is not required.
   Require client certificates: The server will request a client certificate before connecting the user to the resource. Users without a valid client certificate will be denied access.
   Ignore client certificates: Users with or without a client certificate will be granted access.
 
LVL 7

Expert Comment

by:msice
Maybe it was set to "Ignore client certificates" (users with or without a client certificate will be granted access) on the old site.
 
LVL 7

Expert Comment

by:msice
Can you look at the old server's IIS properties?
 

Author Comment

by:cbeaudry1
The properties are set the same and are set to "ignore".
 
LVL 9

Expert Comment

by:jdeclue
You should try importing the certificate through mmc. This is how I do it on IIS 5 and 6, and it always works.

http://searchsupport.verisign.com/content/kb/vs27348.html
 

Author Comment

by:cbeaudry1
Problem solved. It had nothing to do with either IIS or the certificate itself. After we dug through all the processes, we discovered that a piece of software called DigiChat was using port 443 even though it's not supposed to. Once we shut down the Java chat server and rebooted, the SSL started functioning.
 
LVL 9

Expert Comment

by:jdeclue
Good Catch ;)

J
 

Accepted Solution

by:
CetusMOD earned 0 total points
Question PAQ'd
500 points refunded.

CetusMOD
Community Support Moderator
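
The check that would have surfaced the cause found in this thread, as an added example that is not part of the original posts: it parses `netstat -ano` output and reports any process other than the web server that is listening on port 443. The sample output, PIDs and process names (including `java.exe` for the chat server) are constructed for illustration; `inetinfo.exe` is the IIS 5.0 service process.

```python
import re

# Constructed sample of Windows `netstat -ano` output; not taken from the thread.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1180
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       2412
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       904
  TCP    192.0.2.10:443         198.51.100.7:50211     ESTABLISHED     2412
  TCP    [::]:443               [::]:0                 LISTENING       2412
  UDP    0.0.0.0:443            *:*                                    2412
"""

# Constructed PID-to-image map, standing in for what `tasklist` would report.
SAMPLE_PROCESSES = {1180: "inetinfo.exe", 2412: "java.exe", 904: "sqlservr.exe"}

# Matches only TCP rows in LISTENING state; the address may be IPv4 or bracketed IPv6.
LISTEN_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def listeners(netstat_text):
    """Return (local_address, port, pid) for every listening TCP socket."""
    found = []
    for line in netstat_text.splitlines():
        m = LISTEN_ROW.match(line)
        if m:
            found.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return found


def port_conflicts(netstat_text, processes, port=443, expected="inetinfo.exe"):
    """List listeners on `port` that are not owned by the expected web server."""
    findings = []
    for address, local_port, pid in listeners(netstat_text):
        image = processes.get(pid, "unknown")
        if local_port == port and image.lower() != expected.lower():
            findings.append({"address": address, "pid": pid, "image": image})
    return findings


if __name__ == "__main__":
    for hit in port_conflicts(SAMPLE_NETSTAT, SAMPLE_PROCESSES):
        print("port 443 held by %(image)s (PID %(pid)d) on %(address)s" % hit)
```
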