SSL works with self-signed cert, fails with GoDaddy cert

Posted on 2007-12-05
Medium Priority
Last Modified: 2009-07-29
2003 R2 server running Exchange 2007
OWA is running successfully with self-signed cert.
When I tried to switch to the GoDaddy SAN cert I'd imported using the Exchange Management Shell, OWA stopped working. It was ok as soon as I switched back to the self-signed cert.

So, I created a 2nd website, just to test, on the same server running as follows:
HTTP: port 99
HTTPS: port 999

Both sites are running on all available IP addresses with no host restrictions.

HTTP works fine on port 99.  HTTPS works fine on port 999, so long as I use the self-signed cert.

As soon as I switch to the GoDaddy cert HTTPS stops working for that website.  I get the following error in IE:

"Internet Explorer cannot display the webpage
   Most likely causes:
You are not connected to the Internet.
The website is encountering problems.
There might be a typing error in the address. "

The self-signed cert and the GoDaddy cert both serve the same DNS name.  In other words, it's not a host name mismatch.  Even if it were, I'd expect the cert to be presented with a warning rather than not be presented to the browser at all.

A packet trace shows a successful 3-way handshake to set up a TCP connection on port 999, which is subsequently shut down gracefully (from a TCP perspective) with a FIN, FIN-ACK sequence.  Something is going on at the application level.

As soon as I switch back to the self-signed cert, it starts working again.

I have successfully imported the GoDaddy intermediate cert using MMC, and it shows up in the Intermediate Certification Authorities certificate list.

I did create the CSR for this cert on one machine (which now has apparently unrelated IIS issues) with the Exchange Management Shell and originally imported it on that box. I exported it from there as a PFX, including the private key, and successfully imported it to the new server (where I'm currently having problems) with the Exchange Management Shell. There were no errors on the certificate import in the shell.

Any ideas why IIS doesn't like this cert?
Question by:jaredcall
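
The symptom in the question (TCP connects, then the server closes with no certificate ever presented) can be told apart from a listener problem with a staged client probe. This is an added example, not part of the original thread; `probe_tls` and `start_closing_listener` are hypothetical names, and the listener is a constructed stand-in for the failing site.

```python
import socket
import ssl
import threading

def probe_tls(host, port, timeout=5.0):
    """Return (stage, detail); stage is 'tcp_failed', 'tls_failed' or 'tls_ok'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp_failed", f"{type(exc).__name__}: {exc}")
    # Verification is switched off on purpose: a self-signed or mismatched
    # certificate must still complete the handshake, so a failure here means
    # the server presented no usable certificate at all.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return ("tls_ok", f"{tls.version()}, certificate of {len(der)} bytes")
    except OSError as exc:  # ssl.SSLError and socket timeouts derive from OSError
        sock.close()
        return ("tls_failed", f"{type(exc).__name__}: {exc}")

def start_closing_listener():
    """Constructed stand-in: accept the TCP connection, then close without TLS."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.close()  # graceful close, no ServerHello ever sent
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    port = start_closing_listener()
    print(probe_tls("127.0.0.1", port))
```

A current Python build may also refuse the protocol versions an older server offers, which reports `tls_failed` as well, so compare the result against the same port with the working certificate bound.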

Accepted Solution

Sembee earned 1500 total points
ID: 20415698
Why are you trying to use non-standard ports?
Exchange is pretty hard coded to use port 80 and 443; trying to use non-standard ports will usually fail.

Have you tested the certificate on another machine? It is not unusual to get suspect certificates from suppliers which means they have to be reissued.


Author Comment

ID: 20415871
I'm using non-standard ports because the standard ports are in use by OWA, which exhibits the same symptoms if I tell it to use this cert.

I did test it on another machine, and happened to choose a machine with other IIS issues causing it not to work even over HTTP, but that's another problem.

There is nothing indicative of a problem in the Event Log, nor in the HTTP error logs.  In fact, nothing shows up in the error or access logs at all for the failed requests.

I'll test on another machine and see what happens.

Expert Comment

ID: 20416314
A broken SSL certificate will not log anything because the secure channel isn't created. Therefore I am not surprised that you are not seeing anything in the logs.


Author Comment

ID: 20425539
Re-keyed the cert and all is well. Never did figure out what was wrong with the originally issued one.

