SSL works with self-signed cert, fails with GoDaddy cert
Posted on 2007-12-05
2003 R2 server running Exchange 2007
OWA is running successfully with self-signed cert.
When I tried to switch to the GoDaddy SAN cert I'd imported using the Exchange Management Shell, OWA stopped working. It was OK as soon as I switched back to the self-signed cert.
So, I created a 2nd website, just to test, on the same server running as follows:
HTTP: port 99
HTTPS: port 999
Both sites are running on all available IP addresses with no host restrictions.
HTTP works fine on port 99. HTTPS works fine on port 999, so long as I use the self-signed cert.
As soon as I switch to the GoDaddy cert HTTPS stops working for that website. I get the following error in IE:
"Internet Explorer cannot display the webpage
Most likely causes:
You are not connected to the Internet.
The website is encountering problems.
There might be a typing error in the address."
The self-signed cert and the GoDaddy cert both serve the same DNS name. In other words, it's not a host name mismatch. Even if it were, I'd expect the cert to be presented with a warning rather than not be presented to the browser at all.
A packet trace shows a successful 3-way handshake to set up a TCP connection on port 999, which is subsequently shut down gracefully (from a TCP perspective) with a FIN, FIN-ACK sequence. Something is going on at the application level.
As soon as I switch back to the self-signed cert, it starts working again.
I have successfully imported the GoDaddy intermediate cert using MMC, and it shows up in the Intermediate Certification Authorities certificate list.
I did create the CSR for this cert on one machine (which now has apparently unrelated IIS issues) with the Exchange Management Shell and originally imported it on that box. I exported it from there as a PFX, including the private key, and successfully imported it to the new server (where I'm currently having problems) with the Exchange Management Shell. There were no errors on the certificate import in the shell.
Any ideas why IIS doesn't like this cert?
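The packet-trace observation in the post (TCP connects on port 999, then the connection is closed before any certificate reaches the browser) can be reproduced from a client with a short probe that reports which stage fails. This is an added example, not part of the original post; the function name `probe_tls` and the host name in the usage line are assumptions.

```python
import socket
import ssl
import sys


def probe_tls(host, port, timeout=5.0):
    """Return (stage, detail); stage is 'tcp_failed', 'tls_failed' or 'tls_ok'."""
    # Stage 1: plain TCP connect (the 3-way handshake seen in the packet trace).
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp_failed", f"{type(exc).__name__}: {exc}")

    # Stage 2: TLS handshake. Verification is switched off on purpose: the
    # question is whether the server presents any certificate at all, not
    # whether a client would trust it. Do not reuse this context for real traffic.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True) or b""
            return ("tls_ok",
                    f"{tls.version()}, server presented a {len(der)}-byte certificate")
    except (ssl.SSLError, OSError) as exc:
        # A server that accepts the connection and then closes it without
        # answering the ClientHello ends up here (EOF or reset mid-handshake).
        return ("tls_failed", f"{type(exc).__name__}: {exc}")
    finally:
        sock.close()


if __name__ == "__main__":
    # Hypothetical host name; port 999 is the test site's HTTPS port from the post.
    target = sys.argv[1] if len(sys.argv) > 1 else "owa.example.test"
    print(probe_tls(target, 999))
```

A `tls_failed` result with an EOF or reset error matches the trace described in the post: the listener is up, but the server ends the connection instead of completing the handshake with the bound certificate.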