Solved

SSL works with self-signed cert, fails with GoDaddy cert

Posted on 2007-12-05
919 Views
Last Modified: 2009-07-29
2003 R2 server running Exchange 2007
OWA is running successfully with self-signed cert.
When I tried to switch to the GoDaddy SAN cert I'd imported using the Exchange Management Shell, OWA stopped working. It was ok as soon as I switched back to the self-signed cert.

So, I created a 2nd website, just to test, on the same server running as follows:
HTTP: port 99
HTTPS: port 999

Both sites are running on all available IP addresses with no host restrictions.

HTTP works fine on port 99.  HTTPS works fine on port 999, so long as I use the self-signed cert.

As soon as I switch to the GoDaddy cert HTTPS stops working for that website.  I get the following error in IE:

"Internet Explorer cannot display the webpage

Most likely causes:
You are not connected to the Internet.
The website is encountering problems.
There might be a typing error in the address."

The self-signed cert and the GoDaddy cert both serve the same DNS name.  In other words, it's not a host name mismatch.  Even if it were, I'd expect the cert to be presented with a warning rather than not be presented to the browser at all.

A packet trace shows a successful 3-way handshake to set up a TCP connection on port 999, which is subsequently shut down gracefully (from a TCP perspective) with a FIN, FIN-ACK sequence.  Something is going on at the application level.

As soon as I switch back to the self-signed cert, it starts working again.

I have successfully imported the GoDaddy intermediate cert using MMC, and it shows up in the Intermediate Certification Authorities certificate list.

I did create the CSR for this cert on one machine (which now has apparently unrelated IIS issues) with the Exchange Management Shell and originally imported it on that box. I exported it from there as a PFX, including the private key, and successfully imported it to the new server (where I'm currently having problems) with the Exchange Management Shell. There were no errors on the certificate import in the shell.

Any ideas why IIS doesn't like this cert?
Question by:jaredcall
4 Comments
 
LVL 104

Accepted Solution

by:
Sembee earned 500 total points
Why are you trying to use non-standard ports?
Exchange is pretty hard coded to use port 80 and 443, trying to use non standard ports will usually fail.

Have you tested the certificate on another machine? It is not unusual to get suspect certificates from suppliers, which means they have to be reissued.

Simon.
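Sembee's advice to test the certificate from another machine can be made precise with a client-side probe. The script below is an added example, not code from this thread or from Exchange/IIS; it uses only the Python standard library and takes the host and port from the command line. It separates the symptom described in the question (TCP handshake completes, then the server closes the connection before any certificate is presented, which is what the FIN/FIN-ACK trace shows) from the case where a certificate is presented but the client rejects it (name mismatch or untrusted chain), which a browser reports as a warning rather than a blank failure. The outcome labels and the second unverified pass are constructed for this example.

```python
"""TLS probe: tell "server closed before presenting a cert" apart from
"cert presented but rejected". Added example, standard library only."""
import socket
import ssl
import sys

# Outcome labels (constructed for this example).
OK = "handshake completed; certificate validated"
CERT_REJECTED = "certificate presented but rejected by client (name mismatch / untrusted chain)"
CLOSED_BEFORE_HANDSHAKE = "server closed the connection during the handshake; no certificate presented"
HANDSHAKE_FAILED = "handshake failed for another reason (protocol/cipher mismatch, TLS alert)"
NO_RESPONSE = "no TCP connection or no reply within the timeout"


def classify_exception(exc):
    """Map the exception raised by the probe to one of the outcome labels.

    Order matters: SSLCertVerificationError and SSLEOFError subclass SSLError,
    and SSLError, ConnectionResetError and socket.timeout all subclass OSError.
    """
    if isinstance(exc, ssl.SSLCertVerificationError):
        return CERT_REJECTED
    if isinstance(exc, (ssl.SSLEOFError, ConnectionResetError, ConnectionAbortedError)):
        return CLOSED_BEFORE_HANDSHAKE
    if isinstance(exc, ssl.SSLError):
        return HANDSHAKE_FAILED
    if isinstance(exc, OSError):  # timeout, connection refused, unreachable host
        return NO_RESPONSE
    return HANDSHAKE_FAILED


def fetch_unverified_cert_pem(host, port, server_name, timeout):
    """Second pass with validation disabled, used only to record what the server sent."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)


def probe_tls(host, port, server_name=None, timeout=5.0):
    """Connect, attempt a fully validated TLS handshake, and report the outcome."""
    server_name = server_name or host
    # Default context validates the chain against the local trust store and checks the name.
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                cert = tls.getpeercert()
                return {
                    "outcome": OK,
                    "protocol": tls.version(),
                    "subject": cert.get("subject"),
                    "subjectAltName": cert.get("subjectAltName"),
                }
    except Exception as exc:
        result = {"outcome": classify_exception(exc), "error": repr(exc)}
    if result["outcome"] == CERT_REJECTED:
        # The server does present a certificate; capture it so the mismatch can be inspected offline.
        try:
            result["presented_cert_pem"] = fetch_unverified_cert_pem(host, port, server_name, timeout)
        except OSError:
            result["presented_cert_pem"] = None
    return result


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for key, value in probe_tls(host, port).items():
        print(f"{key}: {value}")
```

Run it as `python probe.py owa.example.com 999` (hostname constructed). The CLOSED_BEFORE_HANDSHAKE outcome is the one that matches the question: nothing reaches the IIS access or error logs because, as Sembee notes, the secure channel is never established, so the server-side certificate binding (a certificate without its private key, or a broken issued certificate) is where to look rather than trust or name mismatch.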
LVL 2

Author Comment

by:jaredcall
I'm using non-standard ports because the standard ports are in use by OWA, which exhibits the same symptoms if I tell it to use this cert.

I did test it on another machine, and happened to choose a machine with other IIS issues causing it not to work even over HTTP, but that's another problem.

There is nothing indicative of a problem in the Event Log, nor in the HTTP error logs.  In fact, nothing shows up in the error or access logs at all for the failed requests.

I'll test on another machine and see what happens.
LVL 104

Expert Comment

by:Sembee
A broken SSL certificate will not log anything because the secure channel isn't created. Therefore I am not surprised that you are not seeing anything in the logs.

Simon.
LVL 2

Author Comment

by:jaredcall
Re-keyed the cert and all is well. Never did figure out what was wrong with the originally issued one.

Thanks.