Solved

SSL works with self-signed cert, fails with GoDaddy cert

Posted on 2007-12-05
922 Views
Last Modified: 2009-07-29
2003 R2 server running Exchange 2007
OWA is running successfully with self-signed cert.
When I tried to switch to the GoDaddy SAN cert I'd imported using the Exchange Management Shell, OWA stopped working.  It was ok as soon as I switched back to the self-signed cert.

So, I created a 2nd website, just to test, on the same server running as follows:
 HTTP:  port 99
 HTTPS: port 999

Both sites are running on all available IP addresses with no host restrictions.

HTTP works fine on port 99.  HTTPS works fine on port 999, so long as I use the self-signed cert.

As soon as I switch to the GoDaddy cert HTTPS stops working for that website.  I get the following error in IE:

"Internet Explorer cannot display the webpage
   
   Most likely causes:
You are not connected to the Internet.
The website is encountering problems.
There might be a typing error in the address. "

The self-signed cert and the GoDaddy cert both serve the same DNS name.  In other words, it's not a host name mismatch.  Even if it were, I'd expect the cert to be presented with a warning rather than not be presented to the browser at all.

A packet trace shows a successful 3-way handshake to set up a TCP connection on port 999, which is subsequently shut down gracefully (from a TCP perspective) with a FIN, FIN-ACK sequence.  Something is going on at the application level.

As soon as I switch back to the self-signed cert, it starts working again.

I have successfully imported the GoDaddy intermediate cert using MMC, and it shows up in the Intermediate Certification Authorities certificate list.

I did create the CSR for this cert on one machine (which now has apparently unrelated IIS issues) with the Exchange Management Shell and originally imported it on that box.  I exported it from there as a PFX, including the private key, and successfully imported it to the new server (where I'm currently having problems) with the Exchange Management Shell.  There were no errors on the certificate import in the shell.

Any ideas why IIS doesn't like this cert?
Question by: jaredcall
4 Comments
 
LVL 104

Accepted Solution

by:
Sembee earned 500 total points
ID: 20415698
Why are you trying to use non-standard ports?
Exchange is pretty hard-coded to use ports 80 and 443; trying to use non-standard ports will usually fail.

Have you tested the certificate on another machine? It is not unusual to get suspect certificates from suppliers, which means they have to be reissued.

Simon.
 
LVL 2

Author Comment

by:jaredcall
ID: 20415871
I'm using non-standard ports because the standard ports are in use by OWA, which exhibits the same symptoms if I tell it to use this cert.

I did test it on another machine, and happened to choose a machine with other IIS issues causing it not to work even over HTTP, but that's another problem.

There is nothing indicative of a problem in the Event Log, nor in the HTTP error logs.  In fact, nothing shows up in the error or access logs at all for the failed requests.

I'll test on another machine and see what happens.
 
LVL 104

Expert Comment

by:Sembee
ID: 20416314
A broken SSL certificate will not log anything because the secure channel isn't created. Therefore I am not surprised that you are not seeing anything in the logs.

Simon.
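Added example, not code from the thread or from Exchange: the checks a practitioner would run on the server to follow up Simon's two points above, testing the certificate itself and confirming why nothing reaches the IIS logs. It verifies that the imported cert has a readable private key, builds its chain from the local stores (where the GoDaddy intermediate should be found), and then probes the HTTPS listener as a client so that "TCP connects, then the server closes the connection" shows up as a distinct failure from "no listener" or "handshake completes but the wrong cert is served". The host name mail.example.com and port 999 are placeholders, and it assumes PowerShell 2.0 or later (the scriptblock-to-delegate cast in the probe does not work on 1.0), run as an administrator on the server.

```powershell
# Added example, not code from the thread. Checks a server certificate the way
# an admin would after the symptom above: private key present and readable,
# chain builds from the local stores, and the HTTPS listener actually serves it.
# Assumptions: mail.example.com and port 999 are placeholders; PowerShell 2.0+;
# run as an administrator on the server so machine-store key containers are readable.

$HostName = 'mail.example.com'   # assumed: a DNS name on the SAN cert
$Port     = 999                  # assumed: the test site's HTTPS port

# 1. Pick the newest unexpired cert in the machine Personal store whose subject
#    carries the name. For a SAN cert whose CN differs, select by thumbprint instead.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$HostName*" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No unexpired certificate for $HostName in LocalMachine\My" }
"Store cert : $($cert.Thumbprint) $($cert.Subject)"
"Issuer     : $($cert.Issuer)"

# 2. A PFX import that lost its key, or a key container the listener cannot open,
#    gives the symptom in the thread: TCP connects, then FIN, no ServerHello,
#    and no IIS log line because no secure channel was ever established.
if (-not $cert.HasPrivateKey) { throw 'No private key attached; re-import the PFX with the key or re-key the cert' }
try   { $key = $cert.PrivateKey }
catch { throw "Private key flagged but not readable from this account: $($_.Exception.Message)" }
if (-not $key) { throw 'Private key flagged but the key container is missing' }
"Private key: $($key.KeySize)-bit, container readable"

# 3. Build the chain the server will present. A missing intermediate or an
#    untrusted root appears here as a ChainStatus entry, which a browser would
#    report as a warning rather than as a dropped connection.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep the check offline; revocation is a separate concern
$built = $chain.Build($cert)
foreach ($el in $chain.ChainElements) { "Chain      : $($el.Certificate.Subject)" }
if (-not $built) {
    foreach ($s in $chain.ChainStatus) { "Chain fail : $($s.Status) $($s.StatusInformation.Trim())" }
}

# 4. Probe the listener as a client. Three outcomes map to three causes:
#    connect fails                  -> nothing bound on the port
#    connect ok, handshake IO error -> server dropped the connection while
#                                      handshaking (the FIN in the packet trace)
#    handshake ok                   -> compare the served thumbprint with the store cert
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($HostName, $Port)
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }  # inspect, do not block
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($HostName)
    $served = $ssl.RemoteCertificate.GetCertHashString()
    "Handshake  : OK, $($ssl.SslProtocol), served thumbprint $served"
    if ($served -ne $cert.Thumbprint) {
        "WARNING    : listener serves a different certificate than the one checked above"
    }
} catch {
    "Handshake  : FAILED - $($_.Exception.GetBaseException().Message)"
} finally {
    $tcp.Close()
}
```

Read the output from the top: a failure in step 2 points at the exported PFX or the key container's permissions (the service account running the site must be able to open it), a failure in step 3 at the intermediate or root stores, and a transport error in step 4 after a successful connect is the same thing the packet trace showed, a server that gives up before sending any TLS record. Step 4 accepts any certificate on purpose so that the served thumbprint can be compared with the one in the store; do not reuse that callback outside a diagnostic.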
 
LVL 2

Author Comment

by:jaredcall
ID: 20425539
Re-keyed the cert and all is well.  Never did figure out what was wrong with the originally issued one.

Thanks.
