Solved

SSL works with self-signed cert, fails with GoDaddy cert

Posted on 2007-12-05
Last Modified: 2009-07-29
2003 R2 server running Exchange 2007
OWA is running successfully with self-signed cert.
When I tried to switch to the GoDaddy SAN cert I'd imported using the Exchange Management Shell, OWA stopped working.  It was OK as soon as I switched back to the self-signed cert.  

So, I created a 2nd website, just to test, on the same server running as follows:
 HTTP:  port 99
 HTTPS: port 999

Both sites are running on all available IP addresses with no host restrictions.

HTTP works fine on port 99.  HTTPS works fine on port 999, so long as I use the self-signed cert.

As soon as I switch to the GoDaddy cert HTTPS stops working for that website.  I get the following error in IE:

"Internet Explorer cannot display the webpage
   
   Most likely causes:
You are not connected to the Internet.
The website is encountering problems.
There might be a typing error in the address. "

The self-signed cert and the GoDaddy cert both serve the same DNS name.  In other words, it's not a host name mismatch.  Even if it were, I'd expect the cert to be presented with a warning rather than not be presented to the browser at all.

A packet trace shows a successful 3-way handshake to set up a TCP connection on port 999, which is subsequently shut down gracefully (from a TCP perspective) with a FIN, FIN-ACK sequence.  Something is going on at the application level.

As soon as I switch back to the self-signed cert, it starts working again.

I have successfully imported the GoDaddy intermediate cert using MMC, and it shows up in the Intermediate Certification Authorities certificate list.

I did create the CSR for this cert on one machine (which now has apparently unrelated IIS issues) with the Exchange Management Shell and originally imported it on that box.  I exported it from there as a PFX, including the private key, and successfully imported it to the new server (where I'm currently having problems) with the Exchange Management Shell.  There were no errors on the certificate import in the shell.

Any ideas why IIS doesn't like this cert?
Question by: jaredcall

Accepted Solution by: Sembee
Why are you trying to use non-standard ports?
Exchange is pretty hard-coded to use ports 80 and 443; trying to use non-standard ports will usually fail.

Have you tested the certificate on another machine? It is not unusual to get suspect certificates from suppliers, which means they have to be reissued.

Simon.

Author Comment by: jaredcall
I'm using non-standard ports because the standard ports are in use by OWA, which exhibits the same symptoms if I tell it to use this cert.

I did test it on another machine, and happened to choose a machine with other IIS issues causing it not to work even over HTTP, but that's another problem.

There is nothing indicative of a problem in the Event Log, nor in the HTTP error logs.  In fact, nothing shows up in the error or access logs at all for the failed requests.

I'll test on another machine and see what happens.

Expert Comment by: Sembee
A broken SSL certificate will not log anything because the secure channel isn't created. Therefore I am not surprised that you are not seeing anything in the logs.

Simon.
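The two observations in this thread, the packet trace showing a clean TCP handshake followed immediately by a FIN with no TLS records in between (question above), and Simon's point that a broken certificate leaves nothing in the HTTP logs because the secure channel is never created, can be told apart from an ordinary certificate warning with a small probe that reports how far the TLS handshake gets. The following is an added example, not code from the original thread or from either poster; it runs against a constructed local stub that imitates the failing site (closing the connection right after accept, or answering with a TLS alert), so the host names, the server name `owa.example.test`, and the ports are assumptions chosen for the demonstration.

```python
"""Probe an HTTPS port and report how far the TLS handshake gets.

Added example for the diagnosis in the thread; not code from the original
posts.  The stub server, host names and ports below are constructed for the
demonstration.
"""
import socket
import ssl
import threading


def probe_https(host, port, server_name=None, timeout=5.0):
    """Connect over TCP, attempt a TLS handshake with browser-like validation
    (chain and host name), and return a short diagnosis string:

      'refused'            nothing listening (SYN answered with RST)
      'timeout'            no SYN-ACK, or no handshake reply in time
      'closed_before_tls'  TCP connected, then the peer closed (FIN/RST) without
                           ever sending a ServerHello: no certificate reached
                           the client and no request reached the web server's
                           logs -- the symptom described in the thread
      'alert:<reason>'     the server spoke TLS but rejected the handshake
      'cert_rejected'      a certificate was presented but fails validation on
                           the client (name mismatch, unknown CA, expired): the
                           case a browser shows as a warning page, not a blank
                           "cannot display the webpage" error
      'ok'                 full handshake, certificate accepted
    """
    server_name = server_name or host
    ctx = ssl.create_default_context()   # CERT_REQUIRED plus host-name check
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    try:
        with ctx.wrap_socket(raw, server_hostname=server_name):
            return "ok"
    except ssl.SSLCertVerificationError:
        return "cert_rejected"
    except (ssl.SSLEOFError, ConnectionResetError, ConnectionAbortedError,
            BrokenPipeError):
        return "closed_before_tls"
    except socket.timeout:
        return "timeout"
    except ssl.SSLError as exc:
        # Different OpenSSL builds report the same two conditions under
        # slightly different names; normalise on the reason text.
        reason = (exc.reason or str(exc)).upper()
        if "EOF" in reason or "RESET" in reason:
            return "closed_before_tls"
        if "ALERT" in reason:
            return "alert:" + reason.lower()
        return "ssl_error:" + reason.lower()
    except OSError as exc:
        return "socket_error:" + (exc.strerror or str(exc))
    finally:
        raw.close()


def start_stub_server(behaviour):
    """Constructed stand-in for the failing IIS site, listening on 127.0.0.1.

    behaviour='close': accept, then close at once -- the FIN/RST straight after
                       the three-way handshake seen in the packet trace.
    behaviour='alert': read the ClientHello, answer with a fatal TLS
                       handshake_failure alert, then close.
    Returns the ephemeral port number the stub is listening on.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                if behaviour == "alert":
                    conn.recv(4096)  # the client's ClientHello
                    # TLS record: type 21 (alert), version 3.3, length 2,
                    # level 2 (fatal), description 40 (handshake_failure)
                    conn.sendall(b"\x15\x03\x03\x00\x02\x02\x28")
                # 'close': leaving the block closes the socket immediately

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port():
    """Pick a local port with nothing listening, to show the 'refused' case."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    for mode in ("close", "alert"):
        port = start_stub_server(mode)
        print(mode, "->", probe_https("127.0.0.1", port, server_name="owa.example.test"))
    print("nothing listening ->", probe_https("127.0.0.1", unused_port()))
    # Against the site in the thread the call would look like (assumed name):
    #   probe_https("mail.example.com", 999, server_name="mail.example.com")
```

Run against the real server, a result of `closed_before_tls` confirms what the trace showed: the TLS layer on the server never produced a ServerHello, so the certificate was never offered and nothing reaches the IIS access or error logs. A result of `cert_rejected` instead means the server did present a certificate and the problem is on the validation side, which is the case that shows up in a browser as a warning rather than as a blank error page.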

Author Comment by: jaredcall
Re-keyed the cert and all is well.  Never did figure out what was wrong with the originally issued one.

Thanks.