Link to home
Create AccountLog in
Avatar of if5sam
if5sam

asked on

IIS 7 SSL Bindings Stop Working on Server Restart

We have a number of websites running on IIS 7.0 on a Windows Server 2008 Web edition.

We have purchased a wildcard SSL certificate (*.ourdomain.com) and used this for a number of sites. E.g. site1.ourdomain.com, site2.ourdomain.com and so on. We are using hostheader bindings.

This works fine. However, when we re-start the server all these sites stop working, and do not start working again until we edit the bindings for one of the ssl sites. This causes them all to start working again.

The only SSL sites on that server are all in the same *.ourdomain.com. There are also some non-SSL sites on the same server and IP. One has a different domain name. However, removing this binding does not solve the problem.
Avatar of meverest
meverest
Flag of Australia image

sounds like maybe one of the sites has a rule that is too general and preventing the others from starting.

if there are not too many sites, go through each of them in detail and check the serverbindings properties.

also, look in the event viewer application log for clues.

Cheers.
Avatar of if5sam
if5sam

ASKER

Found two errors in the System Event log, which occur upon reboot.

Event 15021, 'An error occured while using SSL configuration for socket address 192.168.100.104:443.  The error status code is contained within the returned data.'

Event 15016, 'Unable to initialize the security package Kerberos for server side authentication.  The data field contains the error number.'
Avatar of if5sam

ASKER

All the bindings for SSL are for *.ourdomain.com and for the same IP address.

There are some other bindings for HTTP, but this should not cause a problem?
>> Event 15021, 'An error occured while using SSL configuration for socket address 192.168.100.104:443.  The error
>> status code is contained within the returned data.'

That one looks related.  This is a good place to start.  Any other data that goes with this error?  (is that IP address the web server host?)

>> All the bindings for SSL are for *.ourdomain.com and for the same IP address.

Yes, this is probably the issue.  You see, every web site must be uniquely identifiable for that to work.  When all sites have the same IP address and the same port, then you only have the hostname to distinguish between them.  If two or more web sites have the same hostname set in securebindings, or no hostname defined at all, then you will run into trouble.

At this stage, until you explicitly rule it out, then that is the most likely cause of your problem.

>> There are some other bindings for HTTP, but this should not cause a problem?

I would not expect so.  Does http work ok even when https fails?

Cheers.
Avatar of if5sam

ASKER

>>  (is that IP address the web server host?)
Yes. That is its internal address.

>> Yes, this is probably the issue.  You see, every web site must be uniquely
>> identifiable for that to work.
This is where I run into trouble. Each SSL certificate should be associated with a single endpoing (IP - Port combination). The SSL certificate is a wildcard, *.ourdomain.com, and all the SSL sites are subdomains - e.g. domain1.ourdomain.com.

This should work. In fact, it does work! But it stops working on reboot, until you edit a binding (any of the SSL bindings) and then edit them back.

In terms of the errors, this is the attached data

+ System

  - Provider

   [ Name]  Microsoft-Windows-HttpEvent
   [ Guid]  {7b6bc78c-898b-4170-bbf8-1a469ea43fc5}
   [ EventSourceName]  HTTP
 
  - EventID 15021

   [ Qualifiers]  49152
 
   Version 0
 
   Level 2
 
   Task 0
 
   Opcode 0
 
   Keywords 0x80000000000000
 
  - TimeCreated

   [ SystemTime]  2008-08-09T13:01:19.709Z
 
   EventRecordID 13033
 
   Correlation
 
  - Execution

   [ ProcessID]  4
   [ ThreadID]  88
 
   Channel System
 
   Computer [SNIP]
 
   Security
 

- EventData

  DeviceObject \Device\Http\ReqQueue
  SocketAddress 192.168.100.104:443
   000004000200300000000000AD3A00C00000000000000000000000000000000000000000000000005F0000C0


--------------------------------------------------------------------------------

Binary data:


In Words

0000: 00040000 00300002 00000000 C0003AAD
0008: 00000000 00000000 00000000 00000000
0010: 00000000 00000000 C000005F  


In Bytes

0000: 00 00 04 00 02 00 30 00   ......0.
0008: 00 00 00 00 AD 3A 00 C0   ....­:.À
0010: 00 00 00 00 00 00 00 00   ........
0018: 00 00 00 00 00 00 00 00   ........
0020: 00 00 00 00 00 00 00 00   ........
0028: 5F 00 00 C0               _..À

>> This is where I run into trouble. Each SSL certificate should be associated with a single endpoing (IP - Port
>> combination). The SSL certificate is a wildcard, *.ourdomain.com, and all the SSL sites are subdomains - e.g.
>> domain1.ourdomain.com.

yes, every IP:Port combination must match a single cert, BUT IIS still needs to determine which web site to find the content.  It does this by matching the hostname included in the http/1.1 header against the hostnames defined in IIS serverbindings.  Once the request data has been decrypted, it is essentially exactly the same as normal http host headers.

Since you have multiple web sites configured to use the same IP:Port/cert, then you MUST define a UNIQUE host header for EVERY site.  If you have any of them that have host headers undefined, or if you have accidentally made two of them the same, then this behaviour will result.

When IIS starts up after a reboot, then it will naturally attempt to load up all web sites at the same time.  If there is some conflict, then it will fail the lot of them.  When you start them one at a time, they will all load up until it finds one with a conflict - in which case it will probably just fail to start the https socket on that site, which may be why you do not see any error.

That is my suspicion, anyway.  If I had this sort of behaviour, I would be going through the configs with that in mind to see if anything stands out.

good luck! ;-)

Cheers!
Avatar of if5sam

ASKER

I went through the config, both in the MMC and in the actual XML file. There are no generic bindings on port 443.

In fact there is a unique host header for every site, including the sites bound to port 443. Thanks for the suggestion though.
ASKER CERTIFIED SOLUTION
Avatar of if5sam
if5sam

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
Avatar of if5sam

ASKER

Sorry, that last post should have said 'suggested causes above' not 'problems above'.
We ran into a simular issue and it turns out the issue was the Networks Solution certificate not the wildcard. Because Microsoft does not have the intermediates Certs from Networksolutions on the server you need to install them UTNAddTrustServer_CA.crt, NetworkSolutions_CA.crt The root certificate AddTrustExternalCARoot.crt.

Start -> mmc -> File -> add/remove snapin -> Certificates then select Computer Account, local computer.

Right click on Trusted Root Certificates and Import the other certs. Allow the Wizard to choose the location.