if5sam
asked on
IIS 7 SSL Bindings Stop Working on Server Restart
We have a number of websites running on IIS 7.0 on a Windows Server 2008 Web edition.
We have purchased a wildcard SSL certificate (*.ourdomain.com) and used this for a number of sites. E.g. site1.ourdomain.com, site2.ourdomain.com and so on. We are using hostheader bindings.
This works fine. However, when we re-start the server all these sites stop working, and do not start working again until we edit the bindings for one of the ssl sites. This causes them all to start working again.
The only SSL sites on that server are all in the same *.ourdomain.com. There are also some non-SSL sites on the same server and IP. One has a different domain name. However, removing this binding does not solve the problem.
We have purchased a wildcard SSL certificate (*.ourdomain.com) and used this for a number of sites. E.g. site1.ourdomain.com, site2.ourdomain.com and so on. We are using hostheader bindings.
This works fine. However, when we re-start the server all these sites stop working, and do not start working again until we edit the bindings for one of the ssl sites. This causes them all to start working again.
The only SSL sites on that server are all in the same *.ourdomain.com. There are also some non-SSL sites on the same server and IP. One has a different domain name. However, removing this binding does not solve the problem.
ASKER
Found two errors in the System Event log, which occur upon reboot.
Event 15021, 'An error occured while using SSL configuration for socket address 192.168.100.104:443. The error status code is contained within the returned data.'
Event 15016, 'Unable to initialize the security package Kerberos for server side authentication. The data field contains the error number.'
Event 15021, 'An error occured while using SSL configuration for socket address 192.168.100.104:443. The error status code is contained within the returned data.'
Event 15016, 'Unable to initialize the security package Kerberos for server side authentication. The data field contains the error number.'
ASKER
All the bindings for SSL are for *.ourdomain.com and for the same IP address.
There are some other bindings for HTTP, but this should not cause a problem?
There are some other bindings for HTTP, but this should not cause a problem?
>> Event 15021, 'An error occured while using SSL configuration for socket address 192.168.100.104:443. The error
>> status code is contained within the returned data.'
That one looks related. This is a good place to start. Any other data that goes with this error? (is that IP address the web server host?)
>> All the bindings for SSL are for *.ourdomain.com and for the same IP address.
Yes, this is probably the issue. You see, every web site must be uniquely identifiable for that to work. When all sites have the same IP address and the same port, then you only have the hostname to distinguish between them. If two or more web sites have the same hostname set in securebindings, or no hostname defined at all, then you will run into trouble.
At this stage, until you explicitly rule it out, then that is the most likely cause of your problem.
>> There are some other bindings for HTTP, but this should not cause a problem?
I would not expect so. Does http work ok even when https fails?
Cheers.
>> status code is contained within the returned data.'
That one looks related. This is a good place to start. Any other data that goes with this error? (is that IP address the web server host?)
>> All the bindings for SSL are for *.ourdomain.com and for the same IP address.
Yes, this is probably the issue. You see, every web site must be uniquely identifiable for that to work. When all sites have the same IP address and the same port, then you only have the hostname to distinguish between them. If two or more web sites have the same hostname set in securebindings, or no hostname defined at all, then you will run into trouble.
At this stage, until you explicitly rule it out, then that is the most likely cause of your problem.
>> There are some other bindings for HTTP, but this should not cause a problem?
I would not expect so. Does http work ok even when https fails?
Cheers.
ASKER
>> (is that IP address the web server host?)
Yes. That is its internal address.
>> Yes, this is probably the issue. You see, every web site must be uniquely
>> identifiable for that to work.
This is where I run into trouble. Each SSL certificate should be associated with a single endpoing (IP - Port combination). The SSL certificate is a wildcard, *.ourdomain.com, and all the SSL sites are subdomains - e.g. domain1.ourdomain.com.
This should work. In fact, it does work! But it stops working on reboot, until you edit a binding (any of the SSL bindings) and then edit them back.
In terms of the errors, this is the attached data
+ System
- Provider
[ Name] Microsoft-Windows-HttpEven t
[ Guid] {7b6bc78c-898b-4170-bbf8-1 a469ea43fc 5}
[ EventSourceName] HTTP
- EventID 15021
[ Qualifiers] 49152
Version 0
Level 2
Task 0
Opcode 0
Keywords 0x80000000000000
- TimeCreated
[ SystemTime] 2008-08-09T13:01:19.709Z
EventRecordID 13033
Correlation
- Execution
[ ProcessID] 4
[ ThreadID] 88
Channel System
Computer [SNIP]
Security
- EventData
DeviceObject \Device\Http\ReqQueue
SocketAddress 192.168.100.104:443
000004000200300000000000AD 3A00C00000 0000000000 0000000000 0000000000 0000000000 00005F0000 C0
-------------------------- ---------- ---------- ---------- ---------- ---------- ----
Binary data:
In Words
0000: 00040000 00300002 00000000 C0003AAD
0008: 00000000 00000000 00000000 00000000
0010: 00000000 00000000 C000005F
In Bytes
0000: 00 00 04 00 02 00 30 00 ......0.
0008: 00 00 00 00 AD 3A 00 C0 ....:.À
0010: 00 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 5F 00 00 C0 _..À
Yes. That is its internal address.
>> Yes, this is probably the issue. You see, every web site must be uniquely
>> identifiable for that to work.
This is where I run into trouble. Each SSL certificate should be associated with a single endpoing (IP - Port combination). The SSL certificate is a wildcard, *.ourdomain.com, and all the SSL sites are subdomains - e.g. domain1.ourdomain.com.
This should work. In fact, it does work! But it stops working on reboot, until you edit a binding (any of the SSL bindings) and then edit them back.
In terms of the errors, this is the attached data
+ System
- Provider
[ Name] Microsoft-Windows-HttpEven
[ Guid] {7b6bc78c-898b-4170-bbf8-1
[ EventSourceName] HTTP
- EventID 15021
[ Qualifiers] 49152
Version 0
Level 2
Task 0
Opcode 0
Keywords 0x80000000000000
- TimeCreated
[ SystemTime] 2008-08-09T13:01:19.709Z
EventRecordID 13033
Correlation
- Execution
[ ProcessID] 4
[ ThreadID] 88
Channel System
Computer [SNIP]
Security
- EventData
DeviceObject \Device\Http\ReqQueue
SocketAddress 192.168.100.104:443
000004000200300000000000AD
--------------------------
Binary data:
In Words
0000: 00040000 00300002 00000000 C0003AAD
0008: 00000000 00000000 00000000 00000000
0010: 00000000 00000000 C000005F
In Bytes
0000: 00 00 04 00 02 00 30 00 ......0.
0008: 00 00 00 00 AD 3A 00 C0 ....:.À
0010: 00 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 5F 00 00 C0 _..À
>> This is where I run into trouble. Each SSL certificate should be associated with a single endpoing (IP - Port
>> combination). The SSL certificate is a wildcard, *.ourdomain.com, and all the SSL sites are subdomains - e.g.
>> domain1.ourdomain.com.
yes, every IP:Port combination must match a single cert, BUT IIS still needs to determine which web site to find the content. It does this by matching the hostname included in the http/1.1 header against the hostnames defined in IIS serverbindings. Once the request data has been decrypted, it is essentially exactly the same as normal http host headers.
Since you have multiple web sites configured to use the same IP:Port/cert, then you MUST define a UNIQUE host header for EVERY site. If you have any of them that have host headers undefined, or if you have accidentally made two of them the same, then this behaviour will result.
When IIS starts up after a reboot, then it will naturally attempt to load up all web sites at the same time. If there is some conflict, then it will fail the lot of them. When you start them one at a time, they will all load up until it finds one with a conflict - in which case it will probably just fail to start the https socket on that site, which may be why you do not see any error.
That is my suspicion, anyway. If I had this sort of behaviour, I would be going through the configs with that in mind to see if anything stands out.
good luck! ;-)
Cheers!
>> combination). The SSL certificate is a wildcard, *.ourdomain.com, and all the SSL sites are subdomains - e.g.
>> domain1.ourdomain.com.
yes, every IP:Port combination must match a single cert, BUT IIS still needs to determine which web site to find the content. It does this by matching the hostname included in the http/1.1 header against the hostnames defined in IIS serverbindings. Once the request data has been decrypted, it is essentially exactly the same as normal http host headers.
Since you have multiple web sites configured to use the same IP:Port/cert, then you MUST define a UNIQUE host header for EVERY site. If you have any of them that have host headers undefined, or if you have accidentally made two of them the same, then this behaviour will result.
When IIS starts up after a reboot, then it will naturally attempt to load up all web sites at the same time. If there is some conflict, then it will fail the lot of them. When you start them one at a time, they will all load up until it finds one with a conflict - in which case it will probably just fail to start the https socket on that site, which may be why you do not see any error.
That is my suspicion, anyway. If I had this sort of behaviour, I would be going through the configs with that in mind to see if anything stands out.
good luck! ;-)
Cheers!
ASKER
I went through the config, both in the MMC and in the actual XML file. There are no generic bindings on port 443.
In fact there is a unique host header for every site, including the sites bound to port 443. Thanks for the suggestion though.
In fact there is a unique host header for every site, including the sites bound to port 443. Thanks for the suggestion though.
ASKER CERTIFIED SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
ASKER
Sorry, that last post should have said 'suggested causes above' not 'problems above'.
We ran into a simular issue and it turns out the issue was the Networks Solution certificate not the wildcard. Because Microsoft does not have the intermediates Certs from Networksolutions on the server you need to install them UTNAddTrustServer_CA.crt, NetworkSolutions_CA.crt The root certificate AddTrustExternalCARoot.crt .
Start -> mmc -> File -> add/remove snapin -> Certificates then select Computer Account, local computer.
Right click on Trusted Root Certificates and Import the other certs. Allow the Wizard to choose the location.
Start -> mmc -> File -> add/remove snapin -> Certificates then select Computer Account, local computer.
Right click on Trusted Root Certificates and Import the other certs. Allow the Wizard to choose the location.
if there are not too many sites, go through each of them in detail and check the serverbindings properties.
also, look in the event viewer application log for clues.
Cheers.