
IIS (Server 2012): binding fails when binding a renewed certificate

Last Modified: 2017-05-30
A specified logon session does not exist. it may already have been terminated. (exception from HRESULT:0x80070520)
I have searched extensively on the internet but so far have not found something that works.
iiserror.PNG

Dan McFadden, Technical Lead - Active Directory
CERTIFIED EXPERT

Commented:
1. What CA is the certificate from?
2. Do you have the password for the certificate?
3. Do you have the certificate in .PFX file format?

Dan
Imran Samuel, IT Technician

Author

Commented:
The CA is GoDaddy.
As far as I know there is no password associated with the certificate.
There is an intermediate and the actual cert (two files):
-e8b120bc990XX6.crt
-gd-XXXX_iis_intermediates.p7b (PKCS)
I have followed these instructions.
https://nl.godaddy.com/help/iis-8-install-a-certificate-4951

I have done this twice in the past with the original cert. However, after renewing the cert this time around, the process yields this error.
Dan McFadden, Technical Lead - Active Directory
CERTIFIED EXPERT

Commented:
- Is the old certificate still on the server?
- Can you export the certificate from the server?

Dan
Imran Samuel, IT Technician

Author

Commented:
- Is the old certificate still on the server? I deleted it using the MMC.
- Can you export the certificate from the server? I've deleted it already, one of the many things that I have tried to get this to work.
Dan McFadden, Technical Lead - Active Directory
CERTIFIED EXPERT

Commented:
OK, can you export the new certificate from the server?

Dan
Imran Samuel, IT Technician

Author

Commented:
I believe I can, though I have never done this before.
Dan McFadden, Technical Lead - Active Directory
CERTIFIED EXPERT

Commented:
I would try the following:

1. Export the new certificate (follow the process; it's wizard-driven).
2. Delete the new certificate from the server.
3. Do an IISRESET from an Admin Console.
4. Verify that the site is working without the SSL cert.
5. Import the SSL cert.
6. Add the https binding to the site.
7. Verify the site is working with SSL.

Dan
Imran Samuel, IT Technician

Author

Commented:
The export worked OK.
When I try to import the cert, I get an error: "Certificate does not contain a private key".
Imran Samuel, IT Technician

Author

Commented:
I attempted these steps but had no success; it only resulted in more errors.
GoDaddy has an intermediate cert and also the actual cert, so the steps are not exactly the same.
https://www.godaddy.com/help/install-ssl-certificates-16623

However, I tried both; neither worked. I'm not sure if I am not doing something right.
Dan McFadden, Technical Lead - Active Directory
CERTIFIED EXPERT

Commented:
What files did you receive from GoDaddy after you renewed the certificate?

Also, how exactly did you "renew" this SSL cert (what procedure did you follow)?

Dan
Imran Samuel, IT Technician

Author

Commented:
See attached for file names: a .crt file and a .p7b file.
The website was working well before the cert was renewed with GoDaddy.
After renewing the cert with GoDaddy (the current cert was three years old and was going to expire), the site stopped working. That is because the renewed cert had to be installed.
cert-files.jpg
Dan McFadden, Technical Lead - Active Directory
CERTIFIED EXPERT

Commented:
I would read through this article and verify the permissions on the path mentioned.

Link: https://blogs.msdn.microsoft.com/asiatech/2010/08/12/got-error-0x80070520-when-binding-certificate-to-web-site-on-iis-7/

Dan
Imran Samuel, IT Technician

Author

Commented:
I've followed this doc and double-checked the permissions, and given full rights, but the problem persists.
Dan McFadden, Technical Lead - Active Directory
CERTIFIED EXPERT

Commented:
Have you attempted to recreate the cert private key as mentioned in the links posted above?

Dan
Imran Samuel, IT Technician

Author

Commented:
Yes, that resulted in the access denied error, for which you pointed me to the MS KB article referring me to the security on the Microsoft\RSA\MachineKeys folder.
Imran Samuel, IT Technician

Author

Commented:
Also, of the two files I received from GoDaddy, which file should I import?
According to your guidelines that would be the .p7b file; however, according to GoDaddy's instructions this should go into the Intermediate Certification Authorities container (store) and not in the Personal container (store).
Dan McFadden, Technical Lead - Active Directory
CERTIFIED EXPERT

Commented:
You should import both files into their respective stores. If the intermediate certificate already installed is still valid, then you could skip that cert.

It's important to note that you need to connect to the computer store, not the user store. Each store has the same structure, though the computer store has 1 or 2 additional objects where certs can be installed.

I defer to GoDaddy's instructions, especially since this is not one of the servers that I administer.

Dan
Imran Samuel, IT Technician

Author

Commented:
Dear Dan,

Thanks for your assistance. The problem was resolved:

1. Delete the certs from both the Intermediate and Personal stores.
2. Create a new CSR (IIS > Server Certificates), along with a private key.
I used the instructions at this URL:

https://docs.druva.com/Knowledge_Base/inSync/How_To/Using_Microsoft_IIS_to_generate_CSR_and_Private_Key

3. From the GoDaddy "Manage" SSL console, rekey the cert and wait until the certs are re-issued.

4. Import the certs as per GoDaddy's instructions into both the Intermediate and Personal stores.
5. Complete the request in IIS.

You helped solve this problem by indicating clearly that the private key was missing; what I did not know was how to create the private key.

Thanks again
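The whole thread turns on one question that is hard to answer from the MMC alone: does the certificate sitting in the computer's Personal store actually have a private key attached, or is it a bare .crt / intermediate that can never be bound? The following added PowerShell diagnostic is not from the thread, GoDaddy or Microsoft; it lists every certificate in LocalMachine\My with a verdict (CA cert misplaced, no private key, expired, or ready), shows the ACL on the MachineKeys folder that the 0x80070520 write-up points at, and, via the assumed `-RepairThumbprint` parameter, optionally asks certutil to re-link an orphaned machine key to its issued certificate.

```powershell
# Added diagnostic (not part of the thread). Run in an elevated PowerShell
# prompt on the IIS host. $RepairThumbprint is an assumed parameter.
param(
    [string]$RepairThumbprint = ""
)

function Get-IisCertReadiness {
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        # Basic Constraints tells us whether this is a CA (intermediate/root)
        # certificate, which belongs in another store and never gets a key here.
        $bc = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
        $isCa = ($null -ne $bc) -and $bc.CertificateAuthority

        $verdict = if ($isCa) {
            "Misplaced: CA cert, move to Intermediate/Root store"
        } elseif (-not $cert.HasPrivateKey) {
            "Unusable: no private key (CSR not completed here, or key lost)"
        } elseif ($cert.NotAfter -lt (Get-Date)) {
            "Expired: renew/rekey before binding"
        } else {
            "Ready for https binding"
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter.ToString("yyyy-MM-dd")
            Verdict    = $verdict
        }
    }
}

Get-IisCertReadiness | Format-Table -AutoSize

# The 0x80070520 article linked above blames ACLs on the machine key folder;
# list who can reach it so a missing SYSTEM/Administrators entry stands out.
$keyDir = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys"
(Get-Acl -Path $keyDir).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize

# Optional repair: when the CSR was generated on this machine the key usually
# still exists; certutil can re-associate it with the issued certificate.
if ($RepairThumbprint) {
    certutil -repairstore my $RepairThumbprint
}
```

A certificate that comes back "Unusable: no private key" and whose thumbprint certutil cannot repair is exactly the situation Imran hit: the only way forward is a fresh CSR from IIS, a rekey at the CA, and completing the request on the same machine.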
Dan McFadden, Technical Lead - Active Directory
CERTIFIED EXPERT

Commented:
Glad it was resolved!

Dan
Dan McFadden, Technical Lead - Active Directory
CERTIFIED EXPERT

Commented:
Imran Samuel indicated the source of the issue was identified.