Imran Samuel

IIS (Server 2012): binding fails when binding a renewed certificate

A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)
I have searched extensively on the internet but so far have not found something that works.
Microsoft IIS Web Server

Last Comment
Dan McFadden

8/22/2022 - Mon
Dan McFadden

1. What CA is the certificate from?
2. Do you have the password for the certificate?
3. Do you have the certificate in .PFX file format?

Dan
Imran Samuel

ASKER
CA is GoDaddy.
As far as I know there is no password associated with the certificate.
There is an intermediate and the actual cert (two files):
-e8b120bc990XX6.crt
-gd-XXXX_iis_intermediates.p7b (PKCS)
I have followed these instructions.
https://nl.godaddy.com/help/iis-8-install-a-certificate-4951

I have done this twice in the past with the original cert. However, after renewing the cert this time around, the process yields this error.
Dan McFadden

- Is the old certificate still on the server?
- Can you export the certificate from the server?

Dan
Imran Samuel

ASKER
Is the old certificate still on the server? --I deleted it using the MMC
- Can you export the certificate from the server? I've deleted it already, one of the many things that I have tried to get this to work
Dan McFadden

OK, can you export the new certificate from the server?

Dan
Imran Samuel

ASKER
I believe I can, though I have never done this before.
Dan McFadden

I would try the following.

1. export the new certificate (follow the process, it's wizard-driven)
2. delete the new certificate from the server
3. do an IISRESET from an Admin Console
4. verify that the site is working without the SSL Cert
5. import the SSL Cert
6. add the https binding to the site
7. verify the site is working with SSL

Dan
Imran Samuel

ASKER
The export worked OK.
When I try to import the cert
I get an error: "Certificate does not contain a private key"
ASKER CERTIFIED SOLUTION
Dan McFadden

Imran Samuel

ASKER
I attempted these steps but no success. It only resulted in more errors.
GoDaddy has an intermediate cert and also the actual cert, so the steps are not exactly the same.
https://www.godaddy.com/help/install-ssl-certificates-16623

However, I tried both and neither worked. I'm not sure if I am not doing something right.
Dan McFadden

What files did you receive from GoDaddy after you renewed the certificate?

Also, how exactly (what procedure did you follow) did you "renew" this SSL Cert?

Dan
Imran Samuel

ASKER
See attached for file names:
.crt file and .p7b file.
The website was working well before the cert was renewed with GoDaddy.
After renewing the cert with GoDaddy (the current cert was three years old and was going to expire), the site stopped working. That is because the renewed cert had to be installed.
Dan McFadden

I would read thru this article and verify the permissions on the path mentioned.

Link:  https://blogs.msdn.microsoft.com/asiatech/2010/08/12/got-error-0x80070520-when-binding-certificate-to-web-site-on-iis-7/

Dan
Imran Samuel

ASKER
I've followed this doc, I've double checked the permissions, and given full rights, but problem persists.
Dan McFadden

Have you attempted to recreate the cert private key as mentioned in the links posted above?

Dan
Imran Samuel

ASKER
Yes, that resulted in the access denied error, for which you pointed me to the MS KB article referring me to security on the microsoft\RAS\Machinekeys folder.
Imran Samuel

ASKER
Also, of the two files I received from GoDaddy, which file should I import?
According to your guidelines that would be the p7b file; however, according to GoDaddy's instructions this should go into the Intermediate Certification Authorities container (store) and not in the "Personal" container (store).
Dan McFadden

You should import both files into their respective stores.  If the Intermediate certificate installed is still valid, then you could skip the cert.

It's important to note that you need to connect to the computer store, not the user store.  Each store has the same structure, though the computer store has 1 or 2 additional objects where certs can be installed.

I defer to GoDaddy's instructions, especially since this is not one of the servers that I administer.

Dan
Imran Samuel

ASKER
Dear Dan,

Thanks for your assistance.  The problem was resolved,

1. Delete the certs from both intermediate and personal store.
2. Create a new CSR (IIS--server certificates), along with a private key
I used the instructions at this url

https://docs.druva.com/Knowledge_Base/inSync/How_To/Using_Microsoft_IIS_to_generate_CSR_and_Private_Key

3. From the GoDaddy "manage" SSL console, rekey the cert and wait until the certs are re-issued.

4. Import the certs as per the instructions at GoDaddy into both the intermediate and personal store.
5. Complete the request in IIS.

You helped solve this problem by indicating clearly that the private key was missing; what I did not know was how to create the private key.

Thanks again
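
Added example (not part of the original thread): the root cause found above was a certificate in the computer Personal store with no private key behind it. This PowerShell check lists each certificate in that store and reports whether its private key is present and can be opened, so the condition can be confirmed before creating an https binding. The function name `Test-CertPrivateKey` is hypothetical; it assumes an elevated PowerShell session on the IIS server and .NET Framework 4.6 or later.

```powershell
# Added example: audit the computer Personal store for certificates IIS cannot bind.
# Test-CertPrivateKey is a hypothetical helper name, not a built-in cmdlet.
function Test-CertPrivateKey {
    param(
        # Computer store (not the user store), as noted in the thread
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $usable = $false
        # Default verdict: the .crt was imported without a matching pending request/key
        $detail = 'no private key associated with this certificate'

        if ($cert.HasPrivateKey) {
            try {
                # Opens the key itself, so missing key files and ACL problems surface here.
                # GetRSAPrivateKey handles both CSP and CNG key storage (.NET 4.6+).
                $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($key) {
                    $usable = $true
                    $detail = 'private key present and readable'
                    $key.Dispose()
                } else {
                    $detail = 'private key is not RSA; not checked by this script'
                }
            } catch {
                # Store entry claims a key, but it could not be opened
                $detail = "private key linked but not accessible: $($_.Exception.Message)"
            }
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            KeyUsable  = $usable
            Detail     = $detail
        }
    }
}

# Show only the certificates that would fail when bound to a site
Test-CertPrivateKey | Where-Object { -not $_.KeyUsable } | Format-List
```

A renewed certificate that appears in this output with "no private key associated" matches the "Certificate does not contain a private key" import error reported earlier in the thread.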
Dan McFadden

Glad it was resolved!

Dan
Dan McFadden

Imran Samuel indicated the source of the issue was identified.