IIS (Server 2012): binding fails when binding a renewed certificate

A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)
I have searched extensively on the internet but so far have not found something that works.
iiserror.PNG
Imran Samuel, IT Technician, Asked:

Dan McFadden, Systems Engineer, Commented:
1. What CA is the certificate from?
2. Do you have the password for the certificate?
3. Do you have the certificate in .PFX file format?

Dan
0
Imran Samuel, IT Technician, Author Commented:
CA is GoDaddy.
As far as I know there is no password associated with the certificate.
There is an intermediate and the actual cert (two files):
-e8b120bc990XX6.crt
-gd-XXXX_iis_intermediates.p7b (PKCS)
I have followed these instructions.
https://nl.godaddy.com/help/iis-8-install-a-certificate-4951

I have done this twice in the past with the original cert. However, after renewing the cert this time around, the process yields this error.
0
Dan McFadden, Systems Engineer, Commented:
- Is the old certificate still on the server?
- Can you export the certificate from the server?

Dan
0
Imran Samuel, IT Technician, Author Commented:
Is the old certificate still on the server? --I deleted it using the MMC
- Can you export the certificate from the server? I've deleted it already, one of the many things that I have tried to get this to work
0
Dan McFadden, Systems Engineer, Commented:
OK, can you export the new certificate from the server?

Dan
0
Imran Samuel, IT Technician, Author Commented:
I believe I can, though I have never done this before.
0
Dan McFadden, Systems Engineer, Commented:
I would try the following.

1. export the new certificate (follow the process, it's wizard-driven)
2. delete the new certificate from the server
3. do an IISRESET from an Admin Console
4. verify that the site is working without the SSL Cert
5. import the SSL Cert
6. add the https binding to the site
7. verify the site is working with SSL

Dan
0
Imran Samuel, IT Technician, Author Commented:
The export worked ok,
When I try to import the cert
I get an error, "Certificate does not contain a private key"
0
Dan McFadden, Systems Engineer, Commented:
This is the source of the issue.

It's been discussed on EE before:  https://www.experts-exchange.com/questions/28393390/SSL-Certificate-Missing-Private-Key.html

Here is a procedure to recover the private key:  https://www.ssl.com/how-to/fix-the-iis-7-no-private-key-error-message/

And just in case, the procedure to export a cert: https://technet.microsoft.com/en-us/library/cc731386(v=ws.10).aspx

Dan
0
Imran Samuel, IT Technician, Author Commented:
I attempted these steps but no success. Only resulted in more errors,
Godaddy has an intermediate cert and also the actual cert so the steps are not exactly the same.
https://www.godaddy.com/help/install-ssl-certificates-16623

however, I tried both,
neither worked, I'm not sure if I am not doing something right
0
Dan McFadden, Systems Engineer, Commented:
What files did you receive from GoDaddy after you renewed the certificate?

Also, how exactly (what procedure did you follow) did you "renew" this SSL Cert?

Dan
0
Imran Samuel, IT Technician, Author Commented:
See attached for file names.
.crt file and .p7b file
The website was working well before the cert was renewed with GoDaddy.
After renewing the cert with GoDaddy (the current cert was three years old and was going to expire), the site stopped working. That is because the renewed cert had to be installed.
cert-files.jpg
0
Dan McFadden, Systems Engineer, Commented:
I would read thru this article and verify the permissions on the path mentioned.

Link:  https://blogs.msdn.microsoft.com/asiatech/2010/08/12/got-error-0x80070520-when-binding-certificate-to-web-site-on-iis-7/

Dan
0
Imran Samuel, IT Technician, Author Commented:
I've followed this doc, I've double checked the permissions, and given full rights, but problem persists.
0
Dan McFadden, Systems Engineer, Commented:
Have you attempted to recreate the cert private key as mentioned in the links posted above?

Dan
0
Imran Samuel, IT Technician, Author Commented:
Yeah, that resulted in the access denied error, for which you pointed me to the MS KB article referring me to security on the microsoft\RAS\Machinekeys folder.
0
Imran Samuel, IT Technician, Author Commented:
Also, of the two files I received from GoDaddy, which file should I import?
According to your guidelines that would be the p7b file; however, according to GoDaddy's instructions this should go into the intermediate certification authorities container (store) and not in the "personal" container (store).
0
Dan McFadden, Systems Engineer, Commented:
You should import both files into their respective stores.  If the Intermediate certificate installed is still valid, then you could skip the cert.

It's important to note that you need to connect to the computer store, not the user store.  Each store has the same structure, though the computer store has 1 or 2 additional objects where certs can be installed.

I defer to GoDaddy's instructions, especially since this is not one of the servers that I administer.

Dan
0
Imran Samuel, IT Technician, Author Commented:
Dear Dan,

Thanks for your assistance.  The problem was resolved.

1. Delete the certs from both intermediate and personal store.
2. Create a new CSR (IIS--server certificates), along with a private key.
I used the instructions at this URL:

https://docs.druva.com/Knowledge_Base/inSync/How_To/Using_Microsoft_IIS_to_generate_CSR_and_Private_Key

3. From the GoDaddy "manage" SSL console, rekey the cert, wait until the certs are re-issued.

4. Import the certs as per instructions at GoDaddy into both intermediate and personal store.
5. Complete the request in IIS.

You helped solve this problem by indicating clearly that the private key was missing; what I did not know was how to create the private key.

Thanks again
0
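A pre-binding check for the conditions this thread ran into (certificate in the user store instead of the computer store, no private key, missing intermediate), as an added example that is not part of the original posts. `Test-IisCertificateReady` is a hypothetical helper name, and the thumbprint passed to it is whatever the renewed certificate shows in the MMC.

```powershell
# Added example (not from the thread). Test-IisCertificateReady is a hypothetical
# helper name; pass the thumbprint of the renewed certificate.
function Test-IisCertificateReady {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)

    # Normalise: strip spaces and hidden characters pasted from the MMC dialog.
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # IIS binds from the computer store; look in the user store only to spot a misplaced import.
    $machine = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1
    $user = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1

    $result = [pscustomobject]@{
        Thumbprint     = $tp
        InMachineStore = [bool]$machine
        InUserStore    = [bool]$user
        HasPrivateKey  = $false
        NotAfter       = $null
        ChainBuilds    = $false
        ChainStatus    = ''
        Verdict        = ''
    }

    if (-not $machine) {
        if ($user) { $result.Verdict = 'Imported into the user store; import into the computer store' }
        else       { $result.Verdict = 'Not found in Cert:\LocalMachine\My' }
        return $result
    }

    $result.HasPrivateKey = $machine.HasPrivateKey
    $result.NotAfter      = $machine.NotAfter

    # Build the chain with revocation checking skipped; a missing intermediate
    # is reported as PartialChain.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $result.ChainBuilds = $chain.Build($machine)
    $result.ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    if (-not $machine.HasPrivateKey) {
        $result.Verdict = 'No private key on this server; re-key from a CSR generated here'
    } elseif ($machine.NotAfter -lt (Get-Date)) { $result.Verdict = 'Expired' }
    elseif (-not $result.ChainBuilds) { $result.Verdict = 'Chain incomplete; check Intermediate Certification Authorities' }
    else { $result.Verdict = 'Ready to bind' }
    return $result
}
```

`HasPrivateKey` only reports that the store associates a key with the certificate; it does not prove the key file is readable, which is the separate permissions check discussed earlier in the thread.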
Dan McFadden, Systems Engineer, Commented:
Glad it was resolved!

Dan
0
Dan McFadden, Systems Engineer, Commented:
Imran Samuel indicated the source of the issue was identified.
0