IIS (Server 2012): binding fails when binding a renewed certificate

Imran Samuel
A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)
I have searched extensively on the internet but so far have not found something that works.
Dan McFadden, Systems Engineer

Commented:
1. What CA is the certificate from?
2. Do you have the password for the certificate?
3. Do you have the certificate in .PFX file format?

Dan
Imran Samuel, IT Technician

Author

Commented:
The CA is GoDaddy.
As far as I know there is no password associated with the certificate.
There is an intermediate and the actual cert (two files):
- e8b120bc990XX6.crt
- gd-XXXX_iis_intermediates.p7b (PKCS)
I have followed these instructions:
https://nl.godaddy.com/help/iis-8-install-a-certificate-4951

I have done this twice in the past with the original cert. However, after renewing the cert this time around, the process yields this error.
Dan McFadden, Systems Engineer

Commented:
- Is the old certificate still on the server?
- Can you export the certificate from the server?

Dan
Imran Samuel, IT Technician

Author

Commented:
- Is the old certificate still on the server? I deleted it using the MMC.
- Can you export the certificate from the server? I've deleted it already, one of the many things that I have tried to get this to work.
Dan McFadden, Systems Engineer

Commented:
OK, can you export the new certificate from the server?

Dan
Imran Samuel, IT Technician

Author

Commented:
I believe I can, though I have never done this before.
Dan McFadden, Systems Engineer

Commented:
I would try the following.

1. Export the new certificate (follow the process, it's wizard-driven)
2. Delete the new certificate from the server
3. Do an IISRESET from an Admin Console
4. Verify that the site is working without the SSL Cert
5. Import the SSL Cert
6. Add the https binding to the site
7. Verify the site is working with SSL

Dan
Imran Samuel, IT Technician

Author

Commented:
The export worked OK.
When I try to import the cert, I get an error: "Certificate does not contain a private key"
Dan McFadden, Systems Engineer

Commented:
This is the source of the issue.

It's been discussed on EE before:  https://www.experts-exchange.com/questions/28393390/SSL-Certificate-Missing-Private-Key.html

Here is a procedure to recover the private key:  https://www.ssl.com/how-to/fix-the-iis-7-no-private-key-error-message/

And just in case, the procedure to export a cert: https://technet.microsoft.com/en-us/library/cc731386(v=ws.10).aspx

Dan
Imran Samuel, IT Technician

Author

Commented:
I attempted these steps but had no success. They only resulted in more errors.
GoDaddy has an intermediate cert and also the actual cert, so the steps are not exactly the same.
https://www.godaddy.com/help/install-ssl-certificates-16623

However, I tried both and neither worked. I'm not sure if I am not doing something right.
Dan McFadden, Systems Engineer

Commented:
What files did you receive from GoDaddy after you renewed the certificate?

Also, how exactly (what procedure did you follow) did you "renew" this SSL Cert?

Dan
Imran Samuel, IT Technician

Author

Commented:
See attached for file names:
a .crt file and a .p7b file.
The website was working well before the cert was renewed with GoDaddy.
After renewing the cert with GoDaddy (the current cert was three years old and was going to expire), the site stopped working. That is because the renewed cert had to be installed.
Dan McFadden, Systems Engineer

Commented:
I would read thru this article and verify the permissions on the path mentioned.

Link:  https://blogs.msdn.microsoft.com/asiatech/2010/08/12/got-error-0x80070520-when-binding-certificate-to-web-site-on-iis-7/

Dan
Imran Samuel, IT Technician

Author

Commented:
I've followed this doc. I've double-checked the permissions and given full rights, but the problem persists.
Dan McFadden, Systems Engineer

Commented:
Have you attempted to recreate the cert private key as mentioned in the links posted above?

Dan
Imran Samuel, IT Technician

Author

Commented:
Yeah, that resulted in the access denied error, for which you pointed me to the MS KB article referring me to security on the microsoft\RAS\Machinekeys folder.
Imran Samuel, IT Technician

Author

Commented:
Also, of the two files I received from GoDaddy, which file should I import?
According to your guidelines that would be the p7b file; however, according to GoDaddy's instructions this should go into the intermediate certification authorities container (store) and not into the "personal" container (store).
Dan McFadden, Systems Engineer

Commented:
You should import both files into their respective stores.  If the Intermediate certificate installed is still valid, then you could skip the cert.

It's important to note that you need to connect to the computer store, not the user store.  Each store has the same structure, though the computer store has 1 or 2 additional objects where certs can be installed.

I defer to GoDaddy's instructions, especially since this is not one of the servers that I administer.

Dan
Imran Samuel, IT Technician

Author

Commented:
Dear Dan,

Thanks for your assistance.  The problem was resolved:

1. Delete the certs from both the intermediate and personal stores.
2. Create a new CSR (IIS -- Server Certificates), along with a private key.
   I used the instructions at this URL:
   https://docs.druva.com/Knowledge_Base/inSync/How_To/Using_Microsoft_IIS_to_generate_CSR_and_Private_Key
3. From the GoDaddy "manage" SSL console, rekey the cert and wait until the certs are re-issued.
4. Import the certs as per the instructions at GoDaddy into both the intermediate and personal stores.
5. Complete the request in IIS.

You helped solve this problem by indicating clearly that the private key was missing. What I did not know was how to create the private key.

Thanks again
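
The root cause found in this thread was an issued certificate with no private key on the server. The PowerShell below is an added example, not part of the original thread: it checks whether a CA-issued .crt matches a pending request generated on this server, then lists which certificates in the computer Personal store have a private key attached. The function names and the `C:\certs\issued-site.crt` path are placeholders chosen for illustration.

```powershell
# Added example. Run in an elevated PowerShell session on the IIS server.

# Before "Complete Certificate Request": does the CA-issued .crt match a CSR
# that was generated on THIS server? The pending request holds the private key.
function Test-IssuedCertMatchesRequest {
    param([Parameter(Mandatory = $true)][string]$CrtPath)

    $issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CrtPath
    $issuedKey = $issued.GetPublicKeyString()

    # Cert:\LocalMachine\REQUEST is the "Certificate Enrollment Requests" store.
    $match = Get-ChildItem Cert:\LocalMachine\REQUEST |
        Where-Object { $_.GetPublicKeyString() -eq $issuedKey }

    [pscustomobject]@{
        Subject        = $issued.Subject
        Thumbprint     = $issued.Thumbprint
        NotAfter       = $issued.NotAfter
        PendingRequest = [bool]$match   # False: no matching key pair here, re-key with a new CSR
    }
}

# After installing: list certificates in the computer Personal store and flag
# any that IIS cannot bind because no private key is attached or they are out of date.
function Get-CertBindingReadiness {
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        [pscustomobject]@{
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            NotAfter      = $_.NotAfter
            HasPrivateKey = $_.HasPrivateKey
            Bindable      = $_.HasPrivateKey -and ($_.NotBefore -le $now) -and ($_.NotAfter -ge $now)
        }
    }
}

# Placeholder path: point this at the .crt file downloaded from the CA.
Test-IssuedCertMatchesRequest -CrtPath 'C:\certs\issued-site.crt' | Format-List

Get-CertBindingReadiness | Format-Table Subject, NotAfter, HasPrivateKey, Bindable -AutoSize
```

A certificate that shows `HasPrivateKey` as False in the second table was imported as a bare public certificate, which is the state that produced the errors quoted earlier in the thread.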
Dan McFadden, Systems Engineer

Commented:
Glad it was resolved!

Dan
Dan McFadden, Systems Engineer

Commented:
Imran Samuel indicated the source of the issue was identified.
