Imran Samuel

asked on

IIS (Server 2012): binding fails when binding a renewed certificate

A specified logon session does not exist. it may already have been terminated. (exception from HRESULT:0x80070520)
I have searched extensively on the internet but so far have not found something that works.
iiserror.PNG
Dan McFadden

1. What CA is the certificate from?
2. Do you have the password for the certificate?
3. Do you have the certificate in .PFX file format?

Dan
Imran Samuel

ASKER

CA is GoDaddy.
As far as I know there is no password associated with the certificate.
There is an intermediate and the actual cert (two files):
- e8b120bc990XX6.crt
- gd-XXXX_iis_intermediates.p7b (PKCS)

I have followed these instructions:
https://nl.godaddy.com/help/iis-8-install-a-certificate-4951

I have done this twice in the past with the original cert. However, after renewing the cert this time around, the process yields this error.
- Is the old certificate still on the server?
- Can you export the certificate from the server?

Dan
- Is the old certificate still on the server? -- I deleted it using the MMC.
- Can you export the certificate from the server? -- I've deleted it already, one of the many things that I have tried to get this to work.
OK, can you export the new certificate from the server?

Dan
I believe I can, though I have never done this before.
I would try the following.

1. export the new certificate (follow the process, it's wizard-driven)
2. delete the new certificate from the server
3. do an IISRESET from an Admin Console
4. verify that the site is working without the SSL Cert
5. import the SSL Cert
6. add the https binding to the site
7. verify the site is working with SSL

Dan
The export worked OK.
When I try to import the cert, I get an error: "Certificate does not contain a private key"
ASKER CERTIFIED SOLUTION
Dan McFadden
I attempted these steps but had no success. It only resulted in more errors.
GoDaddy has an intermediate cert and also the actual cert, so the steps are not exactly the same.
https://www.godaddy.com/help/install-ssl-certificates-16623

However, I tried both; neither worked. I'm not sure if I am not doing something right.
What files did you receive from GoDaddy after you renewed the certificate?

Also, how exactly (what procedure did you follow) did you "renew" this SSL Cert?

Dan
See attached for file names: a .crt file and a .p7b file.
The website was working well before the cert was renewed with GoDaddy.
After renewing the cert with GoDaddy (the current cert was three years old and was going to expire), the site stopped working. That is because the renewed cert had to be installed.
cert-files.jpg
I would read through this article and verify the permissions on the path mentioned.

Link:  https://blogs.msdn.microsoft.com/asiatech/2010/08/12/got-error-0x80070520-when-binding-certificate-to-web-site-on-iis-7/

Dan
I've followed this doc, I've double-checked the permissions and given full rights, but the problem persists.
Have you attempted to recreate the cert private key as mentioned in the links posted above?

Dan
Yes, that resulted in the access denied error, for which you pointed me to the MS KB article referring me to security on the microsoft\RAS\Machinekeys folder.
Also, of the two files I received from GoDaddy, which file should I import?
According to your guidelines that would be the p7b file; however, according to GoDaddy's instructions, this should go into the Intermediate Certification Authorities container (store) and not the "Personal" container (store).
You should import both files into their respective stores.  If the Intermediate certificate installed is still valid, then you could skip the cert.

It's important to note that you need to connect to the computer store, not the user store.  Each store has the same structure, though the computer store has 1 or 2 additional objects where certs can be installed.

I defer to GoDaddy's instructions, especially since this is not one of the servers that I administer.

Dan
Dear Dan,

Thanks for your assistance.  The problem was resolved:

1. Delete the certs from both the intermediate and personal stores.
2. Create a new CSR (IIS, Server Certificates), along with a private key. I used the instructions at this URL:

https://docs.druva.com/Knowledge_Base/inSync/How_To/Using_Microsoft_IIS_to_generate_CSR_and_Private_Key

3. From the GoDaddy "manage" SSL console, rekey the cert and wait until the certs are re-issued.
4. Import the certs as per the instructions at GoDaddy into both the intermediate and personal stores.
5. Complete the request in IIS.

You helped solve this problem by indicating clearly that the private key was missing; what I did not know was how to create the private key.

Thanks again
Glad it was resolved!

Dan
Imran Samuel indicated the source of the issue was identified.
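
The cause identified in this thread (a certificate in the computer store with no matching private key) can be checked before attempting the https binding. The PowerShell below is an added example, not part of the original thread; the function name `Test-IisCertificateStore` is hypothetical and the default store path assumes the computer Personal store.

```powershell
# Added example: report why a certificate in the computer Personal store may
# fail to bind in IIS. Run from an elevated PowerShell session on the server.
function Test-IisCertificateStore {   # hypothetical helper name
    param(
        # Assumption: IIS bindings use the computer store, not the user store.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $issues = @()

        # The condition found in this thread: public certificate only, no key.
        if (-not $cert.HasPrivateKey) {
            $issues += 'no private key (re-key with a new CSR or restore the key)'
        }
        if ($cert.NotAfter -lt $now)  { $issues += 'expired' }
        if ($cert.NotBefore -gt $now) { $issues += 'not yet valid' }

        # Build the chain without revocation lookups so the check runs offline.
        # A failure here can mean the intermediate is missing from the
        # Intermediate Certification Authorities store.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        if (-not $chain.Build($cert)) {
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            $issues += "chain does not build ($status)"
        }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            Issues        = if ($issues) { $issues -join '; ' } else { 'none found' }
        }
    }
}

Test-IisCertificateStore | Format-List
```

If the key pair from the original request is still on the server, `certutil -repairstore my "<thumbprint>"` can re-associate it with the installed certificate; when the key is gone, a new CSR and re-key are required, which is what resolved this thread.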