Web Site not serving up new certificate

Asked by BMaenpaa

New certificate not in use in IIS 7.
Windows Server 2012 R2 (HyperV VM in Cluster)

This is an internal site that is still working, but delivering the cert error because it is still using the old cert.

The new cert has been installed and re-installed using the GUI, PS and CMD options, but nothing seems to replace the old one.

I've cleared browser caches and reset IIS and rebooted the server many times. Nothing seems to work. I've read everything online. One blog indicated that I can replace the hash (thumbprint) in the Metabase, but I'm running IIS 7 and can't seem to find the equivalent editor to IIS 6. If I were doing this in Exchange, I would run the PS set-exchangecertificate... and replace the thumb, but I don't see an equivalent option with IIS.

There are no proxies in use, no other hosts for this site. Internal DNS resolves directly to this machine's adapter and its IP as it should. Another site on this server, also using a cert, is working fine.

Any fresh ideas would be welcome.

Thanks
Cliff Galiher:

At the risk of overlooking the obvious, did you select the new certificate in the binding settings in IIS? IIS never assumes which certificate to use so installing a new cert doesn't automatically change this setting in IIS.
BMaenpaa (asker):

I have been working on this for two days. I have tried binding the cert by every method available. None actually replace the one in use.
The old certs were deleted from the server before I started, so I don't see how it's serving it up...
When you are in the IIS site, Binding, Security, SSL, which certificate does it show?

You might be updating the certificate on the wrong end if you have load balancers in use. The certificate/SSL connection might be terminated on the load balancers, or reverse proxy servers...

Check the log for the site to see whether it is reflecting external or internal IPs.

When the certificate is changed, the effect is immediate.
OK open up a PowerShell window

Let's see what certs are in there:
Get-ChildItem -path cert:\LocalMachine\My


Take note of the thumbprint for the certificate you actually want, and use it like so (insert YOUR thumbprint, NOT this one!). New-Item only knows what to create when the target path is inside the IIS:\SslBindings drive, so import WebAdministration and use the full path:
Import-Module WebAdministration
# Thumbprint below is an example value; replace it with your own.
get-item cert:\LocalMachine\MY\1CBF581E134280162AFFFC81E62011787B3B19BE | new-item IIS:\SslBindings\0.0.0.0!443

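The binding step above, carried through as a complete script. This is an added example, not Pete's code from the thread, and it assumes the WebAdministration module (IIS 7 and later), an elevated PowerShell session, and a caller-supplied $NewThumbprint (placeholder; no real thumbprint is used here). It also answers the metabase question raised in the thread: IIS 7 keeps site bindings in %windir%\System32\inetsrv\config\applicationHost.config and the certificate-to-IP:port mapping in HTTP.SYS, which is what netsh http show sslcert prints and what the server actually serves from, so that is the layer the script verifies.

```powershell
# Added example (not from the thread): replace the SSL binding for one IP:port with a
# specific certificate and confirm what HTTP.SYS holds afterwards.
# Assumptions: WebAdministration module (IIS 7+), run as administrator,
# $NewThumbprint supplied by the caller (placeholder, no real value here).
param(
    [Parameter(Mandatory = $true)][string]$NewThumbprint,
    [string]$IpPort = '0.0.0.0!443'   # IIS:\SslBindings writes '!' between IP and port
)

Import-Module WebAdministration

# Normalise the thumbprint: strip spaces/colons and upper-case it, which is how the store reports it.
$thumb = ($NewThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
$cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert)                    { throw "No certificate with thumbprint $thumb in LocalMachine\My" }
if (-not $cert.HasPrivateKey)      { throw "Certificate $thumb has no private key; HTTP.SYS cannot serve it" }
if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Certificate $thumb expired on $($cert.NotAfter)" }

# Record what is bound before changing anything.
Write-Host "SSL bindings before:"
Get-ChildItem IIS:\SslBindings | Format-Table IPAddress, Port, Thumbprint, Sites -AutoSize

# New-Item does not overwrite an existing binding for the same IP:port, so remove it first.
$bindingPath = "IIS:\SslBindings\$IpPort"
if (Test-Path $bindingPath) {
    Write-Host "Removing old binding $IpPort -> $((Get-Item $bindingPath).Thumbprint)"
    Remove-Item $bindingPath -Force
}

# Create the binding. Piping the certificate into New-Item with an IIS:\SslBindings
# path is what avoids the 'Type' prompt: outside that drive New-Item cannot tell
# what kind of item to create.
$cert | New-Item $bindingPath | Out-Null

# Verify at the HTTP.SYS level, which is what the server actually presents.
$ipPortColon = $IpPort -replace '!', ':'
$hashLine = netsh http show sslcert "ipport=$ipPortColon" |
    Select-String 'Certificate Hash\s*:\s*([0-9A-Fa-f]+)'
if (-not $hashLine) { throw "HTTP.SYS has no SSL certificate bound to $ipPortColon" }
$served = $hashLine.Matches[0].Groups[1].Value.ToUpper()
if ($served -ne $thumb) { throw "HTTP.SYS reports $served on $ipPortColon, expected $thumb" }
Write-Host "$ipPortColon now serves $served"
```

Save it as a .ps1 and run it with -NewThumbprint <thumbprint>. Note that the binding is per IP:port: if the site's HTTPS binding listens on 8443 rather than 443 (the thread mentions an http redirect to https://[site]:8443), HTTP.SYS needs a certificate on 0.0.0.0:8443 as well, and a binding on 443 alone will not change what that site presents.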

Thanks Pete. It is asking for TYPE.
From the server/webserver, https://LANIP:443, does the correct certificate show up there?

The certificate you added, is it a renewal with the existing KEY, or did you have to go through generating a new CSR and submitting it...

If you go through the IIS interface to replace the certificate and it has the correct date range, it will be the certificate presented.
Does anyone know the correct response to the Type prompt after entering new-item cmd?

I think my predecessor tried renewing the old, which never works for me. I since created a new cert with a new csr. The old cert shows when using the IP address too.

I try logging into the site from machines I know have never connected, eliminating the question of cached certs, but always the old cert. I feel like something is stuck.

We aren’t doing any load balancing. This is just an internal site used by the help desk. No access from the WAN.

The site is configured with an http redirect to https://[site]:8443. The binding to the cert is on 443. Tried to bind to 8443, but then the site is unavailable.
If you are going by IP locally on the server and hitting the same old server, that means you are not at the right place.
Double check the SSL section of the site in iis and confirm which certificate attached to the site.
Is IIS clustered?
Certificate loaded on each node?
https://knowledge.digicert.com/solution/SO14335.html
IIS is on a Windows VM in a clustered environment. There is only one live instance of this server. No load balancing.
Are you accessing the server based on the IP of the application cluster?

So the host is clustered to allow VMs to shift from one host to another?

Please see DigiCert's IIS certificate change article and see if it works for you.

In that view, are you able to see the certificate and select the new one?
I'm accessing it by internal URL, but also from the IP; both serve up the old cert. In IIS Manager, I confirm the binding, but when I click on the Connection links on the right, it opens the browser with the old cert.

Correct

I am able to see the correct certificate in the DigiCert tool. I can also see it's assigned to the site.

I am having no trouble with any of the methods of creating, installing and assigning the new certificate.

No one has responded to my original comment, "One blog indicated that I can replace the hash (thumbprint) in the Metabase, but I'm running IIS 7 and can't seem to find the equivalent editor to IIS 6."

Does this ring any bells? I've read that what was achieved with the IIS 6 Metabase editor is now performed by editing .config files, but mine are conspicuously sparse.

Thanks in advance
How are you choosing the certificate you wish to apply? Double check the date of expiration.

Open MMC, Add/Remove Snap-ins, add Certificates (machine), and see if you have the certificate in the personal store.

This is fairly straightforward.
Please confirm the IP and hostname you go to is the one that is in the VM.
Thanks Arnold.
It should be fairly straightforward.
That is the problem. No one has yet suggested anything I haven't already tried.
I can't find anything wrong.
Except the results.
If your sites have logging enabled, confirm which site is getting the traffic.

Please confirm the IP you are going to is the IP on which the site is bound

Check the LAN IP of the system/VM.
Try connecting to it directly from the VM's browser.
Test localhost...
No solution.
With you the sole person who has access, we have to rely on you to confirm.

When you assign the certificate, make sure it is the right one (expiration).
Once that is done, the certificate, if directly accessed, will be presented by the server to the user.
The certificate in the computer personal store should reflect that.

Our back and forth should have resolved the issue, but it is unclear where the separation is.
ASKER CERTIFIED SOLUTION
BMaenpaa
The common issue I ran into is that one assumes that one did everything right. And commonly even after looking for information or asking for help. The tendency is to dismiss a suggestion that you think you've tried already.

Commonly, those in the know will chase down every other possible option before returning to recheck their own work.

A certificate and private key can only be assigned.
You mentioned you installed the certificate. Is this the system on which the certificate (CSR) was generated? Was this a renewal of a prior generated CSR on the certificate issuing portal?

I usually use openssl to see what the certificate presented is, while within IIS I view what certificate is attached.

Whether you are going through a reverse or some other proxy.
Chasing down the intricacies and layout is effectively what has to be done.

If you look in the computer certificate store at this certificate, does it reflect the presence of the private key?
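The two checks in this post (what the server actually presents, and whether the store copy has a private key) combined into one script. This is an added example, not code from the thread; it is a PowerShell stand-in for the openssl s_client check described above, and $Target, $Port and $ExpectedThumbprint are placeholders, not values from the thread. The useful outcome is the comparison: if the presented certificate is not in this machine's LocalMachine\My store at all, then whatever answered the connection was not this IIS instance.

```powershell
# Added example (not from the thread): fetch the certificate a server presents for a
# host name, then compare it with the local store and with HTTP.SYS's own binding list.
# Assumptions: run on the IIS host (for the store and netsh checks) or on a client that has
# never connected to the site (presented-certificate check only). All parameter
# values below are placeholders.
param(
    [string]$Target = 'helpdesk.example.internal',   # placeholder host name
    [int]$Port = 443,                                 # use 8443 if the site binds there
    [string]$ExpectedThumbprint = ''                  # placeholder; empty = report only
)

function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate: the goal is to see it, not to trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $cert, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        # Passing the host name sets SNI, so name-based bindings answer with the right certificate.
        $ssl.AuthenticateAsClient($HostName)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
        return $remote
    } finally {
        $client.Close()
    }
}

$presented = Get-PresentedCertificate -HostName $Target -Port $Port
"Presented by {0}:{1}  thumbprint {2}  subject {3}  expires {4}" -f `
    $Target, $Port, $presented.Thumbprint, $presented.Subject, $presented.NotAfter

# What HTTP.SYS on this machine is configured to serve, for comparison.
"HTTP.SYS bindings on this host:"
netsh http show sslcert | Select-String -Pattern 'IP:port', 'Certificate Hash' |
    ForEach-Object { '  ' + $_.Line.Trim() }

# Is the presented certificate in the local machine store, and does it carry a private key?
$local = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $presented.Thumbprint }
if ($local) {
    "In LocalMachine\My: yes; HasPrivateKey = {0}" -f $local.HasPrivateKey
} else {
    "In LocalMachine\My: NO. This host cannot be what answered; check for a proxy, a load balancer, or another machine responding to $Target."
}

if ($ExpectedThumbprint -and $presented.Thumbprint -ne ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()) {
    Write-Warning ("Expected {0} but the server presented {1}" -f $ExpectedThumbprint, $presented.Thumbprint)
}
```

Run it once against the host name and once against the LAN IP, and once from the VM itself against localhost, as the thread suggests; a presented thumbprint that matches none of the netsh entries on the VM is the strongest sign that the connection is being answered somewhere else.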