
Can't get SSL certificate to work

cindyfiller asked:
I moved my SSRS application to a new server.  My last step was to get my SSL certificate working for the new server.  I’ve done quite a few, but cannot get this one to work. It is through GoDaddy and I’ve talked to them several times.  Today I was told that they aren’t trained in certificates for IIS so they can’t help me.

I’ve followed the instructions in this article:  
https://www.godaddy.com/help/manually-install-an-ssl-certificate-on-my-iis-8-server-4951

But there are some misleading steps and I don’t know if that is why it isn’t working?  Step 14 says to upload the intermediate (.p7b) to MMC.  I’ve done that.  The next steps are in IIS and on step 22 it says to find your primary certificate that you previously uploaded.  There aren’t any steps that say to import it on MMC so I’m not quite sure what that means.  I complete the install of the primary certificate (.crt) on IIS and then do the bindings.  I then restart the services.  But the website never works.  On IIS everything looks ok.  I’ve actually started the old server and compared what I see in the 2 servers and they look the same.  I’m not sure what to do?  Any thoughts??

Sam Jacobs, Citrix Technology Professional / Director of TechDev Services, IPM

Commented:
It sounds like you might not have copied off the private key from the old server.
When you double-click on the server certificate in the MMC (on the new server), do you see this at the bottom?

[Screenshot: You-have-a-private-key.jpg]
If you don't, the certificate will not work.
cindyfiller, Director of IT

Author

Commented:
Didn't know I needed to do that!   I'd originally asked GoDaddy how to transfer it to another server and they told me I couldn't.  I've googled this and find info on moving all certs to the new server, but nothing about the private key specifically.  Do you have info on moving just that or do I need to move all certificates?  Also, is this just the certs on MMC?  

Thanks for the info!
Sam Jacobs, Citrix Technology Professional / Director of TechDev Services, IPM

Commented:
You only need to export (from the old server):
- the server certificate (make sure you tick the box that says you want to export the private key), and
- the intermediate certificate that issued the server certificate. There is no private key on the intermediate certificate.
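
The export and import steps from the answer above, as an added PowerShell example that is not part of the original thread. The host name, file path and function names are hypothetical; it moves only the server certificate and its private key, on the assumption that the new server already has the intermediate certificate.

```powershell
# Added example; $HostName, $PfxPath and the function names are hypothetical.
$HostName = 'reports.example.com'      # assumed subject of the SSRS site certificate
$PfxPath  = 'C:\Temp\ssrs-cert.pfx'    # assumed transfer file, removed after import

function Get-SiteCertificate {
    # Server certificates live in the computer's Personal store (LocalMachine\My).
    # HasPrivateKey is the property behind the "You have a private key" line in MMC.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*$HostName*" } |
        Sort-Object NotAfter -Descending
}

function Export-SiteCertificate {
    # Run on the OLD server.
    param([Parameter(Mandatory)][securestring]$Password)
    $cert = Get-SiteCertificate | Where-Object HasPrivateKey | Select-Object -First 1
    if (-not $cert) { throw "No certificate for $HostName with a private key was found." }
    # EndEntityCertOnly: export just the server certificate and its key.
    # The export fails if the key was marked non-exportable when it was installed.
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password `
        -ChainOption EndEntityCertOnly
}

function Import-SiteCertificate {
    # Run on the NEW server after copying the PFX over a trusted channel.
    param([Parameter(Mandatory)][securestring]$Password)
    $imported = Import-PfxCertificate -FilePath $PfxPath `
        -CertStoreLocation Cert:\LocalMachine\My -Password $Password
    if (-not $imported.HasPrivateKey) {
        throw "Imported certificate has no private key; IIS cannot bind it."
    }
    Remove-Item -Path $PfxPath          # do not leave key material on disk
    $imported | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
}

# Usage:
#   $pw = Read-Host -Prompt 'PFX password' -AsSecureString
#   Export-SiteCertificate -Password $pw     # on the old server
#   Import-SiteCertificate -Password $pw     # on the new server
```

The thumbprint returned by the import is the one to select in the IIS HTTPS binding.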
cindyfiller, Director of IT

Author

Commented:
Thanks - I'll try it later and let you know...  I'm betting I'll have a question or two but will google first.
Sam Jacobs, Citrix Technology Professional / Director of TechDev Services, IPM

Commented:
No problem. If the new server already has the intermediate certificate in the Intermediate Certificate store, you don't even need to export that.
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
[ ... soap box mode on ... ]

Never trust GoDaddy support.

[ ... soap box mode off ... ]
cindyfiller, Director of IT

Author

Commented:
David, I'm learning that!  I used to work with another company but they wanted too much documentation and everything took days to do... but they also knew what they were doing!
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Documentation Aside: I've been hosting projects since 1994.

I have a text file for each project site, some files have over a decade of line items.

In each file, I record almost every command sequence I issue in ssh. Many of these files are 1000s of lines long.

Granular... detailed... documentation is the only way, for me anyway, to remember what I'd done related to one site out of 1000s I've worked on.

Documentation is your friend.

Keep enough so you can always restart from a given point on any project, even if years pass since last time you worked on a project.
cindyfiller, Director of IT

Author

Commented:
Sam, I started up the old server and when I look in MMC I actually don't find any GoDaddy certificates that are for the original expiration date.  I do know when the old server is up the SSL site works fine.  I do have the root certificate authority in both and the class 2 certification authority in both - but those aren't the SSRS certificates.  

I'm not sure what to do now??  Any other ideas?  I'm trying to think if I removed those certs in the past few days thinking it might help... I may restore the server from a weekend backup and see if they are there then, but thought I'd reach out to you as well.
Sam Jacobs, Citrix Technology Professional / Director of TechDev Services, IPM

Commented:
The server certificates are in the personal store of the server.
Do you see any there?
If the SSL site works fine, then you should be able to see the certificate.
cindyfiller, Director of IT

Author

Commented:
I actually checked every area for certificates and don't see it in MMC at all...  Let me try restoring the server tonight - I know I was debating on Monday if I should try removing them.
cindyfiller, Director of IT

Author

Commented:
I did restore the vm from over the weekend and found the current cert.  I exported it with the private key.  I wasn't quite sure what to do at that point... tried this and it said it imported ok

https://wiki.cac.washington.edu/display/infra/Fixing+Certificate+Installation+Errors+on+Windows

But if I go into MMC I don't see this particular cert listed (based on the date - I had extended the SSL request before I regenerated it for the new server so the date is different).   I also wasn't sure what to do in IIS.  On the hope that just the import was needed I did try the SSL web address but it still isn't working which means I have no clue where to go from here.
Sam Jacobs, Citrix Technology Professional / Director of TechDev Services, IPM

Commented:
EE has this new feature which I've never tried … an online session.
Would you like to see if we can get you up and running?
cindyfiller, Director of IT

Author

Commented:
I would love it but is there a charge for that?
Sam Jacobs, Citrix Technology Professional / Director of TechDev Services, IPM

Commented:
Nope … just one person trying to assist another.
I'll be busy with clients until around 12:30 PM EST.
Let me know a convenient time after that, and I'll let you know if I can jump on then.
cindyfiller, Director of IT

Author

Commented:
That is terrific.  Thank you for your kind offer.  I’m central time and am available any time that works for you!
Sam Jacobs, Citrix Technology Professional / Director of TechDev Services, IPM

Commented:
OK … let's shoot for 1 PM EST (noon CST) … just about 3 hours from now.
cindyfiller, Director of IT

Author

Commented:
Fantastic.  And thank you so much.  Just let me know how to connect.
Sam Jacobs, Citrix Technology Professional / Director of TechDev Services, IPM

Commented:
I believe that you just need to have this page open, and I can initiate the connection.
This is the first time I'm trying this.
If we have any problems, I can always send you a GoToMeeting, which I use every day for clients.
cindyfiller, Director of IT

Author

Commented:
Our network department confirmed that the firewall NAT does point to the new server.  

I ran an SSL checker and it resolves to the public IP address and shows all the specific certificate info with a check mark that it is correct.  I'm so confused!
Sam Jacobs, Citrix Technology Professional / Director of TechDev Services, IPM

Commented:
Please ask them the following:
"If the firewall NAT points to the new server, why should anything I do to the OLD server (like unbinding the SSL certificate) affect it?"

Does the new server depend on anything running on the old server?
cindyfiller, Director of IT

Author

Commented:
Yea I told him what happened....  he doesn't know much about servers or SSL - just the firewall rules.  He suggested talking to a counterpart of his - I'll try that tomorrow.
Sam Jacobs, Citrix Technology Professional / Director of TechDev Services, IPM

Commented:
Ok ... post back if you have any questions.
You can also email me directly (sjacobs@ipm.com).
cindyfiller, Director of IT

Author

Commented:
And no - nothing on the new server is dependent on the old server.  In all of my testing I keep that old server down to make sure there aren't any connections that I missed. Everything is working smoothly on the new server but the SSL.
cindyfiller, Director of IT

Author

Commented:
Thanks Sam!  I'm going to reach out to an SSRS guru in England and see if he has any ideas as well.  He wrote a program to do the migration so has been providing a lot of in on that end.
cindyfiller, Director of IT

Author

Commented:
Sam, the SSL site finally stopped going to the old server and once that happened I was able to tweak a setting and the site is now working.  I feel that our network department missed something and eventually fixed it - you confirmed that by the way the site was acting.  You've provided the best customer service/assistance a person could ever ask for.  Thank you so much for your help!
cindyfiller, Director of IT

Author

Commented:
I don't find a comment that specifically addressed the fact that the secure site kept going back to the old server so it had to be a DNS or NAT issue in the firewall.  Do you want to make that comment so I can give you credit for that answer?  That was something we discussed in the remote session.

Again, thanks!
Sam Jacobs, Citrix Technology Professional / Director of TechDev Services, IPM
Commented:
Hi Cindy,

You are most welcome. The fact that the issue appeared when something was done to the old server was a giveaway that the NAT was still pointing to the old server.

Regards,
-Sam
cindyfiller, Director of IT

Author

Commented:
Sam was the most helpful person I've worked with in Experts-exchange.   He even offered to do a remote session to see if he could figure out the problem.  He was able to point me in the right direction based on that session.
Sam Jacobs, Citrix Technology Professional / Director of TechDev Services, IPM

Commented:
Hi Cindy,

Thanks for the kind words.

Best,
-Sam