cindyfiller

Can't get SSL certificate to work

I moved my SSRS application to a new server.  My last step was to get my SSL certificate working for the new server.  I’ve done quite a few, but cannot get this one to work. It is through Godaddy and I’ve talked to them several times.  Today I was told that they aren’t trained in certificates for IIS so they can’t help me.

I’ve followed the instructions in this article:  
https://www.godaddy.com/help/manually-install-an-ssl-certificate-on-my-iis-8-server-4951

But there are some misleading steps and I don’t know if that is why it isn’t working?  Step 14 says to upload the intermediate (.p7b) to MMC.  I’ve done that.  The next steps are in IIS and on step 22 it says to find your primary certificate that you previously uploaded.  There aren’t any steps that say to import it on MMC so I’m not quite sure what that means.  I complete the install of the primary certificate (.crt) on IIS and then do the bindings.  I then restart the services.  But the website never works.  On IIS everything looks ok.  I’ve actually started the old server and compared what I see in the 2 servers and they look the same.  I’m not sure what to do?  Any thoughts??

Tags: SSL / HTTPS, SSRS, Microsoft Server OS, Microsoft SQL Server

Last Comment
Sam Jacobs

8/22/2022 - Mon
Sam Jacobs

It sounds like you might not have copied off the private key from the old server.
When you double-click on the server certificate in the MMC (on the new server), do you see this at the bottom?

[Image: You-have-a-private-key.jpg]
If you don't, the certificate will not work.
cindyfiller

ASKER
Didn't know I needed to do that!   I'd originally asked Godaddy how to transfer it to another server and they told me I couldn't.  I've googled this and find info on moving all certs to the new server, but nothing about the private key specifically.  Do you have info on moving just that or do I need to move all certificates.  Also, is this just the certs on MMC?  

Thanks for the info!
Sam Jacobs

You only need to export (from the old server):
- the server certificate (make sure you tick the box that says you want to export the private key), and
- the intermediate certificate that issued the server certificate. There is no private key on the intermediate certificate.
cindyfiller

ASKER
Thanks - I'll try it later and let you know...  I'm betting I'll have a question or two but will google first.
Sam Jacobs

No problem. If the new server already has the intermediate certificate in the Intermediate Certificate store, you don't even need to export that.
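The export and import steps described in the replies above, as an added PowerShell example that is not part of the original thread. The thumbprint and PFX path are placeholders, and the function names are hypothetical; the cmdlets are the standard PKI ones shipped with Windows Server 2012 and later.

```powershell
# Added example. Run in an elevated PowerShell session.
# <THUMBPRINT> and C:\Temp\ssrs-cert.pfx are placeholders, not values from the thread.

function Get-ServerCert {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Server certificates live in the computer's Personal store (LocalMachine\My).
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
}

# OLD server: export the server certificate together with its private key.
function Export-ServerCertWithKey {
    param([Parameter(Mandatory)][string]$Thumbprint,
          [Parameter(Mandatory)][string]$PfxPath,
          [Parameter(Mandatory)][securestring]$Password)
    $cert = Get-ServerCert -Thumbprint $Thumbprint
    if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My." }
    if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key on this server.' }
    # This call fails if the key was marked non-exportable when it was created.
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password | Out-Null
    $cert | Select-Object Subject, NotAfter, Thumbprint
}

# NEW server: import the PFX and confirm the private key arrived with it.
function Import-ServerCertWithKey {
    param([Parameter(Mandatory)][string]$PfxPath,
          [Parameter(Mandatory)][securestring]$Password)
    $cert = Import-PfxCertificate -FilePath $PfxPath -Password $Password `
                -CertStoreLocation Cert:\LocalMachine\My |
            Where-Object { $_.HasPrivateKey } | Select-Object -First 1
    if (-not $cert) { throw 'Import produced no certificate with a private key.' }
    # Check that Windows can build a chain to a trusted root (revocation not checked here).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [pscustomobject]@{
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        ChainBuilds   = $chain.Build($cert)
    }
}

# Usage (placeholders):
#   $pw = Read-Host -AsSecureString -Prompt 'PFX password'
#   Export-ServerCertWithKey -Thumbprint '<THUMBPRINT>' -PfxPath 'C:\Temp\ssrs-cert.pfx' -Password $pw
#   Import-ServerCertWithKey -PfxPath 'C:\Temp\ssrs-cert.pfx' -Password $pw
```

The PFX file contains the private key, so copy it between servers over a protected channel and delete every copy once the import is confirmed.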
David Favor

[ ... soap box mode on ... ]

Never trust GoDaddy support.

[ ... soap box mode off ... ]
cindyfiller

ASKER
David, I'm learning that!  I used to work with another company but they wanted too much documentation and everything took days to do... but they also knew what they were doing!
David Favor

Documentation Aside: I've been hosting projects since 1994.

I have a text file for each project site, some files have over a decade of line items.

In each file, I record almost every command sequence I issue in ssh. Many of these files are 1000s of lines long.

Granular... detailed... documentation is the only way, for me anyway, to remember what I'd done related to one site out of 1000s I've worked on.

Documentation is your friend.

Keep enough so you can always restart from a given point on any project, even if years pass since last time you worked on a project.
cindyfiller

ASKER
Sam, I started up the old server and when I look in MMC I actually don't find any Godaddy certificates that are for the original expiration date.  I do know when the old server is up the SSL site works fine.  I do have the root certificate authority in both and the class 2 certification authority in both - but those aren't the SSRS certificates.  

I'm not sure what to do now??  Any other ideas?  I'm trying to think if I removed those certs in the past few days thinking it might help... I may restore the server from a weekend backup and see if they are there then, but thought I'd reach out to you as well.
Sam Jacobs

The server certificates are in the personal store of the server.
Do you see any there?
If the SSL site works fine, then you should be able to see the certificate.
cindyfiller

ASKER
I actually checked every area for certificates and don't see it in MMC at all...  Let me try restoring the server tonight - I know I was debating on Monday if I should try removing them.
cindyfiller

ASKER
I did restore the vm from over the weekend and found the current cert.  I exported it with the private key.  I wasn't quite sure what to do at that point... tried this and it said it imported ok

https://wiki.cac.washington.edu/display/infra/Fixing+Certificate+Installation+Errors+on+Windows

But if I go into MMC I don't see this particular cert listed (based on the date - I had extended the SSL request before I regenerated it for the new server so the date is different).   I also wasn't sure what to do in IIS.  On the hope that just the import was needed I did try the SSL web address but it still isn't working which means I have no clue where to go from here.
Sam Jacobs

EE has this new feature which I've never tried … an online session.
Would you like to see if we can get you up and running?
cindyfiller

ASKER
I would love it but is there a charge for that?
Sam Jacobs

Nope … just one person trying to assist another.
I'll be busy with clients until around 12:30 PM EST.
Let me know a convenient time after that, and I'll let you know if I can jump on then.
cindyfiller

ASKER
That is terrific.  Thank you for your kind offer.  I’m central time and am available any time that works for you!
Sam Jacobs

OK … let's shoot for 1 PM EST (noon CST) … just about 3 hours from now.
cindyfiller

ASKER
Fantastic.  And thank you so much.  Just let me know how to connect.
Sam Jacobs

I believe that you just need to have this page open, and I can initiate the connection.
This is the first time I'm trying this.
If we have any problems, I can always send you a GoToMeeting, which I use every day for clients.
cindyfiller

ASKER
Our network department confirmed that the firewall NAT does point to the new server.  

I ran an SSL checker and it resolves to the public IP address and shows all the specific certificate info with a check mark that it is correct.  I'm so confused!
Sam Jacobs

Please ask them the following:
"If the firewall NAT points to the new server, why should anything I do to the OLD server (like unbinding the SSL certificate) affect it?"

Does the new server depend on anything running on the old server?
cindyfiller

ASKER
Yea I told him what happened....  he doesn't know much about servers or SSL - just the firewall rules.  He suggested talking to a counterpart of his - I'll try that tomorrow.
Sam Jacobs

Ok ... post back if you have any questions.
You can also email me directly (sjacobs@ipm.com).
cindyfiller

ASKER
And no - nothing on the new server is dependent on the old server.  In all of my testing I keep that old server down to make sure there aren't any connections that I missed. Everything is working smoothly on the new server but the ssl.
cindyfiller

ASKER
Thanks Sam!  I'm going to reach out to a SSRS guru in England and see if he has any ideas as well.  He wrote a program to do the migration so has been providing a lot of in on that end.
cindyfiller

ASKER
Sam, the SSL site finally stopped going to the old server and once that happened I was able to tweak a setting and the site is now working.  I feel that our network department missed something and eventually fixed it - you confirmed that by the way the site was acting.  You've provided the best customer service/assistance a person could ever ask for.  Thank you so much for your help!
cindyfiller

ASKER
I don't find a comment that specifically addressed the fact that the secure site kept going back to the old server so it had to be a DNS or NAT issue in the firewall.  Do you want to make that comment so I can give you credit for that answer.  That was something we discussed in the remote session.

Again, thanks!
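A check for the symptom described in this thread (HTTPS requests still reaching the old server after the move), added here as a PowerShell example that is not part of the original thread. It is run on the new server; the host name and IP address in the usage comment are placeholders, the function names are hypothetical, and it assumes the endpoint accepts TLS 1.2.

```powershell
# Added example. 'reports.example.com' and 203.0.113.10 are placeholders.

function Get-ServedCertificate {
    param([Parameter(Mandatory)][string]$HostName,
          [string]$Address = $HostName,   # connect here; $HostName is still sent as SNI
          [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Address, $Port)
        # Accept whatever is presented: the goal is to inspect it, not to trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        try {
            # TLS 1.2 is requested explicitly (assumption: the endpoint supports it).
            $ssl.AuthenticateAsClient($HostName, $null,
                [System.Security.Authentication.SslProtocols]::Tls12, $false)
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $client.Close() }
}

function Test-ServedByThisServer {
    param([Parameter(Mandatory)][string]$HostName, [string]$Address = $HostName)
    $served = Get-ServedCertificate -HostName $HostName -Address $Address
    # A match needs the same thumbprint AND a private key in this machine's Personal store.
    $local = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $served.Thumbprint -and $_.HasPrivateKey }
    [pscustomobject]@{
        Endpoint         = $Address
        ServedSubject    = $served.Subject
        ServedNotAfter   = $served.NotAfter
        ServedThumbprint = $served.Thumbprint
        InLocalStore     = [bool]$local
    }
}

# Usage (placeholders): compare what the public address serves with this server's store.
#   Test-ServedByThisServer -HostName 'reports.example.com' -Address '203.0.113.10'
#   Test-ServedByThisServer -HostName 'reports.example.com' -Address 'localhost'
```

`InLocalStore = False` for the public address while `localhost` returns `True` means another machine is answering on the public endpoint. The check only distinguishes the servers when they hold different certificates, as here where the certificate was regenerated for the new server.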
ASKER CERTIFIED SOLUTION
Sam Jacobs

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
cindyfiller

ASKER
Sam was the most helpful person I've worked with in Experts-exchange.   He even offered to do a remote session to see if he could figure out the problem.  He was able to point me in the right direction based on that session.
Sam Jacobs

Hi Cindy,

Thanks for the kind words.

Best,
-Sam