SSL stops working on IIS7 after a reboot

I have a Windows 2008 Server with IIS7. Every time the server reboots, SSL stops working.

Normal HTTP requests work fine, but any request to an HTTPS address gives the typical error message in the browser:

Cannot find server or DNS

I can temporarily fix it by opening IIS Manager and bringing up the Bindings… window for the website in question. Then I select “https”, click on “Edit”, then click “Ok” without making any changes to the settings. After doing this, browsing to https:// works again until the next reboot.

This issue looks a lot like the one described here, but according to the Certificates MMC snap-in, the certificate in question does have a private key. I'm also pretty sure that I never installed the certificate in the personal store, but imported it straight into the machine store, but it's been a while...

There's not a lot in the event log apart from the event ID 36870 also described in the post I linked to.

Can anyone help me troubleshoot this issue so that SSL will work even after a server reboot?


Solution 1:

Something else that comes to mind would be a service that is trying to bind to your SSL port during startup. Do you have another SSL site or another server that's trying to listen on that port by any chance? If so, can you temporarily disable that server or switch the site to a different port to see if that allows your SSL site to come up?

Solution 2:

Does your certificate need/require any intermediate certificates that might not have been installed? There are plenty of sites that sell certificates now that are not root authorities; GoDaddy is a good example. In addition to your certificate you have to install their intermediate certificates for the chain of authority. Have you verified that you do not need these and/or they are installed if you do? Also, how is your current binding configured - do you have an IP specified and/or a hostname specified? If not, have you tried specifying either one or both of those in your binding? That would really be more of a workaround than a resolution, but it could clarify if something like squillman stated was the case, and if it worked would also confirm your statement that your private key/certificate store are not corrupt.

Solution 3:

This was the solution for me:

http://blogs.msdn.com/b/asiatech/archive/2013/03/25/case-study-ssl-does-not-work-in-iis-7-5-after-server-reboots.aspx

Delete the certificate from the computer store and import it again. Don't drag and drop it from the user store.
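
The checks suggested in the answers above can be collected in one pass right after a reboot, before re-saving the binding in IIS Manager. This is an added example, not part of the original thread; it assumes English-language `netsh` output, an elevated PowerShell 2.0+ prompt, and that the site uses port 443.

```powershell
# Added example: read-only checks to run after a reboot, while HTTPS is failing.
# Assumptions: English netsh output, elevated prompt, HTTPS on port 443.

# 1. SSL bindings currently registered with HTTP.sys.
$bindings = @()
$current = $null
foreach ($line in (netsh http show sslcert)) {
    if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
        $current = @{ Endpoint = $Matches[1]; Hash = $null; Store = 'MY' }
        $bindings += $current
    } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
        $current.Hash = $Matches[1].ToUpper()
    } elseif ($current -and $line -match '^\s*Certificate Store Name\s*:\s*(\S+)') {
        # netsh prints "(null)" when no store was given; the default is MY.
        if ($Matches[1] -ne '(null)') { $current.Store = $Matches[1] }
    }
}
if (-not $bindings) { Write-Warning 'HTTP.sys has no SSL bindings registered.' }

# 2. For each binding: is the certificate in the machine store, does it report
#    a private key, and does its chain build from locally installed certificates?
foreach ($b in $bindings) {
    $cert = Get-ChildItem "Cert:\LocalMachine\$($b.Store)" |
        Where-Object { $_.Thumbprint -eq $b.Hash }
    if (-not $cert) {
        Write-Warning "$($b.Endpoint): $($b.Hash) not found in LocalMachine\$($b.Store)"
        continue
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep the check offline
    $chainOk = $chain.Build($cert)
    "{0}  subject={1}  HasPrivateKey={2}  chainOk={3}  chainLength={4}" -f `
        $b.Endpoint, $cert.Subject, $cert.HasPrivateKey, $chainOk, $chain.ChainElements.Count
    $chain.ChainStatus |
        ForEach-Object { "    chain status: $($_.Status) $($_.StatusInformation.Trim())" }
}

# 3. Listeners on port 443 (Solution 1); the owning PID is the last column.
netstat -ano | Select-String -Pattern ':443\s+\S+\s+LISTENING'

# 4. Most recent event ID 36870 entries from the System log (see the question).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 36870 } -MaxEvents 5 `
    -ErrorAction SilentlyContinue | Format-List TimeCreated, ProviderName, Message
```

Running it once while HTTPS is broken and again after the Edit/OK workaround, then comparing the two outputs, shows which of these items changes when the binding is re-saved.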