IIS SSL binding certificate lost on server restart - 2008 R2 IIS7.5

  • Question

  • Hey,
    For a company I work at, I've recently had to migrate a horde of sites from IIS6 to IIS7.5 (using the MS deploy tools). This included many many sites which share a wildcard SSL certificate. Since ironing out bumps with the sites I just discovered that whenever the new server (2008 R2) reboots SSL is broken on all the sites, as the generic SSL binding for the sites is no longer bound to the correct certificate.
    I found this (http://support.microsoft.com/kb/2025598) article which exactly matches my experience and symptoms, except its solution doesn't work - our applicationhost.config has no id="5506" entries.

    I'd love this to be solved so the server is safe to reboot. Any help greatly appreciated.

    I'd posted this in Windows Server - General but was suggested to repost it here.

    Thursday, October 25, 2012 12:54 AM

All replies

  • Hi Ben,

    Thanks for posting in Microsoft TechNet forums.

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
     
    Thank you for your understanding and support.

    Regards

    Kevin
    Friday, October 26, 2012 1:56 AM
  • Hi Ben,

    Please first check if we add a valid certificate to the Website. If so, as the KB mentioned, there is something wrong with IIS, so please submit this question to the IIS forum.

    Windows Server Forums Windows Server 2008 R2 Web Technologies - Read Only

    Best regards, Jason Mei

    • Marked as answer by 朱鸿文 Monday, November 5, 2012 1:25 AM
    Friday, October 26, 2012 3:31 AM
  • Hey Jason,

    Yep, valid certificate. Recently renewed and correctly applied to server - tested working.

    I'd posted this also to IIS.Net, so I'll check its progress there.

    Thanks,

    Ben.

    Monday, October 29, 2012 11:29 PM
  • Hi Ben,

    Please let me know once you have any updates on the IIS forum.


    Best regards, Jason Mei

    Tuesday, October 30, 2012 3:09 AM
  • I had the same problem on two test servers running Windows Server 2008.  Whenever the servers were re-booted, the SSL binding to the website was "lost".  HTTPS:  didn't work and HTTP:  worked.  Previously, I would just un-bind the SSL certificate and re-bind.  However, on next reboot, same problem.

    Finally, I tried something different out of frustration.

    1: Export the SSL certificate and key into a .pfx file

    2: Un-bind the SSL certificate from the website

    3: Delete the SSL certificate.  I used MMC with the Certificates snap-in.  I also deleted the default SSL certificate that gets automatically created during installation.  The SSL cert with the "weird" name that you'll probably never use.

    4: Import the SSL certificate from the .pfx file into the Local Computer Personal Certificates.

    5: Bind the SSL certificate to the website.

    I know that this seems silly and un-necessary.  However, it worked for me.  My SSL problems on the two test servers went away.  I did this in February and no problems since.

    Since you have many servers, it would be a significant amount of manual work.  You would only need to export the wildcard SSL certificate and key once to a .pfx file and copy the .pfx file to each server.

    Try this on a server and see if SSL works for you after rebooting.

    Good luck.

    • Proposed as answer by gw_777 Tuesday, October 30, 2012 3:13 PM
    • Marked as answer by 朱鸿文 Monday, November 5, 2012 1:25 AM
    Tuesday, October 30, 2012 3:12 PM
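
The five steps from the answer above, scripted with `certutil` and `netsh` and followed by a check that can be re-run after a reboot. This is an added example, not part of the original thread; the thumbprint, endpoint and file path are placeholders, and it assumes the site keeps its https binding in IIS so that only the HTTP.sys certificate association is removed and recreated.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
$thumb  = '<WILDCARD-CERT-THUMBPRINT>'   # placeholder: hex thumbprint, no spaces
$ipport = '0.0.0.0:443'                  # assumed HTTP.sys endpoint of the binding
$pfx    = 'C:\temp\wildcard.pfx'         # hypothetical export path

# Returns the value of one field from "netsh http show sslcert" for an endpoint.
function Get-SslCertField($ipport, $field) {
    $line = netsh http show sslcert ipport=$ipport |
        Where-Object { $_ -match $field } | Select-Object -First 1
    if ($line) { ($line -replace '^.*:\s*', '').Trim() } else { $null }
}

# True only if the endpoint's certificate hash resolves to a certificate in
# LocalMachine\My that still has its private key.
function Test-SslBinding($ipport) {
    $hash = Get-SslCertField $ipport 'Certificate Hash'
    if (-not $hash) { return $false }
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $hash }
    return [bool]($cert -and $cert.HasPrivateKey)
}

# Step 1: export certificate and key (certutil prompts for the PFX password).
certutil -exportPFX My $thumb $pfx
if ($LASTEXITCODE -ne 0) { throw 'Export failed; nothing was changed.' }

# Step 2: remember the owning application ID, then remove the association.
$appid = Get-SslCertField $ipport 'Application ID'
if (-not $appid) { throw "No existing SSL association found for $ipport." }
netsh http delete sslcert ipport=$ipport

# Step 3: delete the certificate from the Local Computer Personal store.
certutil -delstore My $thumb

# Step 4: import it again from the .pfx (prompts for the password).
certutil -importPFX $pfx
if ($LASTEXITCODE -ne 0) { throw 'Import failed; binding not recreated.' }

# Step 5: bind the re-imported certificate to the endpoint again.
netsh http add sslcert ipport=$ipport certhash=$thumb "appid=$appid" certstorename=MY

# Run this again after the next reboot; $false means the binding was lost.
Test-SslBinding $ipport
```

The exported .pfx contains the wildcard private key, so remove it from disk once the import and the post-reboot check succeed.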