Error with SSL certificate

  • Question

  • Hello,

    When I try to edit the binding of a website in IIS, having previously imported the certificate into the certificate store and also through IIS, I get the following error when I try to replace the old certificate with the new one:

    "Error al llevar a cabo esta operación.

    Detalles:

    Una sesión de inicio especificada no existe. Es posible que haya finalizado." 

    As additional information, I have the event ID reported by the Event Viewer: it is 36870, source Schannel, and it states the following: "Error irrecuperable al intentar tener acceso a la clave privada de la credencial SSL servidor. El código de error devuelto del módulo criptográfico es 0x8009030d. El estado de error interno es 10001."

    Does anyone know what the cause could be? Thanks

    Regards.


    • Edited by cmuska, Monday, September 9, 2019 15:37
    Monday, September 9, 2019 14:43

Answers

  • Hello, CMUSKA:

    Any of these 8 possible solutions is perfectly valid for your case:

    1.- If the certificate is not considered valid by the schannel provider (the DC cert is not trusted, the DC is not able to validate that the CA is trusted, or the certificate is expired or revoked), the schannel provider will reject the cert.
    Please determine if the certificate is failing validation checking by using RUN > CERTUTIL and correct the issues that certutil reports (expired CRL, server isn't reachable on the network, CRL isn't published to the location as expected, etc.)
    Also, you may use the "dsstore -dcmon" command and look at a verbose display. Then, correct the trust chain on the certificate that you are using for schannel.

    2.- Export the cert out (with private key), then reimport it again, or import it to another machine, export it from there and import it back to this machine.

    3.- Go to the properties of the DOCUMENTS AND SETTINGS\ALL USERS folder > SECURITY tab > ADVANCED > select the RESET PERMISSIONS ON ALL CHILD OBJECTS > select OK.
    Try the websites out again.

    4.- There are 4 main IIS troubleshooting steps to take when you cannot make a successful SSL connection:
    .- Is the SSL ISAPI filter installed? It should be at the master level, and is called SSPIFILT
    .- In the IIS MMC, on the Web Site tab of the site's Properties page, is the SSL port correct & enabled?
    .- Host Headers and SSL should not be used in conjunction. Completely disable your Host Headers when troubleshooting SSL.
    .- Try generating a new certificate.

    5.- Assign full control to the Administrators group on the "C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS" folder

    6.- This occurs after you have reinstalled your server or you had a server crash. The recommended resolution is to import your private key backup file (.pfx file) using the instructions in Thawte Solution SO5288. Please check the private key in the MICROSOFT > CRYPTO > MACHINEKEYS > RSA directory. If it has no permissions on it at all, change it to have all permissions, and then it should work.

    7.- Re-import the certificate directly into the computer personal hive.

    8.- Move the CA certificate to Trusted Root Certificate Authorities and the problem will be solved.

    RSS: EVENTID.NET

    Desiderio Ondo || Engineer

    • Marked as answer by cmuska, Tuesday, September 10, 2019 14:16
    Tuesday, September 10, 2019 9:24
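
The checks behind items 1, 5, 6 and 7 of the answer above, as an added PowerShell example that is not part of the original post: for each certificate in the machine's Personal store it tries to open the private key, locates the key file and its ACL, and builds the trust chain with revocation checking. It assumes Windows Server 2008 or later, where the MachineKeys folder lives under %ProgramData% rather than Documents and Settings; the function name `Get-CertKeyHealth` is made up for this example.

```powershell
# Added example (not from the thread). Run from an elevated prompt on the IIS server.
# Assumption: key files are under %ProgramData% (Windows Server 2008 and later).
$keyDirs = @(
    "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",  # legacy CSP keys
    "$env:ProgramData\Microsoft\Crypto\Keys"              # CNG software keys
)

function Get-CertKeyHealth {   # hypothetical helper name
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $name = $null; $keyFile = $null; $keyAcl = $null; $keyError = $null
    if ($Cert.HasPrivateKey) {
        try {
            # Opening the key throws when the container is missing or unreadable.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                $name = $rsa.Key.UniqueName
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
            } else {
                $keyError = 'no RSA private key could be opened'
            }
            if ($name) {
                $keyFile = $keyDirs | ForEach-Object { Join-Path $_ $name } |
                    Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
            }
            if ($keyFile) {
                # Who can read the key file: compare with item 5 of the answer.
                $keyAcl = ((Get-Acl -LiteralPath $keyFile -ErrorAction Stop).Access |
                    ForEach-Object { "$($_.IdentityReference)=$($_.FileSystemRights)" }) -join '; '
            }
        } catch {
            $keyError = $_.Exception.Message
        }
    }

    # Build the chain in machine context, fetching CRLs as Schannel would need them.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new($true)
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk = $chain.Build($Cert)

    [pscustomobject]@{
        Subject = $Cert.Subject; Thumbprint = $Cert.Thumbprint; NotAfter = $Cert.NotAfter
        HasPrivateKey = $Cert.HasPrivateKey; KeyFile = $keyFile; KeyAcl = $keyAcl
        KeyError = $keyError; ChainOk = $chainOk
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Get-CertKeyHealth $_ } | Format-List
```

An entry with `HasPrivateKey` false, a non-empty `KeyError`, or an empty `KeyFile` points at the missing or inaccessible key that items 2, 6 and 7 address; a `ChainOk` of false points at the trust and CRL problems in items 1 and 8.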

All replies

  • Does the certificate have its private key correctly integrated?

    Your "mark as answer" is my salary :D

    Tuesday, September 10, 2019 13:47
  • Hello,

    Thanks for your answer, I will try the solutions you mention.

    Regards. :)

    Tuesday, September 10, 2019 14:16