Troubleshooting SSL in IIS

Terri Donahue @ OrcsWeb was helping a client with an SSL problem recently and wrote up this nice guest post below to help anyone else who may be in a similar troubleshooting situation.

-------------------------------------------------------------
I encountered a very interesting SSL issue while resolving a problem for a client this week. An SSL certificate was installed on a 3 node web farm but only worked on the initial node where the certificate was installed. All intermediate and root certificates were installed correctly and no errors were reported with the certificate itself. When the expiring certificate was bound to the website, the site would load as expected. As soon as the new certificate, issued by a different CA, was installed, the website started returning an error: “Cannot find server or DNS error”. This was a very descriptive error and pointed right to the issue, right? :) There was nothing logged in Event Viewer or the local web logs to aid in troubleshooting this issue.

Enter Microsoft’s SSL Diagnostic utility. There are multiple versions that can be downloaded to aid in resolving issues like this one. They can be downloaded from the following locations:

32-bit - http://www.microsoft.com/download/en/details.aspx?id=674
64-bit - http://www.microsoft.com/download/en/confirmation.aspx?id=5329

The utility queries the metabase and returns all pertinent information related to the website including SSL certificates. Here is sample output that the utility creates:

[ W3SVC/1574480769 ]
ServerComment = domain.com
ServerAutoStart = True
ServerState = Server started
#Impersonated server account
SSLCertHash = b4 be fd 64 83 b8 92 50 df 36 21 5d e1 bc f4 f4 cd 2b 96 14
SSLStoreName = MY
#CertName = www.domain.com
#You have a private key that corresponds to this certificate
#ContainerName='{EC491630-C400-4AAF-B644-EFEB4BFDC9F3}'
#ProvName='Microsoft RSA SChannel Cryptographic Provider' ProvType=PROV_RSA_SCHANNEL KeySpec=AT_KEYEXCHANGE
#Subject: O=www.domain.com, OU=Domain Control Validated, CN=www.domain.com
#Issuer: C=US, S=Arizona, L=Scottsdale, O="Starfield Technologies, Inc.",
OU=http://certificates.starfieldtech.com/repository, CN=Starfield Secure Certification Authority, SERIALNUMBER=10688435
#Validity: From 11/14/2011 5:00:36 PM To 11/14/2012 5:00:36 PM
CertVerifyCertificateChainPolicy succeeded
SecureBindings = 192.168.1.1:443:

[ W3SVC/16 ]
ServerComment = test.domain.com
ServerAutoStart = True
ServerState = Server started
#Impersonated server account
SSLCertHash = 0d 17 d0 4f bd 92 4f 55 27 80 ea 20 db a1 4d 97 97 53 3d 47
SSLStoreName = MY
#CertName = test.domain.com
#You have a private key that corresponds to this certificate
#ContainerName='{D2188304-709C-4B30-86A0-CD3BD8B247EF}'
#ProvName='Microsoft RSA SChannel Cryptographic Provider' ProvType=PROV_RSA_SCHANNEL KeySpec=AT_KEYEXCHANGE
#Subject: O=test.domain.com, OU=Domain Validated, OU=Go to https://www.thawte.com/repository/index.html, OU=Thawte SSL123 certificate, CN=test.domain.com
#Issuer: C=ZA, S=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA, E=server-certs@thawte.com
#Validity: From 1/3/2006 11:43:37 AM To 1/3/2008 4:14:07 AM
#WARNING:CertVerifyCertificateChainPolicy returned error -2146762495(0x800b0101)
SecureBindings = 127.0.0.1:443:

As you can see from the output, the www.domain.com site shows no errors and the test.domain.com displays that there is a problem with the certificate chain. Using this information, you can then work toward correcting the certificate chain problem to get your test.domain.com SSL certificate working.

The www.domain.com certificate is the one that I was troubleshooting at the time. As you can see from the output, the certificate was valid and should have worked. Within the SSL Diagnostics application, you can right click on a website listed and choose to Simulate SSL Handshake. This will test the actual process of accessing and receiving data from a site that is using SSL. Finally, I was able to get an actual error and start researching the resolution of the problem rather than looking at a generic meaningless error:

System time: Tue, 15 Nov 2011 21:21:55 GMT
Connecting to 66.129.67.156:443
Connected
Handshake: 42 bytes sent
#WARNING:Handshake: unspecified error receiving data
#WARNING:Handshake: 0x80090304 (-2146893052) error

Using this information, I was able to Google the error and find the solution to my problem.
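As an added example that is not part of the original post: the PowerShell below re-creates, on an IIS 7 or later host, the two checks the SSL Diagnostics utility performed above (chain validation of the certificate bound to each HTTPS site, and a simulated SSL handshake against the binding). It assumes the WebAdministration module is installed and that it is run from an elevated prompt.

```powershell
# Added example (not from the original post): re-create the two checks the SSL
# Diagnostics utility performs, chain validation of each bound certificate and a
# simulated SSL handshake, for every HTTPS binding on an IIS 7+ host.
# Assumes the WebAdministration module; run from an elevated PowerShell prompt.
Import-Module WebAdministration

function Test-IisSslBinding {
    foreach ($b in Get-WebBinding -Protocol https) {
        # bindingInformation is "IP:port:hostheader", e.g. "192.168.1.1:443:"
        $ip, $port, $hostHeader = $b.bindingInformation -split ':', 3
        $r = [ordered]@{ Binding = $b.bindingInformation; Thumbprint = $b.certificateHash
                         PrivateKey = $null; Chain = $null; Handshake = $null }

        # Same lookup the utility does: SSLCertHash inside the SSLStoreName store.
        $cert = Get-ChildItem "Cert:\LocalMachine\$($b.certificateStoreName)" |
                Where-Object { $_.Thumbprint -eq $b.certificateHash } | Select-Object -First 1
        if (-not $cert) {
            $r.Chain = 'certificate not found in store'
        } else {
            $r.PrivateKey = $cert.HasPrivateKey   # the "#You have a private key ..." line
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check, like CertVerifyCertificateChainPolicy
            if ($chain.Build($cert)) { $r.Chain = 'valid' }
            else {
                # e.g. NotTimeValid for an expired cert such as test.domain.com above
                $r.Chain = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            }
        }

        # "Simulate SSL Handshake": connect to the binding and complete a TLS client
        # handshake. Server cert validation is bypassed here on purpose, because
        # only the handshake itself is under test (the chain was checked above).
        $target = if ($ip -eq '*' -or $ip -eq '') { '127.0.0.1' } else { $ip }
        $sni = if ($hostHeader) { $hostHeader } else { 'localhost' }
        $tcp = New-Object System.Net.Sockets.TcpClient
        try {
            $tcp.Connect($target, [int]$port)
            $cb = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
            $ssl.AuthenticateAsClient($sni)
            $r.Handshake = "OK ($($ssl.SslProtocol), $($ssl.CipherAlgorithm))"
        } catch {
            # Surfaces the real failure, as the utility's 0x80090304 line did above
            $r.Handshake = "FAILED: $($_.Exception.GetBaseException().Message)"
        } finally { $tcp.Close() }
        [pscustomobject]$r
    }
}

Test-IisSslBinding | Format-Table -AutoSize
```

Run it on each node of a farm and compare the Thumbprint, PrivateKey and Chain columns: a binding that validates on one node but reports "certificate not found in store" or PrivateKey False on another points at the certificate import rather than at the site.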

As we all know, SSL is very important and troubleshooting certificate issues can be difficult. Microsoft’s SSL Diagnostics utility can provide the added assistance that we need to quickly and efficiently resolve SSL errors. Check it out the next time you run into an SSL issue that is stumping you.

Terri Donahue
Support Specialist
MCSE 2003 + Security

OrcsWeb Managed Hosting Solutions
Remarkable Service. Remarkable Support.
www.orcsweb.com
-------------------------------------------------------------
Happy Hosting!
