Re: SSL and Server Certificates
From: Karl Westerholm [MS] (karlwestonline@microsoft.com)
Date: 07/09/02
From: karlwestonline@microsoft.com (Karl Westerholm [MS]) Date: Tue, 09 Jul 2002 20:58:57 GMT
It is always best to find the bit that is flipped to cause things to fail,
but if it is working now that is at least a good thing. Although we may
not know exactly what might have caused the failure to display the page in
this scenario, here is a general SSL-related troubleshooting strategy that
may come in handy in the future:
1.) I'll usually test connectivity first by using a remote machine on the
'user' side of any firewalls to fire up your telnet-application-of-choice
to attempt a direct connect on port 443 to the IP address in question. If
you are unable to even establish a connection on 443 then you know there
may be some form of port blocking at work. (be sure to use the VIP/NAT'ed
IP in use at firewall rather than internal IP of IIS box if
NAT/load-balancing is in use)
2.) If you execute a 'netstat -an' command on the IIS server, you can
determine whether the server itself is even listening on port 443. Run
this command several times, both before and after issuing a 'net stop
iisadmin /y'. In some cases it may not be listening on the port desired
even when IIS is started, or you might also discover that some *other*
application is still monopolizing port 443 after you have stopped IIS.
3.) Always confirm whether SSL is working using a browser located on the
IIS server itself (with all Proxy settings disabled) using both the
windowsmachinename & IP address.
4.) Assuming you can connect to the server internally/externally, confirm
whether you can at least get as far as seeing a certificate dialog box & if
so 'view certificate' & examine its properties. In some cases, problems
with the certificate may prevent a browser from connecting altogether. In
particular, confirm the 'valid from/valid to' dates are proper for the
cert, and that the 'CN' (common name) of the certificate matches the way
the browser is connecting to it. (i.e., if your users will connect in
browser via 'http://windowsmachinename' your CN should =
'windowsmachinename'. If users connect via
'http://fully.qualified.domain.name' then CN should =
'fully.qualified.domain.name')
5.) Ensure host headers & SSL are not in use, unless the site using SSL is
using its own unique IP address separate from any sites using host headers:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q187504
Regards,
-->Karl
“Please do not send email directly to this alias. This is our online
account name for newsgroup participation only.”
This posting is provided “AS IS” with no warranties, and confers no rights.
You assume all risk for your use. © 2001 Microsoft Corporation. All rights
reserved.
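As an added example (not part of Karl's post or of any Microsoft tool), steps 1 and 4 above in Python: a raw TCP connect on port 443, and a check that a certificate's 'valid from/valid to' dates and its common name fit the name the browser uses. The certificate is a constructed sample in the dict form returned by Python's ssl.SSLSocket.getpeercert(); the name check also accepts SAN DNS entries, which the post does not mention.

```python
"""Offline checks for steps 1 and 4 of the troubleshooting list: a raw TCP
connect, and a validity-date / name check on a certificate. SAMPLE_CERT is a
constructed sample in the shape ssl.SSLSocket.getpeercert() returns."""
import socket
import ssl
import time

# Constructed sample: a cert issued to the bare machine name only, so a
# browser using the fully qualified name would see a name mismatch.
SAMPLE_CERT = {
    "subject": ((("commonName", "windowsmachinename"),),),
    "notBefore": "Jul  1 00:00:00 2002 GMT",
    "notAfter": "Jul  1 00:00:00 2003 GMT",
}


def tcp_connect_ok(host, port=443, timeout=3.0):
    """Step 1: can a plain TCP connection be opened at all? A failure here
    points at port blocking or nothing listening, not at the certificate."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def cert_names(cert):
    """Names the certificate is valid for: SAN DNS entries first (what
    modern browsers check), then the subject CN the post talks about."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for rdn in cert.get("subject", ()):
        names += [v for k, v in rdn if k == "commonName"]
    return names


def check_cert(cert, requested_host, now=None):
    """Step 4: are the dates proper at time 'now' (epoch seconds, default
    current time) and is the name the browser uses in the cert?
    Returns a list of problems; an empty list means the cert looks right."""
    if now is None:
        now = time.time()
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid: valid from " + cert["notBefore"])
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired: valid to " + cert["notAfter"])
    names = cert_names(cert)
    if requested_host.lower() not in (n.lower() for n in names):
        problems.append("name mismatch: browser uses %r, cert is for %r"
                        % (requested_host, names))
    return problems
```

Against a live server the same dict comes from `ssl.create_default_context().wrap_socket(sock, server_hostname=host).getpeercert()`, with verification relaxed if the CA is an internal one.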
--------------------
| From: "Gary McDonnell" <garymcdonnell@hotmail.com>
| Subject: Re: SSL and Server Certificates
| Date: Mon, 8 Jul 2002 23:45:49 -0500
| Newsgroups: microsoft.public.inetserver.iis.security
|
| A complete reinstall of the certificate server, a rerun of SP2 and a
| recreation of the certificates seems to have solved my problem. It bugs me
| when I don't know exactly how I got something to work, but I did.
|
| Thank you David for your pointer to the article. It did help me understand
| things somewhat better.
|
| /gary mcdonnell
|
| "David Wang [MS]" <someone@online.microsoft.com> wrote in message
| news:6#xTMduJCHA.2016@cpmsftngxa07...
| Greetings,
|
| Check through this KB article and see if it does the trick:
|
| http://support.microsoft.com/default.aspx?scid=kb;EN-US;q295070
|
| Assuming that you are ultimately able to successfully connect via HTTPS
| from externally, albeit slowly, it is probably timing out on either the
| CRL or AIA check. (the browser, that is)
|
| On a self-issued certificate (i.e., one issued by a Certificate Server
| 2.0 CA) I'll bet the CRL/AIA links contained in the certificate are
| pointing to links such as these:
| 'http://servername/CertEnroll/CArootCertifiateName.crl' or
| 'http://servername/CertEnroll/CAserverName_CArootCertifiateName.crt' (for
| example)
|
| The 'servername' is not resolvable externally, and ultimately times out
| for name resolution, leading to the delays. If this is the problem, you
| may still have to reissue a new certificate with externally-accessible
| CRL/AIA links, however the KB describes how to do this with a Cert Server
| 2.0 CA if needed.
|
| Regards,
| -->Karl
|
| --------------------
| | From: "Gary McDonnell" <garymcdonnell@hotmail.com>
| | Subject: SSL and Server Certificates
| | Date: Mon, 8 Jul 2002 18:33:38 -0500
| | Newsgroups: microsoft.public.inetserver.iis.security
| |
| | Hello all,
| |
| | I suddenly find myself with the need to set up a secure (https) web site in
| | IIS 5 / Windows 2000 Server. I'm pretty familiar with IIS, but I've not ever
| | messed with server certificates, certificate authorities, etc. My first
| | attempt has not gone smoothly.
| |
| | The environment is a single W2K server network with Active Directory. The
| | server sits behind a firewall that does network address translation. I've
| | opened port 443 through the firewall to the server from a public address.
| | Port 80 is already open as the server currently hosts about 10 small web
| | sites (this will be the only SSL site on the server).
| |
| | I've added Certificate Services to the server and requested/received a
| | certificate from it. Browsers outside the internal network get to the site
| | eventually, but it takes them forever (the name resolves quickly and other,
| | non-SSL sites come right up). Browsers inside the firewall bring the site up
| | quickly.
| |
| | What am I doing wrong?
| |
| | /gary mcdonnell
| |