Re: SSL blues
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 02/11/05
- Next message: Joe: "Re: IIS6 Network Service Identity - when needed?"
- Previous message: David Wang [Msft]: "Re: IIS 6.0 Unattended install"
- In reply to: Rory Clark: "SSL blues"
- Next in thread: Rory Clark: "Re: SSL blues"
- Reply: Rory Clark: "Re: SSL blues"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 11 Feb 2005 02:10:11 -0800
Usually, once SSLDiag says your server-side configuration looks good and it
could communicate, "Cannot find server or DNS error" indicates DNS-type
issues outside of IIS's control.
Please verify:
1. If you do not see any success/error corresponding to your SSL requests in
W3SVC and HTTP Error Logs (subdirs under %SYSTEMROOT%\System32\LogFiles ),
then the request isn't getting to IIS.
2. Make sure that something is listening on port 443. netstat -ano should
tell you really fast
3. If you've configured IPListenList in the past, now is the time to revise
them since you said you're taking control...
4. Start looking at firewalls or your ISP blocking ports.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Rory Clark" <rory@online.stopped-motion.com> wrote in message news:OiM$Q59DFHA.3888@TK2MSFTNGP09.phx.gbl...

I'm trying to set up SSL on my web site (http://www.stopped-motion.com) and I can't seem to get it to work. The machine is running Win2k3 with IIS6 and the site is authored in ASP.Net and C#. This is a web server with multiple domains sitting on it as virtual servers through the use of host headers.

I got the certificate from my certificate authority and followed their instructions for installing via the Certificate Wizard. No problems. I fired up IE to verify that everything worked and got the dreaded "Cannot find server or DNS error" message. As a note, and this may be important or not, I could hit the site through HTTP just fine. HTTPS was the only one being problematic.

Originally, this domain used host header names for its bindings and I remembered reading somewhere that host headers don't work with SSL because the host header is part of the encrypted data. With that in hand, I went to my ISP and got another IP address to bind to the NIC. Next stop on the way was to update DNS records to point to the new IP. In the meantime, I edited my HOSTS to force the resolution of the DNS name to the new IP for testing. When I hit the page, I got the same error as before. If I hit F5 a lot, I confirmed that IE was pinging the right address.

I then went through every other website on the box and set the IP bindings to bind to the old IP. This website has 3 identities (new IP + p80, old IP + p80 + stopped-motion.com, and old IP + p80 + www.stopped-motion.com) and 1 SSL identity (new IP + p443). I still get the error.

When I run SSL Diag, this is the output for the server:

System time: Fri, 11 Feb 2005 00:29:47 GMT
ModuleFileName: C:\Program Files\IIS Resources\SSLDiag\SSLDiag.exe
OS: Windows 2003
IIS6 - World Wide Web Publishing (W3SVC) service is installed
[ HKLM\System\CurrentControlSet\Services\HTTPFilter ]
ImagePath = C:\WINNT\system32\inetsrv\inetinfo.exe
Parameters\CertChainCacheOnlyUrlRetrieval = True(default)
strmfilt.dll loaded into process 3228 (inetinfo.exe)
[ SChannel Info ]
ServerCacheEntries = 0
ServerActiveEntries = 0
ServerHandshakes = 16
ServerReconnects = 9
CacheSize = 10000

And for the site:

[ W3SVC/603546932 ]
ServerComment = stopped-motion.com
ServerAutoStart = True
ServerState = Server started
#Impersonated server account
SSLCertHash = 30 76 f5 61 e5 c7 d6 ce 3a 5c 6a 59 3b fa 7a 70 10 e4 52 13
SSLStoreName = MY
#CertName = www.stopped-motion.com
#You have a private key that corresponds to this certificate
#ContainerName='663bb2512faa871f2869b67babfc8cdc_0c8010a7-032a-4341-a40f-0e16d51a9919'
#ProvName='Microsoft RSA SChannel Cryptographic Provider' ProvType=PROV_RSA_SCHANNEL KeySpec=AT_KEYEXCHANGE
#Subject: C=US, O=www.stopped-motion.com, OU=https://services.choicepoint.net/get.jsp?GT83597166, OU=See www.freessl.com/cps (c)04, OU=Domain Control Validated - StarterSSL(TM), CN=www.stopped-motion.com
#Issuer: C=US, S=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Network Applications
#Validity: From 2/9/2005 6:06:56 PM To 2/10/2007 6:06:56 PM
SecureBindings = 66.114.146.8:443:

When I simulate the handshake in SSLDiag, I get this...

System time: Fri, 11 Feb 2005 02:04:15 GMT
Connecting to 66.114.146.8:443
Connected
Handshake: 78 bytes sent
Handshake: 1142 bytes received
Handshake: 182 bytes sent
Handshake: 43 bytes received
Handshake succeeded
Verifying server certificate, it might take a while...
Server certificate name: www.stopped-motion.com
Server certificate subject: C=US, O=www.stopped-motion.com, OU=https://services.choicepoint.net/get.jsp?GT83597166, OU=See www.freessl.com/cps (c)04, OU=Domain Control Validated - StarterSSL(TM), CN=www.stopped-motion.com
Server certificate issuer: C=US, S=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Network Applications
Server certificate validity: From 2/9/2005 6:06:56 PM To 2/10/2007 6:06:56 PM
HTTPS request:
GET / HTTP/1.0
User-Agent: SSLDiag
Accept:*/*
HTTPS: 72 bytes of encrypted data sent
HTTPS: server disconnected
Final handshake: 23 bytes sent successfully

And everything looks like it worked well enough. So I'm a little on the frustrated side of things with this and I'm looking to see if anyone can provide insight as to what the problem is. If more information is required about the box, feel free to ask and I'll go get it.

Thanks!
Rory
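The four checks in David's reply, written out as one script. This is an added example for this archive page, not code from either poster or from Microsoft. It assumes PowerShell is available on the IIS 6 host and that httpcfg.exe from the Windows Server 2003 Support Tools is on the PATH; the site ID, IP address and host name are the ones quoted from SSLDiag above. The last step repeats what SSLDiag's handshake simulation does (TLS handshake to the bound IP, then an HTTP/1.0 GET inside the tunnel) so the same probe can be run from an outside machine to separate a firewall or ISP block from a server-side problem.

```powershell
# Added diagnostic for David Wang's four checks. Not part of the original thread.
# Assumes: PowerShell on the IIS 6 host, httpcfg.exe (Windows Server 2003 Support
# Tools) on the PATH. Site ID, IP and host name are the values SSLDiag printed.
$SiteId   = 603546932              # from [ W3SVC/603546932 ]
$Ip       = '66.114.146.8'         # from SecureBindings = 66.114.146.8:443:
$HostName = 'www.stopped-motion.com'

# 1. Did the request reach IIS at all?  Look for port 443 entries in the site's
#    W3SVC log and in the HTTP.sys error log (HTTPERR).  IIS buffers log writes,
#    so give it a minute after the browser test before trusting an empty result.
$logRoot = Join-Path $env:SystemRoot 'System32\LogFiles'
foreach ($dir in @("W3SVC$SiteId", 'HTTPERR')) {
    $path = Join-Path $logRoot $dir
    if (-not (Test-Path $path)) { Write-Host "$dir`: no log directory"; continue }
    $latest = Get-ChildItem $path -Filter '*.log' | Sort-Object LastWriteTime | Select-Object -Last 1
    if ($null -eq $latest) { Write-Host "$dir`: no log files yet"; continue }
    $hits = @(Select-String -Path $latest.FullName -Pattern ' 443 ' -SimpleMatch)
    Write-Host ("{0}: {1} line(s) with port 443 in {2}" -f $dir, $hits.Count, $latest.Name)
}

# 2. Is anything listening on TCP 443?  On IIS 6 the listener is HTTP.sys, which
#    shows up as the System process (PID 4), not inetinfo.exe or w3wp.exe.
$listeners = @(netstat -ano | Select-String -Pattern ':443\s+\S+\s+LISTENING')
if ($listeners.Count -eq 0) { Write-Host 'Nothing is listening on TCP 443' }
foreach ($l in $listeners) {
    $owner = ($l.Line.Trim() -split '\s+')[-1]
    $proc  = Get-Process -Id $owner -ErrorAction SilentlyContinue
    Write-Host ("Listener: {0}  ->  PID {1} ({2})" -f $l.Line.Trim(), $owner, $proc.ProcessName)
}

# 3. IPListenList: if HTTP.sys has been told to listen on specific addresses only,
#    a newly added IP is silently ignored until it is added to the list.
#    An empty list means "all addresses".  Fix is: httpcfg set iplisten -i $Ip
$iplisten = & httpcfg query iplisten 2>&1 | Out-String
Write-Host "httpcfg query iplisten:`n$iplisten"
if ($iplisten -match 'IP\s*:' -and $iplisten -notmatch [regex]::Escape($Ip)) {
    Write-Host "WARNING: IPListenList is restricted and does not include $Ip"
}
# The SSL binding HTTP.sys actually holds for this IP:port and its cert hash.
# Compare the Hash line with SSLCertHash from SSLDiag (same bytes, no spaces).
& httpcfg query ssl 2>&1 | Out-String | Write-Host

# 4. Firewall / ISP: run this probe on the box and again from outside.  Working
#    locally but failing remotely means the packets never arrive (firewall, ISP).
$tcp = New-Object Net.Sockets.TcpClient
try {
    $tcp.Connect($Ip, 443)
    # Validation callback returns $true so the probe reports whatever cert is
    # served; this is a diagnostic only, never do this in a real client.
    $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($HostName)
    $cert = $ssl.RemoteCertificate
    Write-Host "Handshake OK. Subject: $($cert.Subject)  Expires: $($cert.GetExpirationDateString())"
    # Host header rides inside the tunnel: pre-SNI, the server picked the cert
    # from IP:port alone, which is why this site needed its own address.
    $req = [Text.Encoding]::ASCII.GetBytes("GET / HTTP/1.0`r`nHost: $HostName`r`nUser-Agent: added-example`r`n`r`n")
    $ssl.Write($req, 0, $req.Length)
    $buf = New-Object byte[] 4096
    $n = $ssl.Read($buf, 0, $buf.Length)
    if ($n -gt 0) { Write-Host ([Text.Encoding]::ASCII.GetString($buf, 0, $n)) }
    else          { Write-Host 'Server closed the connection without an HTTP response' }
    $ssl.Close()
} catch {
    Write-Host "Probe to ${Ip}:443 failed: $($_.Exception.Message)"
} finally {
    $tcp.Close()
}
```

If step 4 succeeds on the server and from the Internet but IE still reports "Cannot find server", the remaining suspects are name resolution on the client (the HOSTS override, a stale DNS cache, a proxy that ignores HOSTS) rather than IIS.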