IIS / SSL + Pages not Loading (HTTPS)
Archived text-only thread from the IIS Server Security forum, April 2004.

Team Macromedia 2004-04-18, 10:43 am
Hi (sorry for the X-Post),
In a bit of a hole here. I currently have a Load Balanced environment
(using an ancient LocalDirector 417) currently over 2 Web Servers. Each
Web Server has its own SSL Certificate installed for secure.mysite.com
from Verisign using standard Port 443. We are using a Checkpoint
Watchguard Firewall.
Currently Port 80 traffic is fine and if I browse to
http://secure.mysite.com it displays the screen I want to see but when I
try and resolve https://secure.mysite.com I immediately get a cannot
be loaded error and if I try and refresh that screen it just hangs and
displays nothing.
Now, I am sure that the Certs are all installed correctly, so I am trying
to rule them out (in any case, would a bad cert stop HTTPS working?). We
have made changes to the Load Balancer recently for SSL Sticky Sessions,
but I know that the LB is not the problem, as when I bypass the LB the
error still happens; what it could be is the Firewall, as we haven't
totally ruled that out or tested it.
Anyone else seen issues like this before?
Windows 2000 Server
IIS 5.x
SSL (Verisign)
Port 443
Cisco LD-417
Checkpoint Watchguard Firewall/VPN
Thanks
Neil

Paul Lynch 2004-04-18, 10:43 am
On Sat, 17 Apr 2004 10:48:11 +0100, Team Macromedia
<nospam@nospam.com> wrote:
>Hi (sorry for the X-Post),
>
>In a bit of a hole here. I currently have a Load Balanced environment
>(using an ancient LocalDirector 417) currently over 2 Web Servers. Each
>Web Server has its own SSL Certificate installed for secure.mysite.com
>from Verisign using standard Port 443. We are using a Checkpoint
>Watchguard Firewall.
>
>Currently Port 80 traffic is fine and if I browse to
>http://secure.mysite.com it displays the screen I want to see but when I
> try and resolve https://secure.mysite.com I immediately get a cannot
>be loaded error and if I try and refresh that screen it just hangs and
>displays nothing.
>
>Now, I am sure that the Certs are all installed correctly, so I am trying
>to rule them out (in any case, would a bad cert stop HTTPS working?). We
>have made changes to the Load Balancer recently for SSL Sticky Sessions,
>but I know that the LB is not the problem, as when I bypass the LB the
>error still happens; what it could be is the Firewall, as we haven't
>totally ruled that out or tested it.
>
>Anyone else seen issues like this before?
>
>Windows 2000 Server
>IIS 5.x
>SSL (Verisign)
>Port 443
>Cisco LD-417
>Checkpoint Watchguard Firewall/VPN
>
>Thanks
>
>Neil
Neil,
I've implemented a very similar setup myself using a hardware
load-balancer and multiple identical web servers all serving up SSL
content without problems.
I'd certainly suggest checking your firewall logs for any clues and
you might also want to take a look at this KB article :
HOW TO: Determine If SSL Connectivity Is Not Working on the Web Server
or on an Intermediate Device
http://support.microsoft.com/?id=290051
Regards,
Paul Lynch
MCSE

Team Macromedia 2004-04-18, 10:43 am
I just read : http://support.microsoft.com/defaul...kb;EN-US;260096
and funnily enough this did happen, I did install by accident an SSL
cert on the Default Web Site and removed it and installed on the correct
Host Header (I am also reading about HTTP 1.1 Host Headers being an
issue - but that could be something else), I wonder if the fact that an
SSL was installed on the Default Web Site that the process of removing
it again needs to be performed?
TIA
Neil

Team Macromedia 2004-04-18, 10:43 am
Hey Paul,
Yes I have a group of these articles open at present. And these are the
problems I am having. One thing which does confuse me is the part
which explains to use https://www.commonnameonthecertificate.com. The
certs on the 2 web servers have registered common names as
secure.test.reedexpo.com so to test do I test with
https://www.secure.test.reedexpo.com.com or simply
https://secure.test.reedexpo.com
Is there a way to get the common name from the machine? I assume that I
can just visit Verisign and get that info.
Do you think that the fact they have the same common name is a problem?
(I don't think it does - but you never know!) All the other data such
as the Country and State are the same except department, as it would not
allow us to create or request more than one certificate with the same
information, so we had to modify the department to be slightly different
based on the machine request.
It's a doozy alright...
N

Team Macromedia 2004-04-18, 10:43 am
In an effort to debug I have shut down our second web server, and our
initial web server is having the problems standalone. I did remove the
cert, but when I go to re-assign it, when the Select a Certificate
dialog appears there are 2 in the box to select... erm... weird...
anyone know why, or how to clear this box out so it only has one?
N

Paul Lynch 2004-04-18, 10:43 am
On Sat, 17 Apr 2004 12:24:07 +0100, Team Macromedia
<nospam@nospam.com> wrote:
>I just read : http://support.microsoft.com/defaul...kb;EN-US;260096
>
>and funnily enough this did happen, I did install by accident an SSL
>cert on the Default Web Site and removed it and installed on the correct
>Host Header (I am also reading about HTTP 1.1 Host Headers being an
>issue - but that could be something else), I wonder if the fact that an
>SSL was installed on the Default Web Site that the process of removing
>it again needs to be performed?
>
>TIA
>
>Neil
Neil,
Host headers will not work with SSL. For best results the SSL enabled
web site on your server should have its own dedicated IP address.
Refer to this KB article if you haven't found it already :
HTTP 1.1 Host Headers Are Not Supported When You Use SSL
http://support.microsoft.com/?id=187504
Regards,
Paul Lynch
MCSE

Paul Lynch 2004-04-18, 10:43 am
On Sat, 17 Apr 2004 12:25:30 +0100, Team Macromedia
<nospam@nospam.com> wrote:
>Hey Paul,
>
>Yes I have a group of these articles open at present. And these are the
> problems I am having. One thing which does confuse me is the part
>which explains to use https://www.commonnameonthecertificate.com. The
>certs on the 2 web servers have registered common names as
>secure.test.reedexpo.com so to test do I test with
>
>https://www.secure.test.reedexpo.com.com or simply
>https://secure.test.reedexpo.com
The browser request has to match the registered common name exactly.
To have more than one identity per web site requires the use of host
headers and this will not work with SSL.
By way of example, browse to this URL :
https://online.lloydstsb.co.uk
and now try browsing to this one :
https://www.online.lloydstsb.co.uk
>Is there a way to get the common name from the machine? I assume that I
>can just visit Verisign and get that info.
The common name is the FQDN you entered when you made the request for
the certificate - usually something like secure.domain.com - in the
above example, check the certificate properties on the site, they
match exactly the URL in the browser request. If you click on the
Details tab and click on Subject you'll see that the CN= field also
matches the URL exactly.
>Do you think that the fact they have the same common name is a problem?
>(I dont think it does - but you never know! ) All the other data such
>as the Country and State are the same except department as it would not
>allow us to create or request more than one certificate with the same
>information so we had to modify the department to be slightly different
>based on the machine request.
No, if I have understood you correctly (and I think I have) then you
should have the same certificate on each server, so they would, by
definition, have the same information. If the site is load balanced
across two servers then the correct procedure is to install the
certificate on one server and then export that certificate to the
other servers in the cluster.
Refer to this KB article for an explanation :
HOW TO: Load Balance a Web Server Farm Using One SSL Certificate in
IIS
http://support.microsoft.com/?id=313299
HTH !
Regards,
Paul Lynch
MCSE

Team Macromedia 2004-04-18, 10:43 am
This could be the reason!!!!! Though how will the Web Server know what
site to serve up if I am not using Host Headers?
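Paul's point above, that the browser's request must match the certificate's registered common name exactly, and WenJun's later note that reaching a site by localhost, IP address or machine name always produces the warning, can be turned into a check a server admin can run before going live. The Python script below is an added example, not code from the thread; the certificate dictionaries are constructed in the shape Python's ssl module returns from getpeercert(), the host names are the thread's own, and the fetch_peer_cert helper is an assumption about how one would pull a live certificate to feed the same check.

```python
"""Decide whether a requested host name matches what a certificate is issued for.

Added example: models a browser's name check. Certificates are given in the
dict shape that ssl.SSLSocket.getpeercert() returns (subject as nested
tuples, subjectAltName as (type, value) pairs).
"""
import socket
import ssl
from ipaddress import ip_address

# Constructed sample in getpeercert() shape: the thread's common name, no
# subjectAltName, which is typical of a 2004-era certificate.
REEDEXPO_CERT = {
    "subject": (
        (("countryName", "GB"),),
        (("organizationalUnitName", "Web Server 1"),),
        (("commonName", "secure.test.reedexpo.com"),),
    ),
}

# Constructed sample with a subjectAltName that also covers the www. form.
REEDEXPO_SAN_CERT = {
    "subject": ((("commonName", "secure.test.reedexpo.com"),),),
    "subjectAltName": (
        ("DNS", "secure.test.reedexpo.com"),
        ("DNS", "www.secure.test.reedexpo.com"),
    ),
}


def cert_names(cert):
    """Names the certificate is valid for: DNS SANs when present, else the subject CN.

    Browsers fall back to the CN only when the certificate has no SAN
    extension, so the CN of a SAN certificate is deliberately not returned.
    """
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def name_matches(requested, cert_name):
    """Exact, case-insensitive match; one wildcard label allowed at the left edge only."""
    requested = requested.lower().rstrip(".")
    cert_name = cert_name.lower().rstrip(".")
    if cert_name.startswith("*."):
        # *.example.com matches a.example.com, not example.com or a.b.example.com
        labels = requested.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == cert_name[2:]
    return requested == cert_name


def check_hostname(requested, cert):
    """Return (ok, reason), mirroring when a browser shows the name-mismatch warning."""
    try:
        ip_address(requested)
        return False, f"{requested} is an IP address; this certificate names no IP addresses"
    except ValueError:
        pass
    if "." not in requested:
        return False, f"{requested} is localhost or a bare machine name, not the certificate's FQDN"
    names = cert_names(cert)
    for name in names:
        if name_matches(requested, name):
            return True, f"{requested} matches {name}"
    return False, f"{requested} matches none of {names}"


def fetch_peer_cert(host, port=443):
    """Live variant (assumed usage, not exercised offline): fetch the certificate a
    server presents so check_hostname() can be run against it. The chain is still
    verified, but hostname checking is turned off so that a mismatched certificate
    can be inspected instead of being rejected before getpeercert() returns."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for host in ("secure.test.reedexpo.com", "www.secure.test.reedexpo.com",
                 "localhost", "10.0.0.5"):
        ok, why = check_hostname(host, REEDEXPO_CERT)
        print(f"{'OK  ' if ok else 'WARN'} {why}")
```

Run as-is it walks the four host names against the constructed certificate and reports which ones a browser would accept; to test a real server, pass fetch_peer_cert("secure.example.test") as the second argument instead.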

Team Macromedia 2004-04-18, 10:43 am
This does help - it helps a lot! I am a tad annoyed with Verisign now
as I spend quite a long time on the phone with them explaining the
situation and they argued that we had to buy one cert for each server
(then of course they would), time to get on their case methinks.
Thanks Paul for taking time out at the weekend! I will look into these
on Monday.
Thanks, I will update the NNTP as soon as I get some results.

Team Macromedia 2004-04-18, 10:43 am
I did find this technote, but I have to say that SSL worked on another
server using Host Headers? Or is it the case that the headers themselves
are not encrypted but the SSL traffic will still work?
N

Paul Lynch 2004-04-18, 10:43 am
On Sat, 17 Apr 2004 14:56:55 +0100, Team Macromedia
<nospam@nospam.com> wrote:
>I did find this technote but I have to say that SSL worked on another
>server using Host Headers? or is it the case that the headers themselves
>are not encrypted but the SSL traffic will still work.
>
>N
No it didn't Neil. SSL will not work with host headers.
Regards,
Paul Lynch
MCSE

Team Macromedia 2004-04-18, 10:43 am
Hmmmmm, OK, that's all fine, but for a test site I followed this routine:
1. Added new site : secure.test.reedexpo.com to IIS
2. Added secure.test.reedexpo.com as the host header (so it could be
distinguished from other sites) as the load balancer routes to one IP
per web server.
3. Imported SSL Certificate
4. Added Port 443 to IIS and Firewall
Now, after this we were **DEFO** getting pages displayed on
https://secure.test.reedexpo.com; this I can guarantee as we have had 2
weeks of UAT on a server using it; so either the Host Header was working
or there was something afoot elsewhere which was allowing it to happen.
I dunno... but from what you have said so far today, the config
was flawed anyway.
One thing I don't quite get is how will the webserver ever know to select
the secure SSL site from the 90+ other sites we have without the use of
Host Headers - it doesn't seem possible... though if you know different
please let me know ;-)?
N

Team Macromedia 2004-04-18, 10:43 am
Hey
I can see how it would work for 1 IP, as we can configure the Load
Balancer to direct 443 traffic to that IP (but how will it work Load
Balanced? Do we bind multiple servers to the same IP, which doesn't seem
to make sense...), but what if you have more than 1 SSL site on multiple
web servers without using Host Headers?
N

Paul Lynch 2004-04-18, 10:43 am
On Sat, 17 Apr 2004 16:32:00 +0100, Team Macromedia
<nospam@nospam.com> wrote:
>Hey
>
>I can see how it would work for 1 IP as we can configure the Load
>Balancer to direct 443 traffic to that IP (but how will it work Load
>Balanced? do we bing multiple servers to the same IP- which doesnt seem
>to make sense..) but what if you have more than 1 SSL site on multiple
>web servers without using Host Headers?
>
>N
You can have multiple SSL enabled web sites on a single server. They
just need a unique IP address. SSL and host headers do not work,
really :
HTTP 1.1 Host Headers Are Not Supported When You Use SSL
http://support.microsoft.com/?id=187504
The way we load balanced our web servers was by using a hardware based
VIP which re-directed the incoming requests to the real IP address of
the web servers (I'm a bit sketchy on the details of this as I'm not a
network admin), but there are alternatives such as Windows Network Load
Balancing, which assigns a virtual IP address to all members of a web
farm or cluster and re-directs inbound requests to the member
servers.
I don't know how you would do this with your cisco kit though. You're
going to have to do some reading I think ;-)
Regards,
Paul Lynch
MCSE

WenJun Zhang[msft] 2004-04-19, 6:34 am
Yes, only IP and Ports can work with SSL. If there is still any issue
on SSL deployment, download SSLDiag to capture two logs to take a
look. Double-click the data of a SSL enabled site e.g: [W3SVC/1] ,
SSLDiag will open 2nd window to test its HTTPS communication.
SSL Diagnostics Version 1.0 (x86)
http://www.microsoft.com/downloads/...D=cabea1d0-5a10
-41bc-83d4-06c814265282&displaylang=en
Best regards,
WenJun Zhang
Microsoft Online Support
This posting is provided "AS IS" with no warranties, and confers no
rights.
Get Secure! - www.microsoft.com/security

Team Macromedia 2004-04-19, 2:35 pm
OK,
I got it working! The problem was down to a documented problem where a
cert was installed on the default website and I tried to set it up on
another server...
BUT!!! can you riddle me this.....I have added the new site to the two
webserver WITH host header and bound it to the same IP as all the rest
of the standard IP / Port 80 sites and its working AOK as expected. I
have installed the cert and its all sweet....... The site is called
secure.test.reexo.com and (host header secure.test.rexo.com)it can be
successfully browsed to by the following
http://secure.test.rexo.com
https://secure.test.rexo.com
Granted that now ALL sites can be visited via HTTP and that the Padlock
is not showing in the browser, but SSL is working and with host headers.
NOTE: Is it a bug that although the SSL padlock does not appear in the
browser status bar that you can still double-click where it would be and
view the certificate!?
As a test - if I browse to a normal non-SSL site such as
http://www.test.samplesite.com and then to
https://www.test.samplesite.com, BOTH can be resolved, albeit, as
noted above, the second will display a cert warning as it does not
match the site you have SSL'ed.
Does this seem OK? is this bad practice - it certainly does seem to be
behaving as expected and all sweet.
Thanks
Neil

WenJun Zhang[msft] 2004-04-20, 8:37 am
"Granted that now ALL sites can be visited via HTTP and that the
Padlock is not showing in the browser but SSL is working and with
host headers ."
1) Please test on several different clients to see if the Padlock is
always not showing.
2) In the site properties->Web Site tab, click Advanced and you will
see there is no place to setup host header for SSL. In other words,
you cannot have another site on the same IP's default SSL 443 port.
Otherwise a port conflict is caused.
"As a test - If I browse to a normal non-ssl site such as
http://www.test.samplesite.com and then by
https://www.test.samplesite.com that BOTH can be resolved albeit as
noted above with the second will display a cert warning as it does
mot
match the site you have SSL'ed."
Please check if the certificate's Common Name CN is
"www.test.samplesite.com": in the cert's Details tab->Subject item.
Also, if you access the site through localhost, IP or machinename,
the warning dialog will always popup.
Best regards,
WenJun Zhang
Microsoft Online Support
This posting is provided "AS IS" with no warranties, and confers no
rights.
Get Secure! - www.microsoft.com/security

Team Macromedia 2004-04-20, 1:34 pm
Hi,
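WenJun's point 2 above, Paul's earlier advice that each SSL site needs its own dedicated IP address, and Neil's observation that every host-header site on the shared IP suddenly answered on https:// with the wrong certificate, can all be expressed as one check over a site binding table, which is a useful thing to run before adding an SSL site to a server that already hosts 90+ host-header sites. The Python below is an added example, not code from the thread or from IIS; the Binding records and the three sample tables are constructed, the site names follow the thread, and the 10.0.0.x addresses are placeholders.

```python
"""Flag SSL/host-header binding conflicts in an IIS 5-style site table.

Added example. Bindings are modelled as (site, ip, port, host header, ssl)
records; the three tables at the bottom are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    site: str          # IIS site description
    ip: str            # IP address of the binding (constructed 10.0.0.x values below)
    port: int
    host_header: str   # "" when no host header is set
    ssl: bool          # True for the SSL (443) binding


def check_bindings(bindings):
    """Return (severity, message) findings; an empty list means the table is clean."""
    findings = []
    by_endpoint = defaultdict(list)
    for b in bindings:
        by_endpoint[(b.ip, b.port)].append(b)

    for (ip, port), group in sorted(by_endpoint.items()):
        ssl_sites = [b for b in group if b.ssl]
        if len(ssl_sites) > 1:
            names = ", ".join(b.site for b in ssl_sites)
            findings.append(("error", f"{ip}:{port}: SSL sites {names} share one endpoint; "
                                      "the host name arrives inside the encrypted request, "
                                      "so each SSL site needs its own IP"))
        for b in ssl_sites:
            if b.host_header:
                findings.append(("warning", f"{b.site}: host header '{b.host_header}' on the "
                                            f"SSL binding does not select the site; only "
                                            f"{ip}:{port} does"))
        # Plain HTTP sites may share an endpoint as long as their host headers differ.
        by_header = defaultdict(list)
        for b in group:
            if not b.ssl:
                by_header[b.host_header.lower()].append(b.site)
        for header, sites in by_header.items():
            if len(sites) > 1:
                findings.append(("error", f"{ip}:{port}: {', '.join(sites)} have the same "
                                          f"host header '{header or '(none)'}'"))

    # Side effect of one SSL site on an IP shared with host-header sites: every
    # https://<other-name>/ request reaches that IP:443 and is answered with the
    # SSL site's certificate, so the browser warns about the name mismatch.
    ssl_by_ip = {b.ip: b for b in bindings if b.ssl}
    ssl_site_ips = {(b.ip, b.site) for b in bindings if b.ssl}
    for b in bindings:
        if b.ssl or not b.host_header or b.ip not in ssl_by_ip:
            continue
        if (b.ip, b.site) in ssl_site_ips:
            continue  # the SSL site's own port-80 binding
        s = ssl_by_ip[b.ip]
        findings.append(("info", f"https://{b.host_header}/ reaches {b.ip}:{s.port} and is "
                                 f"answered with {s.site}'s certificate (name-mismatch warning)"))
    return findings


def summary(bindings):
    """Count findings per severity."""
    counts = {"error": 0, "warning": 0, "info": 0}
    for severity, _ in check_bindings(bindings):
        counts[severity] += 1
    return counts


# Constructed tables. SHARED_IP mirrors the setup Neil reported as working: the
# secure site shares the IP of the host-header sites and was given a host header.
SHARED_IP = [
    Binding("www.test.samplesite.com", "10.0.0.10", 80, "www.test.samplesite.com", False),
    Binding("www.myothersite.com", "10.0.0.10", 80, "www.myothersite.com", False),
    Binding("secure.test.reedexpo.com", "10.0.0.10", 80, "secure.test.reedexpo.com", False),
    Binding("secure.test.reedexpo.com", "10.0.0.10", 443, "secure.test.reedexpo.com", True),
]
# DEDICATED_IP is the layout Paul recommends: the SSL site gets its own address.
DEDICATED_IP = [
    Binding("www.test.samplesite.com", "10.0.0.10", 80, "www.test.samplesite.com", False),
    Binding("www.myothersite.com", "10.0.0.10", 80, "www.myothersite.com", False),
    Binding("secure.test.reedexpo.com", "10.0.0.11", 80, "", False),
    Binding("secure.test.reedexpo.com", "10.0.0.11", 443, "", True),
]
# TWO_SSL is the port conflict WenJun describes: a second SSL site on the same IP:443.
TWO_SSL = DEDICATED_IP + [
    Binding("shop.test.reedexpo.com", "10.0.0.11", 443, "shop.test.reedexpo.com", True),
]

if __name__ == "__main__":
    for label, table in (("shared IP", SHARED_IP), ("dedicated IP", DEDICATED_IP),
                         ("two SSL sites", TWO_SSL)):
        print(f"== {label}")
        for severity, message in check_bindings(table) or [("ok", "no findings")]:
            print(f"  [{severity}] {message}")
```

The shared-IP table produces one warning (the ignored host header on the SSL binding) and two info lines, one per host-header site that is now reachable over https:// with the secure site's certificate, which is exactly the symptom Neil reports; the dedicated-IP table produces nothing, and the two-SSL-sites table produces the port-conflict error.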
What I mean is this...on the web server if I browse to
https://www.myothersite.com then a warning dialog pops up as expected
and the padlock does not appear - BUT you can still click on the space
where the padlock should be and you will still get the
secure.mysecuresite.com cert (which is the cert we are using for
secure.mysecuresite.com ).
My question is that a) you can click on a space where a padlock is not
appearing and you still get a cert detail dialog, and b) is it normal
that all sites are now available via HTTPS (albeit not certified) when
you add a new SSL site, even though we have not added Port 443 to the
other normal port 80 sites?
Thanks

WenJun Zhang[msft] 2004-04-21, 5:35 am
a) you can click on a space where a padlock is not appearing and you
still get a cert detail dialog and
b) is it normal that all sites are now available via HTTPS (albeit
not certified)
Both of them sound not so reasonable. Could you please show us
the scan result of SSLDiag?
v-wzhang@online.microsoft.com (remove online.) is my corp mailbox,
you can send mail to me directly if you have security concern on
publishing the data in public newsgroup.
Furthermore, don't forget to double-click the data fields(i.e
[W3SVC/1]), SSLDiag will open new window to test HTTPS communication.
SSL Diagnostics Version 1.0 (x86)
http://www.microsoft.com/downloads/...D=cabea1d0-5a10
-41bc-83d4-06c814265282&displaylang=en
Best regards,
WenJun Zhang
Microsoft Online Support
This posting is provided "AS IS" with no warranties, and confers no
rights.
Get Secure! - www.microsoft.com/security

Team Macromedia 2004-04-21, 2:36 pm
I will send this data offlist. Everything seems to be working fine -
the padlock still appearing for non-ssl sites is not so good - this
looks like a bug in IE.