SSL not working (IIS Server Security archive, February 2007)
| David Wang 2007-01-31, 7:19 pm |
| Use SSLDiag to diagnose your configuration.
http://www.microsoft.com/downloads/...&DisplayLang=en
http://servername/exchange fails probably because of your HTTP->HTTPS
redirection (and https://servername/exchange is the one configuration
that fails). Because if HTTP is working prior to enabling "requiring
SSL" will only cause a 403.4 error to be returned, not stop
responding.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
On Jan 30, 11:23 pm, "Tommy Forsman" <tofor...@hotmail.com> wrote:
> Hi
>
> Have tried to enable SSL on a SBS2003 but when I require SSL the website
> stops to respond.
>
> Have installed CA services
> Have created Certificate request
> Have "downloaded" the pending request
> Have appended the certificate to the default website
>
> But when I put a checkmark in Require Secure Channel both https://servername/exchange and http://servername/exchange stops responding
>
> Have used the http://www.msechange.org/tutorials/SSL_Enabling_OWA_2003.html
> as help
>
> What could be wrong?
> Tomppa
| |
| Tommy Forsman 2007-02-01, 7:22 am |
| I don't get any 403 error just "Internet Explorer cannot display the webpage"
SSLdiag only gives one error about certificatechain
Tomppa
"David Wang" <w3.4you@gmail.com> wrote in message
news:1170289221.032300.67910@a75g2000cwd.googlegroups.com...
> Use SSLDiag to diagnose your configuration.
>
> http://www.microsoft.com/downloads/...&DisplayLang=en
>
> http://servername/exchange fails probably because of your HTTP->HTTPS
> redirection (and https://servername/exchange is the one configuration
> that fails). Because if HTTP is working prior to enabling "requiring
> SSL" will only cause a 403.4 error to be returned, not stop
> responding.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
| |
| David Wang 2007-02-01, 7:22 pm |
| "Internet Explorer cannot display the webpage" is not the same as
"stops responding". To see the real error, you need to disable "Show
Friendly HTTP Errors" option in Internet Explorer. Please report the
real error.
SSLDiag must run clean.
Please give the real errors and full details of tool output so that
other people can attempt to help you.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
On Feb 1, 2:29 am, "Tommy Forsman" <tofor...@hotmail.com> wrote:
> I don't get any 403 error just "Internet Explorer cannot display the webpage"
>
> SSLdiag only gives one error about certificatechain
>
> Tomppa
>
> "David Wang" <w3.4...@gmail.com> wrote in message
>
> news:1170289221.032300.67910@a75g2000cwd.googlegroups.com...
| |
|
| Hi Tomppa,
I have to agree with David. SSLDiag is a pretty nice tool, and it's
saved me from many hair-pulling incidents. If it gives you an error,
you have to figure it out and fix it.
You indicated that it gave you an error about "certificatechain". I
suspect that you possibly may not have installed the CA's certificate(s)
into Windows?
Try double-clicking on the server cert that you got, then click on the
"Certification Path" tab. If you see any "red X", that means that the
server cert can't be validated to the root CA's cert.
Jim
David Wang wrote:
> "Internet Explorer cannot display the webpage" is not the same as
> "stops responding". To see the real error, you need to disable "Show
> Friendly HTTP Errors" option in Internet Explorer. Please report the
> real error.
>
> SSLDiag must run clean.
>
> Please give the real errors and full details of tool output so that
> other people can attempt to help you.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
| |
| Tommy Forsman 2007-02-02, 7:25 am |
| This is what SSLdiag says:
#WARNING:CertVerifyCertificateChainPolicy returned error -2146762480(0x800b0110)
#WARNING:Error 0x800b0110 : The server certificate is not valid for the requested usage
How to fix: Install or assign the correct type of certificate. In IIS
Manager, right-click the Web site, and then click Properties. On the
Directory Security tab, click Server Certificate. In the wizard, install or
assign a server certificate.
I disabled "Show Friendly HTTP Errors" but I still get "Internet Explorer
cannot display the webpage"
Thanks for helping me.
Tomppa
"David Wang" <w3.4you@gmail.com> wrote in message
news:1170369165.400489.241350@l53g2000cwa.googlegroups.com...
> "Internet Explorer cannot display the webpage" is not the same as
> "stops responding". To see the real error, you need to disable "Show
> Friendly HTTP Errors" option in Internet Explorer. Please report the
> real error.
>
> SSLDiag must run clean.
>
> Please give the real errors and full details of tool output so that
> other people can attempt to help you.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
| |
| Tommy Forsman 2007-02-02, 7:25 am |
| See my post to David for the errors
Certification path says that certificate is ok
Tomppa
"ohaya" <ohaya@cox.net> wrote in message
news:OEy5JVoRHHA.1000@TK2MSFTNGP05.phx.gbl...
> Hi Tomppa,
>
> I have to agree with David. SSLDiag is a pretty nice tool, and it's saved
> me from many hair-pulling incidents. If it gives you an error, you have
> to figure it out and fix it.
>
> You indicated that it gave you an error about "certificatechain". I
> suspect that you possibly may not have installed the CA's certificate(s)
> into Windows?
>
> Try double-clicking on the server cert that you got, then click on the
> "Certification Path" tab. If you see any "red X", that means that the
> server cert can't be validated to the root CA's cert.
>
> Jim
| |
| David Wang 2007-02-02, 7:19 pm |
| What type of certificate did you assign for SSL, and did you import
its private key into the LocalSystem's trusted store? You may want to
use a tool like SelfSSL from the IIS Resource Toolkit to set things up
automatically with a single command.
http://www.microsoft.com/downloads/...&DisplayLang=en
http://www.microsoft.com/windowsser...ls/default.mspx
Now, until you fix the error identified by SSLDiag:
1. https://servername/exchange -- will keep failing with "Internet
Explorer cannot display the webpage" since SSL connection failed to
establish because the Server's Certificate is not valid for server use
2. http://servername/exchange -- likely set up to auto-redirect from
HTTP->HTTPS, at which point it will also fail in the same way as above
after the redirection
3. *IF* http://servername/exchange is not set up to auto-redirect,
then you would have gotten a 403.4 error response when you configured
"SSL Required", which you would see if "Show Friendly HTTP Errors" is
disabled in Internet Explorer. Since you did not see this, you have
probably configured auto-redirection.
In other words, just fix your server certificate. Just because it's
"ok" doesn't mean it is suitable. It's like at Immigration at US
Borders - when Border Patrol asks you for a valid Passport, you can't
just give them your Driver's License, even though both are valid.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
On Feb 2, 3:39 am, "Tommy Forsman" <tofor...@hotmail.com> wrote:
> This is what SSLdiag says:
>
> #WARNING:CertVerifyCertificateChainPolicy returned error -2146762480(0x800b0110)
>
> #WARNING:Error 0x800b0110 : The server certificate is not valid for the requested usage
>
> How to fix: Install or assign the correct type of certificate. In IIS
> Manager, right-click the Web site, and then click Properties. On the
> Directory Security tab, click Server Certificate. In the wizard, install or
> assign a server certificate.
>
> I disabled "Show Friendly HTTP Errors" but I still get "Internet Explorer
> cannot display the webpage"
>
> Thanks for helping me.
> Tomppa
>
> "David Wang" <w3.4...@gmail.com> wrote in message
>
> news:1170369165.400489.241350@l53g2000cwa.googlegroups.com...
| |
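The distinction drawn above between a certificate that is "ok" and one that is suitable for server use can be checked directly; this is an added example, not part of the original thread or of SSLDiag. It assumes Windows PowerShell 3.0 or later, an elevated prompt on the web server, and that the site's certificate is in the LocalMachine\My store; the function name `Test-ServerCertificate` is made up for illustration.

```powershell
# Added example (not from the thread): report which certificates in the
# machine store can actually be used as an SSL server certificate.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication enhanced key usage

function Test-ServerCertificate {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )
    process {
        # EKU OIDs declared in the certificate itself. A certificate with no
        # EKU extension is not restricted to particular purposes.
        $ekuOids = @($Certificate.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })

        # Build the chain while demanding Server Authentication. A certificate
        # can chain to a trusted root and still fail this usage requirement.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep the check offline
        [void] $chain.ChainPolicy.ApplicationPolicy.Add(
            (New-Object System.Security.Cryptography.Oid $ServerAuthOid))
        $chainOk = $chain.Build($Certificate)
        $flags   = @($chain.ChainStatus | ForEach-Object { $_.Status })
        $wrongUsage = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::NotValidForUsage

        [pscustomobject]@{
            Subject       = $Certificate.Subject
            Thumbprint    = $Certificate.Thumbprint
            HasPrivateKey = $Certificate.HasPrivateKey   # IIS needs the private key too
            DeclaredEku   = if ($ekuOids.Count) { $ekuOids -join ', ' } else { '(none: all purposes)' }
            ChainValid    = $chainOk
            WrongUsage    = $flags -contains $wrongUsage
            ChainStatus   = $flags -join ', '
        }
    }
}

# Check every certificate in the computer's personal store.
Get-ChildItem Cert:\LocalMachine\My | Test-ServerCertificate | Format-List
```

A certificate that shows `WrongUsage : True` or `HasPrivateKey : False` cannot serve HTTPS even when its Certification Path tab shows no red X.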
| Tomppa 2007-02-03, 1:17 pm |
| Hi
I have followed these steps:
http://www.msechange.org/tutorials/...g_OWA_2003.html
Tomppa
"David Wang" <w3.4you@gmail.com> wrote in message
news:1170456055.615099.279510@h3g2000cwc.googlegroups.com...
> What type of certificate did you assign for SSL, and did you import
> its private key into the LocalSystem's trusted store? You may want to
> use a tool like SelfSSL from the IIS Resource Toolkit to set things up
> automatically with a single command.
> http://www.microsoft.com/downloads/...&DisplayLang=en
>
> http://www.microsoft.com/windowsser...ls/default.mspx
>
> Now, until you fix the error identified by SSLDiag:
>
> 1. https://servername/exchange -- will keep failing with "Internet
> Explorer cannot display the webpage" since SSL connection failed to
> establish because the Server's Certificate is not valid for server use
>
> 2. http://servername/exchange -- likely set up to auto-redirect from
> HTTP->HTTPS, at which point it will also fail in the same way as above
> after the redirection
>
> 3. *IF* http://servername/exchange is not set up to auto-redirect,
> then you would have gotten a 403.4 error response when you configured
> "SSL Required", which you would see if "Show Friendly HTTP Errors" is
> disabled in Internet Explorer. Since you did not see this, you have
> probably configured auto-redirection.
>
> In other words, just fix your server certificate. Just because it's
> "ok" doesn't mean it is suitable. It's like at Immigration at US
> Borders - when Border Patrol asks you for a valid Passport, you can't
> just give them your Driver's License, even though both are valid.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //