2

I have been trying to install a UCC SSL certificate from GoDaddy on our servers. I have been able to successfully create the CSR on the main server (IIS6) and had it approved by GoDaddy. Then for testing purposes I added another domain to the certificate and exported it onto our test server. The test server is newer and has IIS7, but getting the certificate to install and work was a relatively painless process when following the instructions provided on the GoDaddy site.

This is where I start to run into problems. My next step was to attempt to get HTTPS going on our main server with another one of our test sites. I followed the same process and added the new domain to the certificate and had it approved. Then I went back onto the server and followed the instructions provided by GoDaddy for IIS6 installation. The only problem is, it doesn't work.

If I try to surf to the site using HTTPS, Firefox gives an "unable to connect" error (Fiddler says this is a 502 error).

I've tried netstat and I can see that localhost is listening on port 443.

I've checked the firewall and can see that an exception exists for this port.

I can telnet to the server on that port from my local machine.

I've tried using a specific IP and using * All Unassigned *.

I've tried using a different port (added an exception on the firewall for it and put the port in the url).

I've tried running this from the command line: cscript.exe adsutil.vbs set /w3svc//SecureBindings ":443:"

I've checked that the certificate has a private key.

I've gone looking for the logs but the ones I have found don't tell me anything about why the page is failing to load.

So far nothing has worked. It is beyond me why something that "just works" in IIS7 seems so frustratingly difficult in IIS6.

So I guess my question is, what else can I try and/or how do I debug this?

Developer
  • Normally just works. Does https://ip.addr.es.s work on the local computer? (ignoring any "cert name invalid" errors) – TristanK Apr 19 '11 at 07:01

1 Answer

1

Normally just works.

Does https to the IP address work from a browser on the local computer? (ignoring any "cert name invalid" errors). You could also try WFETCH from a client computer or the server (part of the IIS 6 Resource Kit tools - it's not susceptible to proxy hijacking and weirdo WinInet behaviour - like Telnet).

Also, keep in mind that a 502 can be a proxy error - you may need to add the site to the proxy exceptions list if it's an FQDN (both on the clients and the server itself), or the browser might be trying to go the long way around to something that might not exist yet.

TristanK
  • Yeah, the IP address does work from the local machine (ignoring the bad domain name error)... now. I'm not sure what I did yesterday to make it work because I did try that at one point and it wasn't working. Actually I was telnetting to the IP address also. I just tried the domain name and it doesn't work. – Developer Apr 19 '11 at 23:49
  • Sounds like it's a name resolution problem. Ping the name. If the name resolves to the same IP as you're testing, name resolution is OK and you probably have a proxy problem, in which case disable ALL proxy settings in your browser and retest (simplest place to start). If it doesn't resolve to the same IP, you need to fix that first. – TristanK Apr 20 '11 at 01:54
  • Yeah, I think you are right. When I ping the domain the IP that comes back is not the same as the actual server IP. This is not the case on the backup server (i.e. the IPs match and HTTPS works). Looking into this now. – Developer Apr 20 '11 at 02:49
  • It seems that a load balancer was set up a few weeks ago and it doesn't appear to be forwarding traffic on port 443. I am attempting to get another rule added. Hopefully that will resolve the problem. – Developer Apr 21 '11 at 00:32
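
The checks worked through in this thread (HTTPS by IP, name resolution compared with the server's IP, then whatever sits in front of the server) can be scripted. The following is an added example, not code from the question or the answer. The function names and verdict labels are assumptions made for illustration, and it assumes the server offers a TLS version the local Python build still accepts. Certificate verification is switched off only because the probe connects by IP address.

```python
import socket
import ssl
import sys

def resolve(name):
    """IPv4 addresses the name resolves to (empty set if it does not resolve)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}
    except OSError:
        return set()

def tls_probe(ip, port=443, sni=None, timeout=5):
    """TLS handshake straight to ip:port, bypassing any browser proxy settings."""
    ctx = ssl.create_default_context()
    # Diagnostic only: a name mismatch is expected when probing by IP address.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni):
                return True
    except OSError:  # refused, timed out, or handshake failure (ssl.SSLError)
        return False

def diagnose(name, server_ip, port=443, resolver=resolve, probe=tls_probe):
    """Return (verdict, hint) following the checks discussed in the thread."""
    if not probe(server_ip, port, name):
        return "server", f"TLS fails on {server_ip}:{port} itself; check the site binding and certificate"
    addrs = resolver(name)
    if not addrs:
        return "resolution", f"{name} does not resolve"
    if server_ip in addrs:
        return "proxy", "name and server IP match and TLS works; check client proxy settings"
    # The name points somewhere else (for example a load balancer): probe that.
    dead = sorted(ip for ip in addrs if not probe(ip, port, name))
    if dead:
        return "front-end", f"{name} -> {dead} does not pass port {port} to {server_ip}"
    return "resolution", f"{name} -> {sorted(addrs)} answers on {port} but is not {server_ip}"

if __name__ == "__main__":
    # Usage: python diagnose.py www.example.com 192.0.2.20
    print(*diagnose(sys.argv[1], sys.argv[2]), sep=": ")
```

A "front-end" verdict corresponds to the situation found at the end of the thread: the server answers on 443 by IP, but the address the name resolves to does not.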