Case Study: SSL does not work in IIS 7.5 after server reboots
The user reported that he could not access the web site over HTTPS; the browser showed the “Page cannot be displayed” error message.
At first we could not find any abnormal clues in the output of the “certutil -verifystore” and “netsh http show sslcert” commands.
We opened Site Bindings for the web site in IIS Manager, then opened Edit Site Binding for the HTTPS binding. After we clicked the OK button without modifying any settings, the user could access the site with HTTPS.
The next day the user reported that the issue had occurred again. We noticed that the issue always re-occurred after the server rebooted. In the event log a Schannel error appeared during the reboot:
Log Name: System
Source: Schannel
Event ID: 36870
Level: Error
Description: A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10001.
The problem was solved by deleting the certificate and then importing it.
After discussing with the user, we finally realized that he had incorrectly imported the certificate into the CurrentUser store and then used the drag-and-drop method in the MMC Certificates snap-in to move it to the Local Computer store. After that, the problem occurred.
This issue can be reproduced.
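The checks described above (the HTTPS bindings, whether the bound certificate's private key actually opens from the machine context, and the Schannel 36870 events since the last boot) can be gathered in one pass. The following script is an added example, not part of the original post; it assumes Windows PowerShell 5.1 with .NET Framework 4.6 or later, run in an elevated session on the IIS host.

```powershell
# Added diagnostic script, not from the original post. Assumes Windows PowerShell 5.1
# (.NET Framework 4.6+) in an elevated session on the IIS host.

function Get-SslBindingHashes {
    # Parse the SHA-1 hashes that HTTP.sys has bound to HTTPS endpoints.
    $out = netsh http show sslcert
    foreach ($line in $out) {
        if ($line -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})') { $Matches[1].ToUpper() }
    }
}

function Test-MachineCertPrivateKey {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
    $result = [ordered]@{ Thumbprint = $Thumbprint; InMachineStore = [bool]$cert
                          HasPrivateKey = $false; KeyOpens = $false; Error = $null }
    if ($cert) {
        $result.HasPrivateKey = $cert.HasPrivateKey
        try {
            # Schannel must open the key from the machine context at boot; a key container
            # that lives only under a user profile (the drag-and-drop case) fails here.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            $result.KeyOpens = ($null -ne $rsa)
        } catch { $result.Error = $_.Exception.Message }
    } else { $result.Error = 'Certificate not found in LocalMachine\My' }
    [pscustomobject]$result
}

function Get-SchannelKeyErrorsSinceBoot {
    # Event 36870 is the one quoted in the post; keep only entries since the last boot.
    $boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36870; StartTime = $boot } -ErrorAction SilentlyContinue
}

$events = @(Get-SchannelKeyErrorsSinceBoot)
"Schannel 36870 events since boot: $($events.Count)"
Get-SslBindingHashes | Sort-Object -Unique | ForEach-Object { Test-MachineCertPrivateKey -Thumbprint $_ } |
    Format-Table -AutoSize
```

A binding whose certificate shows HasPrivateKey as true but KeyOpens as false, together with 36870 events after the reboot, matches the symptom described in this case; a certificate that is missing from LocalMachine\My altogether points at the wrong store.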
Conclusion:
1. Schannel event logging is very useful. Fortunately, these error messages are logged by default.
How to enable Schannel event logging in IIS
https://support.microsoft.com/kb/260729
2. Do *NOT* use the drag-and-drop method in the MMC Certificate snap-in to move the certificate to the Local Computer store.
See “More Information” section in the following article:
https://support.microsoft.com/kb/817854
3. Another public blog article also mentions this issue, though it seems to report a different error code:
SSL stops working in IIS7
https://blogs.msdn.com/b/mike/archive/2009/02/06/ssl-stops-working-in-iis7.aspx
Regards,
Xin Jin from APGC DSI Team
Comments
- Anonymous
October 30, 2013
Thanks, this saved my bacon. Couldn't figure out what was happening to my IIS server.
- Anonymous
June 24, 2016
Thanks, it helped me too. Still a problem in 2016.