Renewal problem: Site now will not load


#1

Hello folks:

Renewing https://fundamentalobjects.com today.

I am on Windows 2008 R2 server.

I followed all steps used when creating the original cert.

  • Cert created ok.
  • .pfx created ok.
  • imported .pfx into Server Certificates ok.
  • the newly updated expiration date range shows on the cert.
  • restarted, renewed, refreshed, recycled everything in IIS multiple times.
  • rebooted twice.

When I try to open the page I get:

Secure Connection Failed
The connection to the server was reset while the page was loading.
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.


I even see this directly within IIS when browsing the site (never leaving the box).

Any thoughts on what I’m forgetting?

Thank you!

Newly updated dates: (screenshot not reproduced)
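
Added example, not part of the original post or any reply: a PowerShell script that reproduces the failing handshake from the outside. Run it from any Windows machine with .NET 4.5 or later (the Tls11/Tls12 enum names do not exist on .NET 3.5, and those attempts will simply report as failed). It tries one TLS handshake per protocol version against the server and reports either the certificate that came back or the innermost Schannel/socket error. If every version fails with a reset or closed connection, the server is not completing any handshake at all (binding or certificate store); if only some versions fail, protocol settings are the more likely cause. Only the host name is taken from the thread; everything else is assumed.

```powershell
# Added example (not the poster's code). Probe a server's TLS handshake per
# protocol version from a client. Requires .NET 4.5+ for Tls11/Tls12.
$serverName = 'fundamentalobjects.com'   # host name from the thread

function Test-TlsHandshake {
    param(
        [string]$ServerName,
        [string]$Protocol,          # 'Tls', 'Tls11' or 'Tls12' (SslProtocols enum names)
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ServerName, $Port)
        # Accept any server certificate: we are diagnosing the handshake, not trusting the site.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($ServerName, $null,
            [System.Security.Authentication.SslProtocols]$Protocol, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        New-Object PSObject -Property @{
            Protocol = $Protocol
            Result   = 'handshake OK'
            Cipher   = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            Subject  = $cert.Subject
            NotAfter = $cert.NotAfter
        }
    } catch {
        # The innermost exception carries the useful detail (e.g. "connection was reset").
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }
        New-Object PSObject -Property @{
            Protocol = $Protocol
            Result   = "FAILED: $($ex.Message)"
            Cipher   = ''
            Subject  = ''
            NotAfter = ''
        }
    } finally {
        $client.Close()
    }
}

'Tls', 'Tls11', 'Tls12' |
    ForEach-Object { Test-TlsHandshake -ServerName $serverName -Protocol $_ } |
    Format-Table Protocol, Result, Cipher, Subject, NotAfter -AutoSize
```

Run it before and after each change to the server so you can see whether a given edit actually moved the failure. A result of "handshake OK" with the new NotAfter date is the end state you want on every version the server is meant to offer.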


#2

Hi @LEForTheWin

Mhm. I see the SendFailure error:

SendFailure - The underlying connection was closed: An unexpected error occurred on a send.

Your http connections are ok, both (www and non-www) redirects to https.

So it looks like your configuration is wrong. Can you create a screenshot of one of your https bindings?

Is it possible that you have deactivated all your TLS-protocols?

Perhaps use IISCrypto ( https://www.nartac.com/Products/IISCrypto ) to check if TLS 1.0, 1.1 and 1.2 are active.

Or you have selected completely wrong cipher suites.
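
Added example, not from the reply above or from IIS Crypto itself: a read-only PowerShell script that dumps the Schannel registry settings IIS Crypto edits on Windows 2008 R2, so you can answer the "are all protocols deactivated?" and "wrong cipher suites?" questions without guessing. Run it from an elevated PowerShell prompt on the IIS host. The registry paths are the documented Schannel locations; the interpretation comments are the standard meaning of the Enabled and DisabledByDefault values.

```powershell
# Added example (not the poster's code). Read-only dump of Schannel protocol,
# cipher and cipher-suite-order settings on a Windows 2008 R2 / IIS 7.5 host.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelProtocolState {
    # Server-side values per protocol. Enabled = 0 switches the protocol off;
    # DisabledByDefault = 1 means it is not offered unless an application asks
    # for it. 'not set' means the Windows default applies for that protocol.
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $keyPath = Join-Path $schannel "Protocols\$proto\Server"
        $enabled = 'not set'
        $disabledByDefault = 'not set'
        if (Test-Path $keyPath) {
            $key = Get-Item $keyPath
            $v = $key.GetValue('Enabled')
            if ($v -ne $null) { $enabled = $v }
            $v = $key.GetValue('DisabledByDefault')
            if ($v -ne $null) { $disabledByDefault = $v }
        }
        New-Object PSObject -Property @{ Protocol = $proto; Enabled = $enabled; DisabledByDefault = $disabledByDefault }
    }
}

function Get-DisabledSchannelAlgorithms {
    # Ciphers and hashes explicitly disabled (Enabled = 0). Uses RegistryKey.GetValue
    # because key names such as 'RC4 128/128' contain a slash that breaks Get-ItemProperty.
    foreach ($section in 'Ciphers', 'Hashes') {
        $root = Join-Path $schannel $section
        if (-not (Test-Path $root)) { continue }
        foreach ($sub in Get-ChildItem -Path $root) {
            if ($sub.GetValue('Enabled') -eq 0) {
                New-Object PSObject -Property @{ Section = $section; Algorithm = $sub.PSChildName }
            }
        }
    }
}

function Get-CipherSuiteOrder {
    # Cipher suite order, if one has been set: the Group Policy key first, then the
    # local key IIS Crypto writes. Empty result = Windows default order.
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002',
        'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
    )
    foreach ($keyPath in $keys) {
        if (-not (Test-Path $keyPath)) { continue }
        $functions = (Get-Item $keyPath).GetValue('Functions')
        if ($functions -eq $null) { continue }
        # REG_SZ is comma separated; REG_MULTI_SZ is already an array. -split handles both.
        $suites = @($functions -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if ($suites.Count -gt 0) {
            New-Object PSObject -Property @{ Source = $keyPath; Suites = $suites }
        }
    }
}

'== Protocols (Server side) =='
Get-SchannelProtocolState | Format-Table Protocol, Enabled, DisabledByDefault -AutoSize
'== Explicitly disabled ciphers / hashes =='
Get-DisabledSchannelAlgorithms | Format-Table Section, Algorithm -AutoSize
'== Cipher suite order =='
$orders = @(Get-CipherSuiteOrder)
if ($orders.Count -eq 0) { 'none set (Windows default order)' }
foreach ($o in $orders) { $o.Source; $o.Suites | ForEach-Object { "  $_" } }
```

If every TLS protocol shows Enabled = 0, or the only suites left in the order list need a key type the certificate does not have, that alone explains a reset before any HTTP data is exchanged. Changes to these keys take effect after a reboot, which matches the "rebooted twice" step in the original post.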


#3

Which version of IIS?


#4

Thank you for the response @JuergenAuer!

Below are the bindings.

These two sites are on the same cert (same IP) as they originally were.

Short of any (stupid) Microsoft-auto server updates,
the server was unchanged by me since the initial cert was created 90 days ago.

I literally changed nothing in the LE64 script run the first time,
other than to add -name funobj as a user-friendly name during .pfx creation.

(I retried the whole thing with -name removed as well).


#5

I am looking at IIS Crypto now.


#6

Thanks. But what’s the content of one binding?

With Windows 2008, you can have only one certificate.

And host names are ignored, because Windows 2008 doesn’t support SNI.

You need one 443 binding with one certificate (with 4 domain names).

Perhaps the certificates are removed from the binding -> no certificate, no https.


#7

Any rethinking of the drop to 3 months for cert life?

Thanks.

How did it work the prior 3 months?


#8

Did you add the cert from within IIS?
Which version of IIS are you running?


#9

Hello @rg305

I am using IIS 7.5.7600.16385

Yes, I IMPORTED the .pfx from within IIS -> Server Certificates.
It shows there OK.

Note – if you just click the .pfx in Windows Explorer to load it (as I have seen recommended) that will pop through to a "successfully added" message; BUT, the cert does not really load into Server Certificates. You have to right click in there and choose Import… to get it to actually work.


#10

IIS 7.5 doesn’t support SNI.
If both HTTPS sites go to the same folder, try deleting one of them.
Also try unbinding the cert and apply that change, then bind it back.
IIS is notorious for not playing as expected.


#11

Just notes:

I get that IIS sucks.
Part of my effort here is to get Let’s Encrypt working on Windows as part of a guide to help people stage off of Windows servers onto Linux (#Debian).

I guess I still don’t see why it worked the first 3 months and broke only when reapplying the cert – but I will try to remove and reapply the bindings.

Notes:

  • I only have/desire one cert. Both domains are on the one cert; to work on the one IP.

  • Each domain points to a separate home folder.

  • Nothing is different from when this was set up 3 months ago other than normal Windows updates and renewing the LE certificate.

Thanks


#12

If you only click, then the certificate is loaded in the “CurrentUser” Personal certificates. Not in the Machine\Webhosting.
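
Added example, not from any of the replies: a read-only PowerShell script that checks the three things posts #6, #9, #10 and #12 are circling around. It lists every certificate for the two domain names in LocalMachine\My (the store IIS actually uses) and in CurrentUser\My (where a double-clicked .pfx lands), shows whether each copy has a private key, and then parses `netsh http show sslcert` to see which certificate hash http.sys has bound to port 443 and compares it with the machine-store thumbprints. Run it elevated on the IIS host. Assumptions: English-language Windows (the netsh labels are matched as English text) and the two domain names from the thread.

```powershell
# Added example (not the poster's code). Where did the renewed .pfx land, does the
# machine copy have a private key, and what is http.sys actually bound to on :443?
$domains = 'fundamentalobjects.com', 'www.fundamentalobjects.com'   # names from the thread

function Get-CertsForDomain {
    param([string[]]$Names)
    foreach ($store in 'LocalMachine', 'CurrentUser') {
        foreach ($cert in Get-ChildItem "Cert:\$store\My") {
            # Subject Alternative Name extension (OID 2.5.29.17) holds the DNS names.
            $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
            $sanText = ''
            if ($san) { $sanText = $san.Format($false) }
            $hits = @($Names | Where-Object {
                $cert.Subject -match [regex]::Escape($_) -or $sanText -match [regex]::Escape($_) })
            if ($hits.Count -gt 0) {
                New-Object PSObject -Property @{
                    Store         = $store
                    Thumbprint    = $cert.Thumbprint
                    NotAfter      = $cert.NotAfter
                    HasPrivateKey = $cert.HasPrivateKey
                    Names         = ($hits -join ', ')
                }
            }
        }
    }
}

function Get-HttpSslBindings {
    # Parse 'netsh http show sslcert' into one object per IP:port binding.
    $bindings = @()
    $current = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            $current = New-Object PSObject -Property @{ IPPort = $matches[1]; Hash = ''; Store = '' }
            $bindings += $current
        } elseif ($current -ne $null -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
            $current.Hash = $matches[1].ToUpper()
        } elseif ($current -ne $null -and $line -match '^\s*Certificate Store Name\s*:\s*(\S*)') {
            $current.Store = $matches[1]
        }
    }
    $bindings
}

$certs = @(Get-CertsForDomain -Names $domains)
"== Certificates for $($domains -join ', ') =="
$certs | Format-Table Store, Thumbprint, NotAfter, HasPrivateKey, Names -AutoSize

$bindings = @(Get-HttpSslBindings)
'== http.sys SSL bindings =='
$bindings | Format-Table IPPort, Hash, Store -AutoSize

# The bound hash must be the thumbprint of a LocalMachine\My certificate that has a
# private key; otherwise http.sys cannot complete the handshake and clients see a reset.
$usable = @($certs | Where-Object { $_.Store -eq 'LocalMachine' -and $_.HasPrivateKey })
if ($bindings.Count -eq 0) { 'PROBLEM: http.sys has no SSL bindings at all' }
foreach ($b in $bindings) {
    if ($b.IPPort -notmatch ':443$') { continue }
    $bound = $usable | Where-Object { $_.Thumbprint -eq $b.Hash }
    if ($bound) {
        "OK: $($b.IPPort) -> $($b.Hash) (LocalMachine\My, private key present, expires $($bound.NotAfter))"
    } else {
        "PROBLEM: $($b.IPPort) -> hash '$($b.Hash)' is not a LocalMachine\My certificate with a private key"
    }
}
```

The typical failure pattern after a renewal is a binding whose hash still points at the old (now deleted or expired) certificate, or a new certificate that exists only in CurrentUser\My. In either case the fix is the one the thread converges on: import the .pfx via IIS -> Server Certificates so it lands in LocalMachine\My with its key, then remove and re-add the single 443 binding so it picks up the new thumbprint.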


#13

Then you need to bind it only once.
[at least until you get to IIS8 or greater]