Case Study: SSL does not work in IIS 7.5 after server reboots

The user reported that he could not access the web site over HTTPS; the browser only showed a “Page cannot be displayed” error.

At first we could not find any abnormal clues in the output of the “certutil -verifystore” and “netsh http show sslcert” commands.

We opened Site Bindings for the web site in IIS Manager, then opened Edit Site Binding for the https binding.

After we clicked the OK button without modifying any settings, the user could access the site with HTTPS.

The next day the user reported that the issue had occurred again. We noticed that it always reoccurred after the server rebooted, and that a Schannel error appeared in the event log during the reboot:

Log Name: System
Source: Schannel
Event ID: 36870
Level: Error
Description:
A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10001.

The problem was solved by deleting the certificate and then importing it again.

After discussing it with the user, we finally realized that he had incorrectly imported the certificate into the CurrentUser store and then used drag-and-drop in the MMC Certificates snap-in to move it to the Local Computer store. That is when the problem started.

This issue can be reproduced.
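To make the diagnosis above repeatable, here is an added PowerShell check (my own example, not part of the original case study) that ties together the “netsh http show sslcert” output, the Local Computer certificate store and the Schannel 36870 event. A certificate dragged from CurrentUser to LocalMachine keeps its private key in the user's profile, so it looks healthy while that user is logged on but is unusable by the machine after a reboot; the script reports where the key actually lives. It assumes an elevated Windows PowerShell 5.1 session (.NET 4.6 or later) on the IIS host, English netsh output, and that the binding to inspect is `0.0.0.0:443` (the `$IpPort` parameter and that default are mine).

```powershell
<#
  Added example, not from the original case study: check whether the certificate
  bound to an IIS HTTPS port has a private key that the *machine* can use.
  Assumptions: elevated Windows PowerShell 5.1 (.NET 4.6+) on the IIS host,
  English "netsh" output, and the binding address in $IpPort (the default
  0.0.0.0:443 is a constructed value).
#>
param(
    [string]$IpPort = '0.0.0.0:443'
)

# 1. Ask HTTP.sys which certificate is bound to the port (the same data the
#    case study examined with "netsh http show sslcert").
$sslcert   = netsh http show sslcert ipport=$IpPort
$hashLine  = $sslcert | Select-String 'Certificate Hash\s*:\s*([0-9a-fA-F]{40})' | Select-Object -First 1
if (-not $hashLine) { throw "No SSL certificate binding found for $IpPort" }
$thumbprint = $hashLine.Matches[0].Groups[1].Value

# 2. The binding must resolve to a certificate in the Local Computer Personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "Bound certificate $thumbprint is not present in Cert:\LocalMachine\My" }

# 3. The private key must exist AND be stored in the machine key store. A
#    certificate moved by drag-and-drop from CurrentUser keeps its key container
#    in the user's profile; Schannel (running as SYSTEM) cannot open it after a
#    reboot and logs event 36870 with 0x8009030d.
$keyInMachineStore = $false
$keyError = $null
if ($cert.HasPrivateKey) {
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $keyInMachineStore = $rsa.CspKeyContainerInfo.MachineKeyStore   # legacy CAPI key
        }
        elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
            $keyInMachineStore = $rsa.Key.IsMachineKey                      # CNG key
        }
    }
    catch {
        $keyError = $_.Exception.Message   # key is referenced but cannot be opened
    }
}

# 4. Corroborate with the Schannel event the case study found after each reboot.
$schannelEvents = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36870 } `
                    -MaxEvents 5 -ErrorAction SilentlyContinue)
$lastEvent = if ($schannelEvents.Count -gt 0) { $schannelEvents[0].TimeCreated } else { $null }

if ($cert.HasPrivateKey -and $keyInMachineStore -and -not $keyError) {
    $verdict = 'OK: private key is in the machine key store'
}
else {
    $verdict = 'FAIL: the machine cannot use the private key; delete the certificate and import the PFX directly into Local Computer\Personal'
}

[pscustomobject]@{
    IpPort            = $IpPort
    Thumbprint        = $thumbprint
    Subject           = $cert.Subject
    HasPrivateKey     = $cert.HasPrivateKey
    KeyInMachineStore = $keyInMachineStore
    KeyError          = $keyError
    Schannel36870     = $schannelEvents.Count
    LastSchannelError = $lastEvent
    Verdict           = $verdict
}
```

The important signal is `KeyInMachineStore`: `HasPrivateKey` alone is misleading in this scenario, because the certificate still references a key container, just one that only the importing user's profile can reach. Running the script from the same account that did the drag-and-drop therefore still reports the problem, which a manual `certutil -verifystore` check from that account does not.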

Conclusion:

1. Schannel event logging is very useful. Fortunately these error messages are logged by default.

How to enable Schannel event logging in IIS

https://support.microsoft.com/kb/260729

2. Do *NOT* use the drag-and-drop method in the MMC Certificate snap-in to move the certificate to the Local Computer store.

See the “More Information” section in the following article:

https://support.microsoft.com/kb/817854

3. Another public blog article also mentions this issue, but it seems to involve a different error code:

SSL stops working in IIS7

https://blogs.msdn.com/b/mike/archive/2009/02/06/ssl-stops-working-in-iis7.aspx

Regards,

Xin Jin from APGC DSI Team