This is in our development environment: routing server, single web server, no reverse proxy. The certificate (self-signed by the ARR server) expired. I deleted the old certificate and generated a new one. I have installed it on both the ARR server and the IIS web server through IIS Manager / Server Certificates. However, when I try using HTTPS I get a 502.3 error with an error code of 2147954575 from the ARR module. I don't find any errors on the web server. Failed request tracing is enabled for both servers. Also, tracing the TLS frames:
Frame: Number = 1456, Captured Frame Length = 250, MediaType = NetEvent
+ NetEvent:
+ MicrosoftWindowsNDISPacketCapture: Packet Fragment (149 (0x95) bytes)
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-0C-29-68-01-37],SourceAddress:[00-0C-29-B8-A8-CB]
+ Ipv4: Src = 192.168.12.33, Dest = 192.168.12.35, Next Protocol = TCP, Packet ID = 13558, Total IP Length = 135
+ Tcp: [Bad CheckSum]Flags=...AP..., SrcPort=57665, DstPort=HTTPS(443), PayloadLen=95, Seq=2766570175 - 2766570270, Ack=472739393, Win=256 (scale factor 0x8) = 65536
  TLSSSLData: Transport Layer Security (TLS) Payload Data
- TLS: TLS Rec Layer-1 HandShake: Client Hello.
  - TlsRecordLayer: TLS Rec Layer-1 HandShake:
      ContentType: HandShake:
    - Version: TLS 1.0
        Major: 3 (0x3)
        Minor: 1 (0x1)
      Length: 90 (0x5A)
    - SSLHandshake: SSL HandShake ClientHello(0x01)
        HandShakeType: ClientHello(0x01)
        Length: 86 (0x56)
      - ClientHello: TLS 1.0
        + Version: TLS 1.0
        + RandomBytes:
          SessionIDLength: 0 (0x0)
          CipherSuitesLength: 24
        + TLSCipherSuites: TLS_RSA_WITH_AES_128_CBC_SHA { 0x00, 0x2F }
        + TLSCipherSuites: TLS_RSA_WITH_AES_256_CBC_SHA { 0x00, 0x35 }
        + TLSCipherSuites: TLS_RSA_WITH_RC4_128_SHA { 0x00,0x05 }
        + TLSCipherSuites: TLS_RSA_WITH_3DES_EDE_CBC_SHA { 0x00,0x0A }
        + TLSCipherSuites: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA { 0xC0,0x13 }
        + TLSCipherSuites: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA { 0xC0,0x14 }
        + TLSCipherSuites: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA { 0xC0,0x09 }
        + TLSCipherSuites: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA { 0xC0,0x0A }
        + TLSCipherSuites: TLS_DHE_DSS_WITH_AES_128_CBC_SHA { 0x00, 0x32 }
        + TLSCipherSuites: TLS_DHE_DSS_WITH_AES_256_CBC_SHA { 0x00, 0x38 }
        + TLSCipherSuites: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA { 0x00,0x13 }
        + TLSCipherSuites: TLS_RSA_WITH_RC4_128_MD5 { 0x00,0x04 }
          CompressionMethodsLength: 1 (0x1)
          CompressionMethods: 0 (0x0)
          ExtensionsLength: 21 (0x15)
        + ClientHelloExtension: Renegotiation Info(0xFF01)
        + ClientHelloExtension: Elliptic Curves(0x000A)
        + ClientHelloExtension: EC Point Formats(0x000B)

Frame: Number = 1470, Captured Frame Length = 1023, MediaType = NetEvent
+ NetEvent:
+ MicrosoftWindowsNDISPacketCapture: Packet Fragment (922 (0x39A) bytes)
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-0C-29-B8-A8-CB],SourceAddress:[00-0C-29-68-01-37]
+ Ipv4: Src = 192.168.12.35, Dest = 192.168.12.33, Next Protocol = TCP, Packet ID = 14274, Total IP Length = 908
+ Tcp: Flags=...AP..., SrcPort=HTTPS(443), DstPort=57665, PayloadLen=868, Seq=472739393 - 472740261, Ack=2766570270, Win=256 (scale factor 0x8) = 65536
  TLSSSLData: Transport Layer Security (TLS) Payload Data
- TLS: TLS Rec Layer-1 HandShake: Server Hello. Certificate. Server Hello Done.
  - TlsRecordLayer: TLS Rec Layer-1 HandShake:
      ContentType: HandShake:
    - Version: TLS 1.0
        Major: 3 (0x3)
        Minor: 1 (0x1)
      Length: 863 (0x35F)
    - SSLHandshake: SSL HandShake Server Hello Done(0x0E)
        HandShakeType: ServerHello(0x02)
        Length: 77 (0x4D)
      + ServerHello: 0x1
        HandShakeType: Certificate(0x0B)
        Length: 774 (0x306)
      + Cert: 0x1
        HandShakeType: Server Hello Done(0x0E)
        Length: 0 (0x0)

Frame: Number = 1489, Captured Frame Length = 481, MediaType = NetEvent
+ NetEvent:
+ MicrosoftWindowsNDISPacketCapture: Packet Fragment (380 (0x17C) bytes)
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-0C-29-68-01-37],SourceAddress:[00-0C-29-B8-A8-CB]
+ Ipv4: Src = 192.168.12.33, Dest = 192.168.12.35, Next Protocol = TCP, Packet ID = 13559, Total IP Length = 366
+ Tcp: [Bad CheckSum]Flags=...AP..., SrcPort=57665, DstPort=HTTPS(443), PayloadLen=326, Seq=2766570270 - 2766570596, Ack=472740261, Win=253 (scale factor 0x8) = 64768
  TLSSSLData: Transport Layer Security (TLS) Payload Data
- TLS: TLS Rec Layer-1 HandShake: Client Key Exchange.; TLS Rec Layer-2 Cipher Change Spec; TLS Rec Layer-3 HandShake: Encrypted Handshake Message.
  - TlsRecordLayer: TLS Rec Layer-1 HandShake:
      ContentType: HandShake:
    - Version: TLS 1.0
        Major: 3 (0x3)
        Minor: 1 (0x1)
      Length: 262 (0x106)
    - SSLHandshake: SSL HandShake Client Key Exchange(0x10)
        HandShakeType: Client Key Exchange(0x10)
        Length: 258 (0x102)
        ClientKeyExchange: Binary Large Object (258 Bytes)
  - TlsRecordLayer: TLS Rec Layer-2 Cipher Change Spec
      ContentType: Cipher Change Spec
    - Version: TLS 1.0
        Major: 3 (0x3)
        Minor: 1 (0x1)
      Length: 1 (0x1)
    + ChangeCipherSpec: 0x1
  - TlsRecordLayer: TLS Rec Layer-3 HandShake:
      ContentType: HandShake:
    - Version: TLS 1.0
        Major: 3 (0x3)
        Minor: 1 (0x1)
      Length: 48 (0x30)
    - SSLHandshake: SSL HandShake Client Key Exchange(0x10)
        EncryptedHandshakeMessage: Binary Large Object (48 Bytes)

Frame: Number = 1503, Captured Frame Length = 214, MediaType = NetEvent
+ NetEvent:
+ MicrosoftWindowsNDISPacketCapture: Packet Fragment (113 (0x71) bytes)
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-0C-29-B8-A8-CB],SourceAddress:[00-0C-29-68-01-37]
+ Ipv4: Src = 192.168.12.35, Dest = 192.168.12.33, Next Protocol = TCP, Packet ID = 14275, Total IP Length = 99
+ Tcp: Flags=...AP..., SrcPort=HTTPS(443), DstPort=57665, PayloadLen=59, Seq=472740261 - 472740320, Ack=2766570596, Win=255 (scale factor 0x8) = 65280
  TLSSSLData: Transport Layer Security (TLS) Payload Data
- TLS: TLS Rec Layer-1 Cipher Change Spec; TLS Rec Layer-2 HandShake: Encrypted Handshake Message.
  - TlsRecordLayer: TLS Rec Layer-1 Cipher Change Spec
      ContentType: Cipher Change Spec
    - Version: TLS 1.0
        Major: 3 (0x3)
        Minor: 1 (0x1)
      Length: 1 (0x1)
    + ChangeCipherSpec: 0x1
  - TlsRecordLayer: TLS Rec Layer-2 HandShake:
      ContentType: HandShake:
    - Version: TLS 1.0
        Major: 3 (0x3)
        Minor: 1 (0x1)
      Length: 48 (0x30)
    - SSLHandshake: SSL HandShake
        EncryptedHandshakeMessage: Binary Large Object (48 Bytes)

Then I get TCP packets being sent to the web server with bad checksums.

Frame: Number = 1522, Captured Frame Length = 155, MediaType = NetEvent
+ NetEvent:
+ MicrosoftWindowsNDISPacketCapture: Packet Fragment (54 (0x36) bytes)
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-0C-29-68-01-37],SourceAddress:[00-0C-29-B8-A8-CB]
+ Ipv4: Src = 192.168.12.33, Dest = 192.168.12.35, Next Protocol = TCP, Packet ID = 13560, Total IP Length = 40
+ Tcp: [Bad CheckSum]Flags=...A...F, SrcPort=57665, DstPort=HTTPS(443), PayloadLen=0, Seq=2766570596, Ack=472740320, Win=253 (scale factor 0x8) = 64768

This was working prior to the certificate expiring and I probably just need to install the new certificate somewhere else on the web server, but so far Google has not turned up anything useful. Thanks for your help in advance.
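
A diagnostic added here as an example (not part of the original post): in the trace the handshake completes and the ARR side (192.168.12.33) then closes the connection with a FIN, so this script, run on the ARR server, decodes the error code and reports how that machine validates the certificate the web server presents. The `$targetName` value is a placeholder and must be replaced with the host name ARR actually uses for the backend; PowerShell 3.0 or later is assumed.

```powershell
# Added example, run on the ARR server.
$backend    = '192.168.12.35'            # web server address, taken from the trace
$targetName = 'webserver.example.test'   # placeholder: the name ARR uses for the backend

# 1. Split the ARR error code into its HRESULT fields.
$hr = 2147954575
'HRESULT 0x{0:X8}: facility {1}, code {2}' -f $hr, (($hr -shr 16) -band 0x1FFF), ($hr -band 0xFFFF)
# Facility 7 is FACILITY_WIN32; code 12175 is ERROR_WINHTTP_SECURE_FAILURE.

# 2. Perform the same TLS handshake, but record the validation result
#    instead of aborting, so the reason for a rejection becomes visible.
$seen = @{}
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($s, $cert, $chain, $policyErrors)
    $seen.Errors = $policyErrors
    $seen.Cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cert
    $seen.Chain  = @($chain.ChainStatus | ForEach-Object { $_.Status })
    $true    # accept for diagnosis only; nothing is sent after the handshake
}

$tcp = New-Object System.Net.Sockets.TcpClient($backend, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($targetName)
}
finally {
    $tcp.Close()
}

# 3. Report what this machine concluded about the presented certificate.
'Policy errors : {0}' -f $seen.Errors
'Chain status  : {0}' -f ($seen.Chain -join ', ')
'Subject       : {0}' -f $seen.Cert.Subject
'Thumbprint    : {0}' -f $seen.Cert.Thumbprint
'Valid         : {0} to {1}' -f $seen.Cert.NotBefore, $seen.Cert.NotAfter
```

`Policy errors : None` means this machine accepts the certificate under that name. `RemoteCertificateChainErrors` with a chain status of `UntrustedRoot` means the certificate's issuer is not in the machine's trusted root store, and `RemoteCertificateNameMismatch` means the certificate does not cover `$targetName`.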