Certificate Expired on IIS 7.5 and ARR Servers: New Certificate Does Not Work

This is in our development environment: routing server, single web server, no reverse proxy. The certificate (self-signed by the ARR server) expired. I deleted the old certificate and generated a new one. I have installed it on both the ARR server and the IIS web server through IIS Manager / Server Certificates. However, when I try using HTTPS I get a 502.3 error with an error code of 2147954575 from the ARR module. I don't find any errors on the web server. Failed request tracing is enabled for both servers. I am also tracing the TLS frames:

  Frame: Number = 1456, Captured Frame Length = 250, MediaType = NetEvent
+ NetEvent: 
+ MicrosoftWindowsNDISPacketCapture: Packet Fragment (149 (0x95) bytes)
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-0C-29-68-01-37],SourceAddress:[00-0C-29-B8-A8-CB]
+ Ipv4: Src = 192.168.12.33, Dest = 192.168.12.35, Next Protocol = TCP, Packet ID = 13558, Total IP Length = 135
+ Tcp:  [Bad CheckSum]Flags=...AP..., SrcPort=57665, DstPort=HTTPS(443), PayloadLen=95, Seq=2766570175 - 2766570270, Ack=472739393, Win=256 (scale factor 0x8) = 65536
  TLSSSLData: Transport Layer Security (TLS) Payload Data
- TLS: TLS Rec Layer-1 HandShake: Client Hello.
  - TlsRecordLayer: TLS Rec Layer-1 HandShake:
     ContentType: HandShake:
   - Version: TLS 1.0
      Major: 3 (0x3)
      Minor: 1 (0x1)
     Length: 90 (0x5A)
   - SSLHandshake: SSL HandShake ClientHello(0x01)
      HandShakeType: ClientHello(0x01)
      Length: 86 (0x56)
    - ClientHello: TLS 1.0
     + Version: TLS 1.0
     + RandomBytes: 
       SessionIDLength: 0 (0x0)
       CipherSuitesLength: 24
     + TLSCipherSuites: TLS_RSA_WITH_AES_128_CBC_SHA            { 0x00, 0x2F }
     + TLSCipherSuites: TLS_RSA_WITH_AES_256_CBC_SHA            { 0x00, 0x35 }
     + TLSCipherSuites: TLS_RSA_WITH_RC4_128_SHA                { 0x00,0x05 }
     + TLSCipherSuites: TLS_RSA_WITH_3DES_EDE_CBC_SHA           { 0x00,0x0A }
     + TLSCipherSuites: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      { 0xC0,0x13 }
     + TLSCipherSuites: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      { 0xC0,0x14 }
     + TLSCipherSuites: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    { 0xC0,0x09 }
     + TLSCipherSuites: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    { 0xC0,0x0A }
     + TLSCipherSuites: TLS_DHE_DSS_WITH_AES_128_CBC_SHA        { 0x00, 0x32 }
     + TLSCipherSuites: TLS_DHE_DSS_WITH_AES_256_CBC_SHA        { 0x00, 0x38 }
     + TLSCipherSuites: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA        { 0x00,0x13 }
     + TLSCipherSuites: TLS_RSA_WITH_RC4_128_MD5                { 0x00,0x04 }
       CompressionMethodsLength: 1 (0x1)
       CompressionMethods: 0 (0x0)
       ExtensionsLength: 21 (0x15)
     + ClientHelloExtension: Renegotiation Info(0xFF01)
     + ClientHelloExtension: Elliptic Curves(0x000A)
     + ClientHelloExtension: EC Point Formats(0x000B)
  Frame: Number = 1470, Captured Frame Length = 1023, MediaType = NetEvent
+ NetEvent: 
+ MicrosoftWindowsNDISPacketCapture: Packet Fragment (922 (0x39A) bytes)
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-0C-29-B8-A8-CB],SourceAddress:[00-0C-29-68-01-37]
+ Ipv4: Src = 192.168.12.35, Dest = 192.168.12.33, Next Protocol = TCP, Packet ID = 14274, Total IP Length = 908
+ Tcp: Flags=...AP..., SrcPort=HTTPS(443), DstPort=57665, PayloadLen=868, Seq=472739393 - 472740261, Ack=2766570270, Win=256 (scale factor 0x8) = 65536
  TLSSSLData: Transport Layer Security (TLS) Payload Data
- TLS: TLS Rec Layer-1 HandShake: Server Hello. Certificate. Server Hello Done.
  - TlsRecordLayer: TLS Rec Layer-1 HandShake:
     ContentType: HandShake:
   - Version: TLS 1.0
      Major: 3 (0x3)
      Minor: 1 (0x1)
     Length: 863 (0x35F)
   - SSLHandshake: SSL HandShake Server Hello Done(0x0E)
      HandShakeType: ServerHello(0x02)
      Length: 77 (0x4D)
    + ServerHello: 0x1
      HandShakeType: Certificate(0x0B)
      Length: 774 (0x306)
    + Cert: 0x1
      HandShakeType: Server Hello Done(0x0E)
      Length: 0 (0x0)
  Frame: Number = 1489, Captured Frame Length = 481, MediaType = NetEvent
+ NetEvent: 
+ MicrosoftWindowsNDISPacketCapture: Packet Fragment (380 (0x17C) bytes)
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-0C-29-68-01-37],SourceAddress:[00-0C-29-B8-A8-CB]
+ Ipv4: Src = 192.168.12.33, Dest = 192.168.12.35, Next Protocol = TCP, Packet ID = 13559, Total IP Length = 366
+ Tcp:  [Bad CheckSum]Flags=...AP..., SrcPort=57665, DstPort=HTTPS(443), PayloadLen=326, Seq=2766570270 - 2766570596, Ack=472740261, Win=253 (scale factor 0x8) = 64768
  TLSSSLData: Transport Layer Security (TLS) Payload Data
- TLS: TLS Rec Layer-1 HandShake: Client Key Exchange.; TLS Rec Layer-2 Cipher Change Spec; TLS Rec Layer-3 HandShake: Encrypted Handshake Message.
  - TlsRecordLayer: TLS Rec Layer-1 HandShake:
     ContentType: HandShake:
   - Version: TLS 1.0
      Major: 3 (0x3)
      Minor: 1 (0x1)
     Length: 262 (0x106)
   - SSLHandshake: SSL HandShake Client Key Exchange(0x10)
      HandShakeType: Client Key Exchange(0x10)
      Length: 258 (0x102)
      ClientKeyExchange: Binary Large Object (258 Bytes)
  - TlsRecordLayer: TLS Rec Layer-2 Cipher Change Spec
     ContentType: Cipher Change Spec
   - Version: TLS 1.0
      Major: 3 (0x3)
      Minor: 1 (0x1)
     Length: 1 (0x1)
   + ChangeCipherSpec: 0x1
  - TlsRecordLayer: TLS Rec Layer-3 HandShake:
     ContentType: HandShake:
   - Version: TLS 1.0
      Major: 3 (0x3)
      Minor: 1 (0x1)
     Length: 48 (0x30)
   - SSLHandshake: SSL HandShake Client Key Exchange(0x10)
      EncryptedHandshakeMessage: Binary Large Object (48 Bytes)
  Frame: Number = 1503, Captured Frame Length = 214, MediaType = NetEvent
+ NetEvent: 
+ MicrosoftWindowsNDISPacketCapture: Packet Fragment (113 (0x71) bytes)
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-0C-29-B8-A8-CB],SourceAddress:[00-0C-29-68-01-37]
+ Ipv4: Src = 192.168.12.35, Dest = 192.168.12.33, Next Protocol = TCP, Packet ID = 14275, Total IP Length = 99
+ Tcp: Flags=...AP..., SrcPort=HTTPS(443), DstPort=57665, PayloadLen=59, Seq=472740261 - 472740320, Ack=2766570596, Win=255 (scale factor 0x8) = 65280
  TLSSSLData: Transport Layer Security (TLS) Payload Data
- TLS: TLS Rec Layer-1 Cipher Change Spec; TLS Rec Layer-2 HandShake: Encrypted Handshake Message.
  - TlsRecordLayer: TLS Rec Layer-1 Cipher Change Spec
     ContentType: Cipher Change Spec
   - Version: TLS 1.0
      Major: 3 (0x3)
      Minor: 1 (0x1)
     Length: 1 (0x1)
   + ChangeCipherSpec: 0x1
  - TlsRecordLayer: TLS Rec Layer-2 HandShake:
     ContentType: HandShake:
   - Version: TLS 1.0
      Major: 3 (0x3)
      Minor: 1 (0x1)
     Length: 48 (0x30)
   - SSLHandshake: SSL HandShake 
      EncryptedHandshakeMessage: Binary Large Object (48 Bytes)

Then I get TCP packets being sent to the web server with bad checksums.

  Frame: Number = 1522, Captured Frame Length = 155, MediaType = NetEvent
+ NetEvent: 
+ MicrosoftWindowsNDISPacketCapture: Packet Fragment (54 (0x36) bytes)
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-0C-29-68-01-37],SourceAddress:[00-0C-29-B8-A8-CB]
+ Ipv4: Src = 192.168.12.33, Dest = 192.168.12.35, Next Protocol = TCP, Packet ID = 13560, Total IP Length = 40
+ Tcp:  [Bad CheckSum]Flags=...A...F, SrcPort=57665, DstPort=HTTPS(443), PayloadLen=0, Seq=2766570596, Ack=472740320, Win=253 (scale factor 0x8) = 64768

This was working prior to the certificate expiring and I probably just need to install the new certificate somewhere else on the web server, but so far Google has not turned up anything useful. Thanks for your help in advance.
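
A check for the failure described above, as an added example that is not part of the original post: the error code 2147954575 is HRESULT 0x80072F8F, whose low word 12175 is WinHTTP's ERROR_WINHTTP_SECURE_FAILURE, so the script below shows how the ARR machine evaluates the certificate the web server presents. The address comes from the trace; `$ExpectedName` is a placeholder for the host name ARR forwards requests to.

```powershell
# Added example. Run on the ARR server in an elevated PowerShell session.
$BackendHost  = '192.168.12.35'          # web server address from the trace
$BackendPort  = 443
$ExpectedName = 'backend.example.test'   # placeholder: name ARR forwards to

# Decode the ARR error code: HRESULT 0x80072F8F, low word = Win32 error 12175
$hresult = 2147954575
'HRESULT 0x{0:X8} -> Win32 error {1}' -f $hresult, ($hresult % 0x10000)

# Accept any certificate so the handshake completes and it can be inspected;
# the policy errors SslStream computed are kept for the report below.
$seen = @{}
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($s, $c, $ch, $e)
    $seen.Errors = $e
    $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($BackendHost, $BackendPort)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($ExpectedName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally { $tcp.Close() }

# Rebuild the chain against this machine's trust stores, without revocation checks
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chainOk = $chain.Build($cert)

'Subject      : ' + $cert.Subject
'Thumbprint   : ' + $cert.Thumbprint
'Valid        : {0:u} to {1:u}' -f $cert.NotBefore, $cert.NotAfter
'Has expired  : ' + ((Get-Date) -gt $cert.NotAfter)
'Policy errors: ' + $seen.Errors      # None, RemoteCertificateNameMismatch, ...
'Chain builds : ' + $chainOk
foreach ($st in $chain.ChainStatus) { '  {0}: {1}' -f $st.Status, $st.StatusInformation }
```

A self-signed certificate that is not in the machine's Trusted Root Certification Authorities store appears as `UntrustedRoot` in the chain status. The chain is built in the context of the user running the script, so a root trusted only in that user's store can make the result look healthier than what the ARR worker process sees.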

