Help needed! SSL certificate replaced, but site delivers old one still?!

Question
-
User1710988749 posted
I have only one web site that uses SSL. The old certificate is still valid for two weeks, but I decided to replace it with a new certificate from another CA (due to payment issues with the old CA). I followed the Microsoft KB article "How To Renew or Create New Certificate Signing Request While Another Certificate Is Currently Installed" (http://support.microsoft.com/kb/295281), and replaced the certificate successfully. However, when I browse to the web site from a browser, the certificate delivered by the site is the old certificate. This worries me, as the certificate goes out of date in two weeks. I have started and stopped the SSL web site. I have restarted IIS completely. I have verified that the new certificate hash is correct in the IIS metabase and that it is the only certificate hash in the metabase. I can't figure out why the certificate displayed is the old one despite the fact that the web site no longer uses it in the IIS manager. Can anyone tell me how I can fix this?
Monday, December 29, 2008 6:56 AM
Answers
-
User1632528892 posted
Hi,
Having re-read Joel Olson's blog post I think that my understanding of the process is incorrect - I think Sharepoint only stores the fact that a site is SSL enabled - it doesn't appear to know anything about the certificate in use, which makes more sense in hindsight.
You say that you have re-started IIS and it hasn't made any difference, so assuming that you haven't already re-booted the machine at this point I would suggest doing the following:
1. Issue an iisreset /stop command
2. Then type net stop http followed by net start http
3. Issue an iisreset /start command
Now, try browsing to your Sharepoint site over SSL and see what happens.
If you still get the old cert then my only other suggestions would be that maybe you have got more than one front-end web server in your Sharepoint farm (with the old certificate installed on your other server) or that maybe there is a hardware SSL accelerator on your network with the old cert installed on it. I don't know what else to suggest, I've never seen anything like this before.
Regards,
- Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
Wednesday, December 31, 2008 6:26 AM
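The accepted answer's fix is to bounce HTTP.sys itself, because on Windows Server 2003 the kernel-mode SSL path can keep serving a cached certificate after IIS and the metabase have been updated. The script below is an added example, not code from the thread or from Microsoft: it probes the certificate the site actually serves, compares its thumbprint with the one you expect, reports whether kernel-mode SSL is enabled, and only on a mismatch runs the exact restart sequence from the answer. The hostname and expected thumbprint are placeholders; the registry value name is the one I know Windows Server 2003 SP1 uses for kernel-mode SSL.

```powershell
param(
    [string]$HostName = 'sharepoint.example.internal',                          # placeholder
    [int]$Port = 443,
    [string]$ExpectedThumbprint = '0000000000000000000000000000000000000000'   # placeholder
)

function Get-ServedCertThumbprint {
    # Open a TLS session and return the thumbprint of whatever leaf certificate
    # the server presents. Validation is deliberately bypassed here: we want to
    # observe the served certificate, not trust it.
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return $cert.Thumbprint
    } finally {
        $client.Close()
    }
}

function Test-KernelModeSsl {
    # Kernel-mode SSL (Win2003 SP1+) is switched by this HTTP.sys parameter;
    # a value of 1 means HTTP.sys, not IIS, terminates TLS and caches the cert.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    $v = (Get-ItemProperty -Path $key -Name EnableKernelSSL -ErrorAction SilentlyContinue).EnableKernelSSL
    return ($v -eq 1)
}

function Restart-HttpSysAndIis {
    # The sequence from the accepted answer: stop IIS, restart HTTP.sys, start IIS.
    # /y answers the "stop dependent services?" prompt so the script does not hang.
    & iisreset /stop
    & net stop http /y
    & net start http
    & iisreset /start
}

$served = Get-ServedCertThumbprint -HostName $HostName -Port $Port
if ($served -ieq $ExpectedThumbprint) {
    Write-Output "OK: $HostName serves the expected certificate $served"
} else {
    Write-Output "MISMATCH: served $served, expected $ExpectedThumbprint (kernel-mode SSL: $(Test-KernelModeSsl))"
    Restart-HttpSysAndIis
    $after = Get-ServedCertThumbprint -HostName $HostName -Port $Port
    Write-Output "After HTTP.sys restart the site serves $after"
}
```

Run it from the web server itself, or from any host that can reach port 443 on it; if the served thumbprint still differs after the restart, check for a second front-end server or an SSL accelerator in front of the site, as the answer suggests.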
All replies
-
User1632528892 posted
Hi,
Have you completely removed the old certificate from the Local Machine certificate store on your server? If it is removed from there then there's no way IIS can still be using the old certificate. You can also try clearing the SSL state from your browser if you are using IE.
How to troubleshoot problems accessing secure Web pages with Internet Explorer 6 Service Pack 2
And you could also try running SSLDiag if you are still unable to resolve the issue.
SSL Diagnostics Version 1.1 (x86)
Regards,
Monday, December 29, 2008 7:47 AM -
User1710988749 posted
Thanks Paul, that SSL Diagnostic utility shed some light on the situation. SSL Diagnostics' main window says the certificate is the new one, but when I use the Probe SSL method and probe the site it gives the old certificate. The site is built upon MOSS. Could this have anything to do with it? From what I've looked up, it seems that all configuration should be done from IIS, and not from MOSS itself. I haven't yet completely removed the old certificate, in case something would go awry in the process...
Monday, December 29, 2008 8:19 AM -
User1632528892 posted
Hi,
It sounds as though Sharepoint is still using the old certificate so you may have to configure the new certificate for use within Sharepoint itself.
Regards,
Monday, December 29, 2008 10:50 AM -
User1710988749 posted
MOSS 2007 should always use the certificate specified in IIS. I tried removing the old certificate from the local computer's personal certificate store. It didn't affect the site. The secure site still uses the old certificate despite the removal. Do you have any ideas on how I can fix this? I'm starting to consider rebooting the server, which I'm very reluctant to do. Oh, and btw, why don't my empty lines show up in the final post once I've posted it? In the editor I can see the paragraphs separated, but not in the post itself... All other users' posts have empty lines between paragraphs. :/
Tuesday, December 30, 2008 6:04 AM -
User1632528892 posted
"MOSS 2007 should always use the certificate specified in IIS. I tried removing the old certificate from the local computer's personal certificate store. It didn't affect the site. The secure site still uses the old certificate despite the removal."
That would suggest that maybe MOSS is caching the certificate internally, or maybe you've found a bug in MOSS, I'm not 100% sure.
I haven't got any experience of using SSL with MOSS but I would approach this issue by removing the SSL setting from the MOSS site, then removing the old certificate from the server and then re-enabling the SSL requirement on the MOSS site and specifying the new certificate.
In the meantime I'm off to research how MOSS handles SSL certificates because what you are describing suggests that MOSS is keeping its own internal reference to the SSL cert as opposed to relying on the local machine store.
Regards,
Tuesday, December 30, 2008 6:40 AM -
User1710988749 posted
The server in question is a front end server visible to our customers. Thus I'm rather reluctant to make changes to the MOSS site itself. SSL is enabled upon creation of the MOSS site. Thus it's not just a setting that can be arbitrarily turned on and off (though I've read vague methods of enabling SSL on MOSS sites that were non-SSL). Booting the server is an option, though... Unless you can come up with another suggestion?
Tuesday, December 30, 2008 6:54 AM -
User1632528892 posted
OK, it looks like it isn't a bug but is actually expected behaviour as explained here :
However, you may want to ask this question over in the Sharepoint forums to get further clarification of the issue:
http://forums.microsoft.com/MSDN/default.aspx?ForumGroupID=328&SiteID=1
Regards,
Tuesday, December 30, 2008 6:58 AM -
User1710988749 posted
Thanks Paul, your support has definitely helped me here. I'll continue my investigation at the SharePoint forums. :)
Tuesday, December 30, 2008 8:19 AM -
User1632528892 posted
You're welcome. Please let us know what advice you get from the Sharepoint experts - I'm actually genuinely interested in finding out what's happening here.
Regards,
Tuesday, December 30, 2008 11:03 AM -
User930989739 posted
I don't see how Sharepoint would affect the SSL handling. What version of IIS are you using? I assume it is IIS 6.0.
Have you by any chance enabled kernel mode SSL for IIS 6 (introduced in Win 2003 SP1?). My recollection is that kernel mode SSL on Win2003 doesn't handle change notifications for certificates (besides other limitations). For more details see the following link: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/6df8492c-02d6-45bf-a74e-0990d5654ff5.mspx?mfr=true
Tuesday, December 30, 2008 5:55 PM -
User1710988749 posted
Yes, we're using IIS 6.0, Windows Server 2003 SP2. I checked, and yes, kernel mode SSL was enabled. I disabled it in regedit and restarted IIS. It didn't affect the Sharepoint site. I tried shutting down the SharePoint Web Service, which basically removes the IIS sites and recreates them from the SharePoint database when the service is started again. Once they're recreated, there is no SSL certificate specified in IIS. Outrageously though, if I connect to the SSL site, SharePoint still gives me the old certificate. If I assign the new certificate in IIS to the SSL SharePoint site, it doesn't affect it. It still uses the old certificate.
Wednesday, December 31, 2008 3:51 AM -
User1710988749 posted
Excellent advice Paul Lynch! That was the solution. I did what you suggested and it started working, didn't even need to boot. I owe you my thanks indeed! With kind regards, Synocus
Tuesday, January 6, 2009 4:29 AM -
User989702501 posted
Do you have the HTTPS service running?
I forget; I recall that in IIS 7 we can net stop https? It only requires recycling the HTTPS service.
Tuesday, January 6, 2009 7:40 AM -
User1710988749 posted
It's a little late to test that, as the SSL site as well as HTTPS works now. I have no need to restart it anymore.
Wednesday, January 7, 2009 2:09 AM -
User930989739 posted
He has kernel mode SSL enabled, so recycling the httpssl service wouldn't help.
Wednesday, January 7, 2009 3:05 AM