SSL server certificate binding doesn't work after reboot

  • Question

  • Hi all,
    I have a WCF host which uses wsHttpBinding and the security mode is TransportWithMessageCredential.
    The service host is currently a console application.
    I'm running Vista and I have used netsh to create the binding between port and server certificate:
    netsh http add sslcert ipport=0.0.0.0:8003 certhash=b3827067707abb1bd8da500e2216d77178f8a590 appid={3D414FC3-1C1C-4a90-8BC1-A37DD011EC31} clientcertnegotiation=disable usagecheck=disable verifyclientcertrevocation=disable certstorename=MY

    Everything is working fine until I reboot the server. From that moment on I will get this error message on the client:
    An error occurred while making the HTTP request to https://192.168.1.15:8003/. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case...

    When I now check the server certificate bindings with netsh http show sslcert, I can still see my binding. Anyhow, the problem only gets solved when I remove and re-create the binding.

    During the boot process this entry is added to the EventLog (Source: HttpEvent, Event ID: 15021):
    An error occured while using SSL configuration for socket address 0.0.0.0:8003.  The error status code is contained within the returned data.

    Any help is appreciated,
    Ulli

    Thursday, January 29, 2009 9:45 PM

Answers

  • You can see the problem even without using WCF.
    1.) Create certificate files. E.g.:
    makecert.exe -n CN=myPeerHost -sky exchange -a SHA1 -len 2048 -pe -r -sv myPeerHost.pvk myPeerHost.cer
    pvk2pfx.exe -pvk myPeerHost.pvk -spc myPeerHost.cer -pfx myPeerHost.pfx -f

    2.) Start mmc and add the certificate snap-in for CurrentUser and the certificate snap-in for LocalMachine
    3.) Right-click on the 'Personal' folder of the 'Current User' folder and choose 'All Tasks - Import...' and import the pfx file
    4.) Right-click on the imported certificate and choose 'Cut'
    5.) Right-click on the 'Personal' folder of the 'Local Machine' folder and choose 'Paste'
    6.) Register the certificate using netsh:
    netsh http add sslcert ipport=0.0.0.0:8003 certhash=<your cert hash> appid={E29FFF2F-BDFB-4848-A591-31C504CF5C51} clientcertnegotiation=disable usagecheck=disable verifyclientcertrevocation=disable certstorename=MY
    7.) Reboot the machine
    8.) Start the Event Viewer and look in Windows Logs\System
    You will find three error entries (Source = HttpEvent):
    A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d.

    A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x80090016.

    An error occured while using SSL configuration for socket address 0.0.0.0:8003.  The error status code is contained within the returned data.


    As a consequence the certificate is no longer registered with HTTP.SYS even though 'netsh http show sslcert' will show the registration.
    There will be no errors if you import the certificate directly into LocalMachine\My.
    There seems to be an issue when the private key is accessed during the boot process. If you import a certificate directly into LocalMachine\My then the private key is stored in \ProgramData\Microsoft\Crypto\RSA\MachineKeys. But if you import a certificate into CurrentUser\My the private key will be stored in \Users\<your username>\AppData\Roaming\Microsoft\Crypto\RSA. It will remain in that location even after you move the certificate from CurrentUser to LocalMachine (using mmc). I guess the problem is somehow related to the different locations of the files.
    Now that I'm aware of this issue, it's no longer a problem for me. But if you are playing around with WCF and use certificates, I suggest importing them directly into the correct store locations and not moving them around using the mmc certificate snap-in.

    Regards,
    Ulli
    Tuesday, February 17, 2009 2:18 PM

All replies

  • Hi Ulli,

    Is this a self-generated certificate? If so, how did you generate it? There are sometimes issues with registering those with IIS.
    Also, has the IP address of the server changed at all between reboots?

    You may also need to add your certificate to the Trusted Root Certification Authority using certmgr.msc.

    HTH!

    --Jason
    Thursday, February 5, 2009 3:29 AM
  • Sorry for the delay. Suddenly the problem had gone on two of three machines and I wanted to find out what was going on.
    @Jason: Yes, I'm working with self-generated certificates created by makecert.exe. But I'm not hosting the service in IIS but in a console application. The IP address was obtained through DHCP and did not change between the reboots.

    I tried to find out why suddenly the problem was gone on two of my machines and finally I found the cause of this trouble:
    The problem is not the certificate itself but the way I installed it. My application is just a test application and thus I was playing around with many different settings. I started my tests with certificates in the CurrentUser stores and later moved them from CurrentUser to LocalMachine using the mmc certificate snap-in. If I move the certificates from CurrentUser to LocalMachine before executing "netsh http add sslcert..." I will get the problem after rebooting the host machine as described in my initial post.
    But if I import my certificates directly into the LocalMachine stores before executing "netsh http add sslcert..." everything works fine even after rebooting the host machine.

    Steps to reproduce the problem (starting point is a new Vista Ultimate installation with latest updates, .NET Framework 3.5 SP1), using PeerTrust, ChainTrust shows the same problem:
    - Create certificate files:
    makecert.exe -n CN=myPeerHost -sky exchange -a SHA1 -len 2048 -pe -r -sv myPeerHost.pvk myPeerHost.cer
    pvk2pfx.exe -pvk myPeerHost.pvk -spc myPeerHost.cer -pfx myPeerHost.pfx -f
    makecert.exe -n CN=myPeerClient -sky exchange -a SHA1 -len 2048 -pe -r -sv myPeerClient.pvk myPeerClient.cer
    pvk2pfx.exe -pvk myPeerClient.pvk -spc myPeerClient.cer -pfx myPeerClient.pfx -f

    - Open firewall:
    netsh advfirewall firewall add rule name="WCF8003" dir=in action=allow profile=any localport=8003 protocol=tcp
    - Install myPeerClient.cer into LocalMachine\TrustedPeople:
    Import certificate using mmc certificate-snap-in

    Only Scenario 1:
    - Install myPeerHost.pfx into CurrentUser\My (using mmc certificate-snap-in)
    - Move myPeerHost certificate from CurrentUser\My to LocalMachine\My  (using mmc certificate-snap-in)

    Only Scenario 2:
    - Install myPeerHost.pfx into LocalMachine\My (using mmc certificate-snap-in)


    Scenario 1 and 2:
    - map certificate to port
    netsh http add sslcert ipport=0.0.0.0:8003 certhash=fdf82d3395e6ede49e4f328bbfac0fe4134f32c2 appid={E29FFF2F-BDFB-4848-A591-31C504CF5C51} clientcertnegotiation=disable usagecheck=disable verifyclientcertrevocation=disable certstorename=MY
    - grant user access to URL:
    netsh http add urlacl url=https://+:8003/ user=%USERNAME%

    Only Scenario 2:
    - grant access to private key
    winhttpcertcfg -g -c LOCAL_MACHINE\My -s myPeerHost -a %USERNAME%
    This is not necessary in scenario 1 because if you import a certificate with private key into a CurrentUser store the current user is automatically added to the private key's ACL.

    Results:
    Scenario 1: The client can access the service until you reboot the host machine (see initial post).
    Scenario 2: Everything is fine!


    Does anybody know the reason for the different behavior?
    Thanks,
    Ulli

    Wednesday, February 11, 2009 2:58 PM
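    A PowerShell diagnostic, added here as an example and not taken from any post in this thread, that automates the check behind the two scenarios above and the accepted answer: it parses netsh http show sslcert, looks each bound certificate up in LocalMachine\My, reports whether its private key container file sits in the machine key store (\ProgramData\Microsoft\Crypto\RSA\MachineKeys) or in a user profile, and lists who has access to that key file (the gap winhttpcertcfg fills in scenario 2). The function names and search paths are my own assumptions; it covers CAPI/CSP keys such as makecert and pvk2pfx produce, IP:port bindings only, and must run from an elevated prompt.

```powershell
# Added diagnostic for the problem in this thread (example code, not from any post here).
# Assumes: Windows PowerShell 5.1 or later, an elevated prompt, CAPI (RSA CSP) keys such as
# makecert/pvk2pfx produce, and English 'netsh' output. Function names are my own.

function Get-HttpSslBinding {
    # Turn 'netsh http show sslcert' into objects of IpPort + Thumbprint (IP:port bindings only).
    $bindings = @()
    $current  = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            $current   = [pscustomobject]@{ IpPort = $Matches[1]; Thumbprint = $null }
            $bindings += $current
        }
        elseif ($null -ne $current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
            $current.Thumbprint = $Matches[1].ToUpperInvariant()
        }
    }
    return $bindings
}

function Get-PrivateKeyFileInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    # $Cert.PrivateKey throws when the key container exists but this account cannot open it;
    # that is the same failure HTTP.SYS (running as SYSTEM) hits at boot in this thread.
    $info = $Cert.PrivateKey.CspKeyContainerInfo
    if ($null -eq $info) { return $null }   # CNG key or no private key: out of scope here
    # Machine keys live under ProgramData; user keys under each profile's AppData\Roaming.
    $roots  = @("$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys")
    $roots += Get-ChildItem "$env:SystemDrive\Users" -Directory |
              ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Crypto\RSA' }
    $file = Get-ChildItem -Path $roots -Recurse -File -Filter $info.UniqueKeyContainerName -ErrorAction SilentlyContinue |
            Select-Object -First 1
    [pscustomobject]@{
        MachineKeyStore = $info.MachineKeyStore
        KeyFile         = if ($file) { $file.FullName } else { '(container file not found)' }
        KeyFileAccess   = if ($file) { (Get-Acl $file.FullName).Access.IdentityReference.Value -join ', ' } else { '' }
    }
}

function Test-HttpSslBindingKey {
    foreach ($b in Get-HttpSslBinding) {
        $cert   = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $b.Thumbprint
        $status = $null
        $key    = $null
        if (-not $cert) {
            $status = 'certificate not found in LocalMachine\My'
        }
        else {
            try   { $key = Get-PrivateKeyFileInfo -Cert $cert }
            catch { $status = "private key not accessible: $($_.Exception.Message)" }
            if ($null -eq $status) {
                if ($null -eq $key) { $status = 'no CAPI private key (CNG key or key missing)' }
                elseif ($key.KeyFile -like '*\MachineKeys\*') { $status = 'OK: key in machine key store' }
                else { $status = 'PROBLEM: key outside MachineKeys; re-import the PFX directly into LocalMachine\My' }
            }
        }
        [pscustomobject]@{
            IpPort        = $b.IpPort
            Thumbprint    = $b.Thumbprint
            Status        = $status
            KeyFile       = $key.KeyFile
            KeyFileAccess = $key.KeyFileAccess
        }
    }
}

Test-HttpSslBindingKey | Format-List

# Remedy the thread settled on, expressed in PowerShell (Import-PfxCertificate needs the PKI
# module, Windows 8 / Server 2012 or later); <...> are placeholders for your own values:
#   Import-PfxCertificate -FilePath <host>.pfx -CertStoreLocation Cert:\LocalMachine\My -Password (Read-Host -AsSecureString)
#   netsh http delete sslcert ipport=0.0.0.0:8003
#   netsh http add sslcert ipport=0.0.0.0:8003 certhash=<thumbprint> appid={<guid>} certstorename=MY
```

    A binding whose KeyFile is under a user's AppData\Roaming path, or whose status reports the key as not accessible, is the scenario 1 case: netsh still lists it, but the key cannot be opened in the SYSTEM context at boot. The KeyFileAccess column also shows whether the account that needs the key (the service account in scenario 2) is actually on the container file's ACL.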
  • Hi Ulli,

    Unfortunately, I can't seem to reproduce this on my machine, it just works for me. There might be some specific configuration on my machine that's causing this difference...

    Is there anyone else out there that can see this behaviour?

    --Jason
    Thursday, February 12, 2009 7:18 PM
  • Thanks for posting your findings, Ulli!

    I'm sure that this will help many people in the Community, in case they've ever run into something like this. Your contributions are very much appreciated :)
    Tuesday, February 17, 2009 6:35 PM
  • Thank you Ulli,
    I was banging my head all day over this one until I found your post.
    Same deal, my app has a self hosted web service in it.
    SSL would stop working every time I rebooted, and I would have to use netsh to delete and re-add the sslcert to get it working again.
    Slightly different in that I was getting my certificate from my 2003 Server, which installed the certificate into the CurrentUser Personal store automatically when I clicked the "Install Certificate" link; I had no choice where to import it.
    To fix, based on your suggestions, I had to make sure my Certificate Request had "Mark keys as exportable" marked. Then after installing the certificate I had to Export it to a file, delete it out of the Current User Personal store, then Import it into the Local Computer Personal Store.
    It would have been nice to be able to cut and paste or drag and drop between the Stores, but every time I tried something would get lost and it would not work after reboot.
    Tim

    Tuesday, September 29, 2009 10:45 PM
  • Thank you, thank you, thank you.

    You saved my day. Microsoft KB and Windows Server help - not.


    Regards,

    Martin

    Thursday, February 10, 2011 6:55 PM

  • Is there anyone else out there that can see this behaviour?

    Hi,

    Windows Server 2008 R2 has the same issue when you try to install an SSL certificate from a backup and use it with RRAS SSTP (SSL VPN).

    It's easy to reproduce when you want to move certificate from one machine to another with using export/import functions in MMC Certificates snap-in:

    1) make a certificate backup/export (with private key) to PFX file on one machine,

    2) import certificate from PFX file by double-clicking on the file and move certificate from User Store to Machine Store in MMC Certificates snap-in,

    3) run configuration wizard for RRAS and start it,

    4) Windows (Vista SP2 or 7) clients will fail to connect with Error Code: 0x800704C9

    Why?

    The answer is that the certificate is not bound to the interface because of:

    "A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d."

    And "netsh http show ssl" shows nothing instead of info about the bound certificate.

    Thursday, February 10, 2011 7:38 PM
  • Thanks, Exactly what was happening on my webserver!

    It solved my problem.


    MCSD

    Friday, May 24, 2013 12:03 PM