Cannot update SSL certificate for SQL 2k8 R2 SSRS

  • Question

  • We have an SSL certificate bound to 443 for the Web Service URL. It's going to expire in a month, so I attempted to change the bindings to use a new certificate. I get the following error and details:

    Create certificate binding.
    We were unable to create the certificate binding.

    Reserving url https://+:443
    The url was successfully reserved.

    Microsoft.ReportingServices.WmiProvider.WMIProviderException: An SSL binding already exists for the specified IP address and port combination.  The existing binding uses a different certificate from the current request. Only one certificate can be used for each IP address and port combination. To correct the problem, either use the same certificate as the existing binding, or remove the existing SSL binding and create a new binding using the certificate of the current request.

     ---> System.Runtime.InteropServices.COMException (0x80040238): Exception from HRESULT: 0x80040238
       --- End of inner exception stack trace ---
       at Microsoft.ReportingServices.WmiProvider.RSWmiAdmin.ThrowOnError(ManagementBaseObject mo)
       at Microsoft.ReportingServices.WmiProvider.RSWmiAdmin.CreateSSLCertificateBinding(String application, String certificateHash, String ipAddress, Int32 port)
       at ReportServicesConfigUI.WMIProvider.RSReportServerAdmin.CreateSSLCertificateBinding(UrlApplication app, String certificateHash, String ipAddress, Int32 port)

    I tried several different attempts including unbinding port 443 altogether and the same error occurs.  I am able to roll back to the original certificate.

     


    The Computer Shogun
    Sunday, March 6, 2011 2:51 AM

Answers

  • Hi Jaxdagger,

    Open the Reporting Services configuration tool, stop and start the services in the Instance page. Then, go to the Web Service URL page and select the certificate you want and apply the setting.

    thanks,
    Jerry

    • Marked as answer by Jerry Nee Monday, March 28, 2011 1:18 AM
    Tuesday, March 8, 2011 10:24 AM

All replies

  • Hi,

    Can you check that the private key is included properly in the certificate? Maybe the former certificate export hadn't selected "enable export".


    Regards, PS
    Sunday, March 6, 2011 5:04 AM
  • I am doing the same thing and I get the same error as the OP stated. Stopping and starting the instance as suggested does not help. When I select the new SSL cert after doing that, it still returns the same error - Create certificate binding. We were unable to create the certificate binding.
    • Edited by am777 Wednesday, December 7, 2011 3:09 AM
    Wednesday, December 7, 2011 3:08 AM
  • I found this - http://thinknook.com/ssrs-ssl-certificate-nightmare-2011-06-28/ It says to do this:

    netsh http delete sslcert ipport=[::]:443

    which would help remove/delete the existing binding, but it is for Windows 2008 OS.

    The commands don't work in Win 2003, which is what I have..... so I am still stuck.

    Wednesday, December 7, 2011 3:25 AM
  • OK, I spoke to a friend who had faced this issue in the past, and he had to open an MS support case to get the fix. So here's the fix for Windows 2003:

    You need to use httpcfg (from Windows 2003 Support Tools) to delete/remove the "rogue" binding that does not get removed by the Reporting Services config tool.

    First I did a query; it showed me the rogue binding:

    C:\>httpcfg query ssl
        IP                      : 0.0.0.0:443
        Hash                    : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        Guid                    : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        CertStoreName           : (null)
        CertCheckMode           : 0
        RevocationFreshnessTime : 0
        UrlRetrievalTimeout     : 0
        SslCtlIdentifier        : (null)
        SslCtlStoreName         : (null)
        Flags                   : 0
    ------------------------------------------------------------------------------

    So then I deleted it:

    C:\>httpcfg delete ssl /i 0.0.0.0:443
    HttpDeleteServiceConfiguration completed with 0.

    After doing this I was able to select and add the new SSL cert through the config tool.

    • Proposed as answer by Naomi N Wednesday, December 7, 2011 4:13 AM
    Wednesday, December 7, 2011 4:06 AM
  • This worked for me. Thank you very much.
    Saturday, January 4, 2014 6:24 PM
  • Thanks.

    I needed to use this: netsh http delete sslcert ipport=0.0.0.0:443

    For details about delete sslcert, see here: https://msdn.microsoft.com/en-us/library/windows/desktop/cc307229(v=vs.85).aspx



    Chris

    • Proposed as answer by wafzal Friday, November 9, 2018 7:08 PM
    Friday, October 14, 2016 1:10 PM
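
An added example, not part of any post in this thread: a read-only PowerShell check that parses `netsh http show sslcert` output to show which certificate HTTP.sys still has bound to each endpoint, and whether it matches the one you intend to select in the configuration tool. It assumes PowerShell 3.0 or later and English-language netsh output; the function names, the sample output and both thumbprints are constructed for illustration.

```powershell
# Added example (PowerShell 3.0+): read-only check of HTTP.sys SSL bindings.
# Assumes English-language netsh output; it reports and deletes nothing.

function Get-HttpSysSslBinding {
    param([string[]]$NetshOutput)
    $current = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s+:\s+(\S+)') {
            if ($current) { $current }   # emit the binding just completed
            $current = [pscustomobject]@{ Endpoint = $Matches[2]; Thumbprint = $null; AppId = $null }
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s+:\s+([0-9a-f]+)') {
            $current.Thumbprint = $Matches[1].ToUpper()
        }
        elseif ($current -and $line -match '^\s*Application ID\s+:\s+(\{[^}]+\})') {
            $current.AppId = $Matches[1]
        }
    }
    if ($current) { $current }
}

function Test-SslBinding {
    param($Binding, [string]$WantedThumbprint)
    # Look the bound hash up in the machine store; a missing certificate or
    # a missing private key is worth knowing before rebinding.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Binding.Thumbprint } | Select-Object -First 1
    [pscustomobject]@{
        Endpoint      = $Binding.Endpoint
        BoundHash     = $Binding.Thumbprint
        IsWantedCert  = ($Binding.Thumbprint -eq $WantedThumbprint)
        InStore       = [bool]$cert
        HasPrivateKey = [bool]($cert -and $cert.HasPrivateKey)
        NotAfter      = $(if ($cert) { $cert.NotAfter })
    }
}

# Constructed sample output and thumbprints (not from a real server).
$sample = @'
    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 0123456789abcdef0123456789abcdef01234567
    Application ID               : {00000000-0000-0000-0000-000000000000}
'@ -split "`r?`n"
$wanted = 'FEDCBA9876543210FEDCBA9876543210FEDCBA98'

Get-HttpSysSslBinding $sample | ForEach-Object { Test-SslBinding $_ $wanted }
# Live server: Get-HttpSysSslBinding (netsh http show sslcert) | ...
```

A binding on 0.0.0.0:443 that reports IsWantedCert as False is the leftover binding that the posts above remove with httpcfg or netsh before reapplying the certificate.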