SSL not working

am 31.01.2007 08:23:39 von Tommy Forsman

Hi

Have tried to enable SSL on a SBS2003 but when I require SSL the website
stops responding.

Have installed CA services
Have created Certificate request
Have "downloaded" the pending request
Have appended the certificate to the default website

But when I put a checkmark in Require Secure Channel, both
https://servername/exchange and http://servername/exchange stop responding

Have used the http://www.msechange.org/tutorials/SSL_Enabling_OWA_2003.html
as help

What could be wrong?
Tomppa

Re: SSL not working

am 01.02.2007 01:20:21 von David Wang

Use SSLDiag to diagnose your configuration.

http://www.microsoft.com/downloads/details.aspx?FamilyID=cabea1d0-5a10-41bc-83d4-06c814265282&DisplayLang=en

http://servername/exchange fails probably because of your HTTP->HTTPS
redirection (and https://servername/exchange is the one configuration
that fails). Because if HTTP is working prior to enabling it, "requiring
SSL" will only cause a 403.4 error to be returned, not stop
responding.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//




Re: SSL not working

am 01.02.2007 11:29:46 von Tommy Forsman

I don't get any 403 error, just "Internet Explorer cannot display the webpage"

SSLdiag only gives one error about certificate chain

Tomppa


Re: SSL not working

am 01.02.2007 23:32:47 von David Wang

"Internet Explorer cannot display the webpage" is not the same as
"stops responding". To see the real error, you need to disable "Show
Friendly HTTP Errors" option in Internet Explorer. Please report the
real error.

SSLDiag must run clean.

Please give the real errors and full details of tool output so that
other people can attempt to help you.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//





Re: SSL not working

am 02.02.2007 05:48:02 von ohaya

Hi Tomppa,

I have to agree with David. SSLDiag is a pretty nice tool, and it's
saved me from many hair-pulling incidents. If it gives you an error,
you have to figure it out and fix it.

You indicated that it gave you an error about "certificatechain". I
suspect that you possibly may not have installed the CA's certificate(s)
into Windows?

Try double-clicking on the server cert that you got, then click on the
"Certification Path" tab. If you see any "red X", that means that the
server cert can't be validated to the root CA's cert.

Jim




Re: SSL not working

am 02.02.2007 12:39:56 von Tommy Forsman

This is what SSLdiag says:

#WARNING:CertVerifyCertificateChainPolicy returned
error -2146762480(0x800b0110)

#WARNING:Error 0x800b0110 : The server certificate is not valid for the
requested usage

How to fix: Install or assign the correct type of certificate. In IIS
Manager, right-click the Web site, and then click Properties. On the
Directory Security tab, click Server Certificate. In the wizard, install or
assign a server certificate.

I disabled "Show Friendly HTTP Errors" but I still get "Internet Explorer
cannot display the webpage"

Thanks for helping me.
Tomppa


Re: SSL not working

am 02.02.2007 12:44:01 von Tommy Forsman

See my post to David for the errors.
Certification path says that the certificate is ok

Tomppa


Re: SSL not working

am 02.02.2007 23:40:55 von David Wang

What type of certificate did you assign for SSL, and did you import
its private key into the LocalSystem's trusted store? You may want to
use a tool like SelfSSL from the IIS Resource Toolkit to set things up
automatically with a single command.
http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&DisplayLang=en

http://www.microsoft.com/windowsserver2003/iis/diagnostictools/default.mspx

Now, until you fix the error identified by SSLDiag:

1. https://servername/exchange -- will keep failing with "Internet
Explorer cannot display the webpage" since SSL connection failed to
establish because the Server's Certificate is not valid for server use

2. http://servername/exchange -- likely set up to auto-redirect from
HTTP->HTTPS, at which point it will also fail in the same way as above
after the redirection

3. *IF* http://servername/exchange is not set up to auto-redirect,
then you would have gotten a 403.4 error response when you configured
"SSL Required", which you would see if "Show Friendly HTTP Errors" is
disabled in Internet Explorer. Since you did not see this, you have
probably configured auto-redirection.

In other words, just fix your server certificate. Just because it's
"ok" doesn't mean it is suitable. It's like at Immigration at US
Borders - when Border Patrol asks you for a valid Passport, you can't
just give them your Driver's License, even though both are valid.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
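
Added example, not part of David Wang's post or of the original thread: a PowerShell check for the "valid but not suitable" case described above, which reports for each certificate in the machine's Personal store whether it carries the Server Authentication usage, has a private key, and builds a chain for that usage. The function name `Test-ServerCertificate` and the output property names are assumptions made for this illustration.

```powershell
# Added example (not from the thread): report which certificates in the
# machine's Personal store are usable as an SSL server certificate.
# Run in an elevated PowerShell session on the web server.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

# Hypothetical helper name, chosen for this example.
function Test-ServerCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # Collect the Enhanced Key Usage OIDs carried by the certificate, if any.
    $ekuOids = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekuOids += $oid.Value }
        }
    }

    # Windows treats a certificate without an EKU extension as unrestricted.
    $ekuAllowsServerAuth = ($ekuOids.Count -eq 0) -or ($ekuOids -contains $ServerAuthOid)

    # Build the chain while demanding the Server Authentication usage.
    # Revocation checking is off so an unreachable CRL of an internal CA
    # does not mask the usage result.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $policyOid = New-Object System.Security.Cryptography.Oid $ServerAuthOid
    [void]$chain.ChainPolicy.ApplicationPolicy.Add($policyOid)
    $chainBuilds = $chain.Build($Certificate)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    [pscustomobject]@{
        Subject             = $Certificate.Subject
        Thumbprint          = $Certificate.Thumbprint
        NotAfter            = $Certificate.NotAfter
        HasPrivateKey       = $Certificate.HasPrivateKey
        EkuOids             = $ekuOids -join ', '
        EkuAllowsServerAuth = $ekuAllowsServerAuth
        ChainBuilds         = $chainBuilds
        ChainStatus         = $chainStatus
        # Suitable only when all three conditions hold.
        SuitableForSsl      = $Certificate.HasPrivateKey -and $ekuAllowsServerAuth -and $chainBuilds
    }
}

Get-ChildItem -Path Cert:\LocalMachine\My |
    ForEach-Object { Test-ServerCertificate -Certificate $_ } |
    Format-List
```

A `NotValidForUsage` entry in `ChainStatus` points to the same kind of usage failure that SSLDiag reported, while `UntrustedRoot` points to the missing CA certificate that Jim's post asks about.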




Re: SSL not working

am 03.02.2007 14:10:22 von Tommy Forsman

Hi
I have followed these steps:
http://www.msechange.org/tutorials/SSL_Enabling_OWA_2003.html

Tomppa
