Re: Win2003 Upgrade Broke SSL?

From: JohnF (JohnF_at_discussions.microsoft.com)
Date: 03/02/05


Date: Tue, 1 Mar 2005 18:47:07 -0800

Thanks for your help...

netstat -o is not showing anything on 443, which is a little strange. I've
done a screen dump and there is no reference to 443 at all as I scroll
through the dump.

I've just noticed windows update won't work either (unrelated but I wonder
if it has something to do with it...). Windows update is telling me that my
clock is not the correct time, which it is. It won't let me update the
hotfixes.

Could this be at all related?

I am a little confused at the reply that Upgrading to Win2003 did not break
it. I had upgraded a Win2k server running Exch2000 to Exchange 2003 as per
the MSKB. I was well aware that Exchange had to be upgraded first. When I
tested OWA2003 from a client, it worked fine. This means after Exchange 2003
was upgraded "over the top" IIS was still working. As soon as I upgraded the
OS (from Win2000 to Win2003 server) the IIS service would no longer start,
and this is when I realised it was because port 443 wouldn't start, so IIS
just came up with an error about not starting. I only fumbled on to the
revelation that port 443 was blocking it, because the error message about
"IIS not starting" was not helpful. As soon as I realised 443 was stopping
IIS starting, I simply changed the SSL-setting in IIS properties to 444 and
it started fine. Now my problem is I need to get SSL working back on 443 as
it should (and was prior to the 2003 upgrade).

I'm confused because prior to upgrading to Win2003, IIS was fine. I had no
errors in starting it, and it served OWA2000 and then OWA2003 requests
perfectly. It was only after installing Win2003 server over the top that IIS
"broke" for want of a better explanation.

Any help greatly appreciated.

John.

"David Wang [Msft]" wrote:

> netstat -o
>
> should show the PID of the process that is listening on port 443, so check
> to see if there is a conflict. svchost.exe should be the owner if IIS has
> it. If it is not IIS, then you need to take care of server configuration
> such that this is no longer a problem.
>
>
> In general, I doubt that "Win2003 upgrade broke SSL" since as you noted, SSL
> wasn't even working before the upgrade, so I doubt there was anything to
> break.
>
> What I suspect is that you have some other program that is using port 443,
> and on upgrade, when Exchange tried to claim port 443 for SSL, it was unable
> to (since the port was already claimed by another application), and so IIS
> fails to start up that website (failure to claim binding for a website is
> sufficient reason to fail the website). I am not certain that you will ever
> find posts with people talking about this sort of "problem" since it amounts
> to user error. If you configure multiple programs to use the same IP:Port
> binding, all but the first will fail, and the pattern will be different,
> depending on the application.
>
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "Bernard" <qbernard@hotmail.com.discuss> wrote in message
> news:u9AVTpVHFHA.3588@TK2MSFTNGP14.phx.gbl...
> Who is the CA of the cert? Did you install the trusted root and
> intermediate root cert as well?
>
> Don't think this applies to w2k3, but you can refer to it:
> "Certificate Services Did Not Start" Message Appears in the Event Log Even
> Though the Certificate Services Component Starts Successfully
> http://support.microsoft.com/?id=822626
>
>
> --
> Regards,
> Bernard Cheah
> http://www.tryiis.com/
> http://support.microsoft.com/
> http://www.msmvps.com/bernard/
>
>
>
> "JohnF" <JohnF@discussions.microsoft.com> wrote in message
> news:93D0BCB4-C7CD-4499-937D-845A2A62CF95@microsoft.com...
> > All,
> >
> > I recently upgraded my Exchange 2000 server/Windows 2000. I installed
> > Exchange 2003 and then upgraded to Windows 2003 server.
> >
> > In doing so, it broke SSL. I'm not sure why or how a mere upgrade did
> > this, but it did - it could be my lack of knowledge with new features in
> > Windows 2003 server. I do remember specifically it wasn't the upgrade to
> > Exchange 2003 that broke it, it was only AFTER I ran the Windows 2003
> > Server upgrade installation. IIS manager would not let me start the
> > "default web page", which housed our intranet, because it could not start
> > SSL on port 443. Because we don't use SSL and only use internal webpages,
> > I simply changed the port to 444 in the interim. After applying this
> > change, the IIS service would then start, and it would serve both the
> > Intranet and OWA fine. It has been working fine like this, without SSL on
> > 443, for a couple of months.
> >
> > I have since discovered that some other service (?) might be starting
> > before IIS, and is binding the SSL port (0.0.0.0:443) first. It might be
> > "locking out" IIS from starting properly when you leave SSL on its
> > default port of 443. If you do a netstat, you discover port 443 is
> > listening, which I'm assuming is the problem.
> >
> > My problem is now I want to enable SSL on port 443, and I'm still not
> > sure what's stopping it from doing so. Because I've never needed to use
> > SSL, I've not bothered fixing it, but I need it now. I need to get IIS
> > running the default web page on port 443 and not on my temporary fix of
> > port 444.
> >
> > If you have any ideas or suggestions, or have indeed experienced this
> > problem when upgrading Exchange 2000 - Exchange 2003, I'd love to hear
> > from you. Googling has given me few clues.
> >
> > Thanks.
> >
> > PS running SSL diags reveals the following problem if this helps. (it is a
> > hp server)
> >
> > Verifying server certificate, it might take a while...
> > #WARNING:Error 0x800b0109 : A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
> > Server certificate name: 10.1.1.1
> > Server certificate subject: C=US, O=Hewlett-Packard Company, CN=10.1.1.1
> > Server certificate issuer: C=US, O=Hewlett-Packard Company, CN=10.1.1.1
> > Server certificate validity: From 2/16/2004 4:03:45 PM To 2/13/2014 4:03:45 PM
> >
> >
> >
>
>
>
>
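An added example, not part of the original thread: on Windows, `netstat -o` by itself lists only active connections, so a socket that is merely listening does not appear; `netstat -ano` includes LISTENING sockets together with their PIDs. The Python sketch below parses that output and reports which PID holds a given port, matching the port exactly so that 4431 is not mistaken for 443. The sample text, addresses, PIDs and function names are constructed for illustration.

```python
import re

# Constructed sample of `netstat -ano` output (not taken from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1432
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       2816
  TCP    0.0.0.0:444            0.0.0.0:0              LISTENING       1432
  TCP    10.1.1.1:3389          10.1.1.50:1187         ESTABLISHED     904
  TCP    10.1.1.1:4431          10.1.1.50:1190         ESTABLISHED     1432
  UDP    0.0.0.0:445            *:*                                    4
"""

# Proto, local ip:port, foreign address (ignored), state, PID.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+(\S+)\s+(\d+)\s*$")

def listeners(netstat_text, port):
    """Return sorted [(local_ip, pid)] for TCP sockets LISTENING on `port`."""
    found = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        # Compare the port as an integer: a substring search for ":443"
        # would also hit ":4431".
        if m and m.group(3) == "LISTENING" and int(m.group(2)) == port:
            found.append((m.group(1), int(m.group(4))))
    return sorted(found)

def blockers(netstat_text, port, wanted_ip="0.0.0.0"):
    """PIDs already listening on an address that overlaps wanted_ip:port.

    Simplifying assumption: a wildcard address on either side overlaps
    every specific address, so the second binder fails.
    """
    wild = {"0.0.0.0", "[::]"}
    return sorted({pid for ip, pid in listeners(netstat_text, port)
                   if ip == wanted_ip or ip in wild or wanted_ip in wild})

if __name__ == "__main__":
    for port in (443, 444):
        print(port, listeners(SAMPLE, port), blockers(SAMPLE, port))
```

The PID reported for port 443 can then be matched to a process name in Task Manager or with `tasklist`.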


