Re: Win2003 Upgrade Broke SSL?

From: JohnF (JohnF_at_discussions.microsoft.com)
Date: 03/03/05


Date: Wed, 2 Mar 2005 17:57:02 -0800

You, sir, are a champion. I did the new netstat -ano command and discovered
there WAS a single process using port 443. Using the PID and task manager I
discovered the program was the default HP battery management software for the
HP UPS.

I stopped this program, and then changed the IIS SSL port back to 443, and
it was ABLE TO START! So it appears, for some reason, that the HP UPS
management software was starting before the IIS would start, and stopping it
from starting. By forcing the closure of this program, IIS was able to start
on 443. This software ships with every single HP UPS sold, so it must be
fairly common...

Now I just need to work out why this program was using port 443 (I suspect
it was because the management of the UPS is all done in a secure web
management console), and work out how to change it to some other port.

Thanks a great deal!

"David Wang [Msft]" wrote:

> Sorry, I meant to say that:
> netstat -ano
>
> Regarding Windows Update, you want to make sure that your machine's Regional
> settings is correct. You may have the right time numerically but for the
> wrong time-zone, which will cause your overall "universal" time to be
> incorrect. That is, suppose it is currently 4pm Eastern US timezone and my
> computer is in the Eastern US timezone, set to 4pm but for the Western US
> timezone. The time numerically is correct, but the timezone is incorrect and
> causes my overall "universal" time to be "1pm", which is incorrect.
>
> The reason I say that the upgrade did not break SSL is because IIS has no
> dependency on having a website with SSL enabled. The fact that you had
> problems relating to port 443 being occupied suggests that you did something
> that both forced IIS to start a website with SSL on port 443 *and* some
> other program has already claimed port 443. Neither of those things have
> anything to do with IIS nor general upgrading process of the OS, so I
> believe they are external.
>
> Usually, when IIS does not start, the NT event log would have entries
> regarding the reason(s). That is standard operations.
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "JohnF" <JohnF@discussions.microsoft.com> wrote in message
> news:13C5284B-C2F6-42FC-9E9C-548547EB84A7@microsoft.com...
> Thanks for your help...
>
> netstat -o is not showing anything on 443, which is a little strange. I've
> done a screen dump and there is no reference to 443 at all as I scroll
> through the dump.
>
> I've just noticed windows update won't work either (unrelated but I wonder
> if it has something to do with it...). Windows update is telling me that my
> clock is not the correct time, which it is. It won't let me update the
> hotfixes.
>
> Could this be at all related?
>
> I am a little confused at the reply that Upgrading to Win2003 did not break
> it. I had upgraded a Win2k server running Exch2000 to Exchange 2003 as per
> the MSKB. I was well aware that Exchange had to be upgraded first. When I
> tested OWA2003 from a client, it worked fine. This means after Exchange 2003
> was upgraded "over the top" IIS was still working. As soon as I upgraded the
> OS (from Win2000 to Win2003 server) the IIS service would no longer start,
> and this is when I realised it was because port 443 wouldn't start, so IIS
> just came up with an error about not starting. I only fumbled on to the
> revelation that port 443 was blocking it, because the error message about
> "IIS not starting" was not helpful. As soon as I realised 443 was stopping
> IIS starting, I simply changed the SSL-setting in IIS properties to 444 and
> it started fine. Now my problem is I need to get SSL working back on 443 as
> it should (and was prior to the 2003 upgrade).
>
> I'm confused because prior to upgrading to Win2003, IIS was fine. I had no
> errors in starting it, and it served OWA2000 and then OWA2003 requests
> perfectly. It was only after installing Win2003 server over the top that IIS
> "broke" for want of a better explanation.
>
> Any help greatly appreciated.
>
> John.
>
> "David Wang [Msft]" wrote:
>
> > netstat -o
> >
> > should show the PID of the process that is listening on port 443, so check
> > to see if there is a conflict. svchost.exe should be the owner if IIS has
> > it. If it is not IIS, then you need to take care of server configuration
> > such that this is no longer a problem
> >
> >
> > In general, I doubt that "Win2003 upgrade broke SSL" since as you noted,
> > SSL wasn't even working before the upgrade, so I doubt there was anything to
> > break.
> >
> > What I suspect is that you have some other program that is using port 443,
> > and on upgrade, when Exchange tried to claim port 443 for SSL, it was
> > unable to (since the port was already claimed by another application), and so IIS
> > fails to start up that website (failure to claim binding for a website is
> > sufficient reason to fail the website). I am not certain that you will
> > ever find posts with people talking about this sort of "problem" since it
> > amounts to user error. If you configure multiple programs to use the same IP:Port
> > binding, all but the first will fail, and the pattern will be different,
> > depending on the application.
> >
> >
> > --
> > //David
> > IIS
> > http://blogs.msdn.com/David.Wang
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> > //
> > "Bernard" <qbernard@hotmail.com.discuss> wrote in message
> > news:u9AVTpVHFHA.3588@TK2MSFTNGP14.phx.gbl...
> > Who is the CA of the cert? Did you install the trusted root and
> > intermediate root cert as well?
> >
> > Don't think this applies to w2k3, but you can refer to it:
> > "Certificate Services Did Not Start" Message Appears in the Event Log Even
> > Though the Certificate Services Component Starts Successfully
> > http://support.microsoft.com/?id=822626
> >
> >
> > --
> > Regards,
> > Bernard Cheah
> > http://www.tryiis.com/
> > http://support.microsoft.com/
> > http://www.msmvps.com/bernard/
> >
> >
> >
> > "JohnF" <JohnF@discussions.microsoft.com> wrote in message
> > news:93D0BCB4-C7CD-4499-937D-845A2A62CF95@microsoft.com...
> > > All,
> > >
> > > I recently upgraded my Exchange 2000 server/Windows 2000. I installed
> > > Exchange 2003 and then upgraded to Windows 2003 server.
> > >
> > > In doing so, it broke SSL. I'm not sure why or how a mere upgrade did
> > > this, but it did - it could be my lack of knowledge with new features in
> > > Windows 2003 server. I do remember specifically it wasn't the upgrade to
> > > Exchange 2003 that broke it, it was only AFTER I ran the Windows 2003 Server
> > > upgrade installation. IIS manager would not let me start the "default web page",
> > > which housed our intranet, because it could not start SSL on port 443.
> > > Because we don't use SSL and only use internal webpages, I simply changed
> > > the port to 444 in the interim. After applying this change, the IIS service
> > > would then start, and it would serve both the Intranet and OWA fine. It has
> > > been working fine like this, without SSL on 443, for a couple of months.
> > >
> > > I have since discovered that some other service (?) might be starting
> > > before IIS, and is binding the SSL port (0.0.0.0:443) first. It might be
> > > "locking out" IIS from starting properly when you leave SSL on its default port
> > > of 443. If you do a netstat, you discover port 443 is listening, which I'm
> > > assuming is the problem.
> > >
> > > My problem is now I want to enable SSL on port 443, and I'm still not
> > > sure what's stopping it from doing so. Because I've never needed to use SSL,
> > > I've not bothered fixing it, but I need it now. I need to get IIS running the
> > > default web page on port 443 and not on my temporary fix of port 444.
> > >
> > > If you have any ideas or suggestions, or have indeed experienced this
> > > problem when upgrading Exchange 2000 - Exchange 2003, I'd love to hear
> > > from you. Googling has given me few clues.
> > >
> > > Thanks.
> > >
> > > PS running SSL diags reveals the following problem if this helps. (it is a
> > > hp server)
> > >
> > > Verifying server certificate, it might take a while...
> > > #WARNING:Error 0x800b0109 : A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
> > > Server certificate name: 10.1.1.1
> > > Server certificate subject: C=US, O=Hewlett-Packard Company, CN=10.1.1.1
> > > Server certificate issuer: C=US, O=Hewlett-Packard Company, CN=10.1.1.1
> > > Server certificate validity: From 2/16/2004 4:03:45 PM To 2/13/2014 4:03:45 PM
> > >
> > >
> > >
> >
> >
> >
> >
>
>
>
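
The check that settled this thread, as an added example that is not part of the original posts: `netstat` without `-a` lists only active connections, so a listening socket on 443 appears only with `netstat -ano`. The PowerShell below filters that output for listeners on one port and maps the PID to a process and any services it hosts; the function names and the sample output are constructed for illustration, and English-language `netstat` output is assumed.

```powershell
# Return the TCP listeners bound to $Port from `netstat -ano` text.
# Assumes English output (the State column reads LISTENING).
function Get-PortListener {
    param([string[]] $NetstatLines, [int] $Port)
    foreach ($line in $NetstatLines) {
        # Data rows have five columns: Proto, Local, Foreign, State, PID.
        $f = $line.Trim() -split '\s+'
        if ($f.Count -ne 5 -or $f[0] -ne 'TCP' -or $f[3] -ne 'LISTENING') { continue }
        # Split on the last colon so IPv6 forms such as [::]:443 also parse.
        $i = $f[1].LastIndexOf(':')
        if ($i -lt 0 -or $f[1].Substring($i + 1) -ne "$Port") { continue }
        [pscustomobject]@{
            LocalAddress = $f[1].Substring(0, $i)
            Port         = $Port
            OwningPid    = [int]$f[4]
        }
    }
}

# Map a listener's PID to its image name and to the services in that process
# (a svchost.exe PID alone does not say which service holds the port).
function Resolve-PortOwner {
    param([Parameter(ValueFromPipeline)] $Listener)
    process {
        $proc = Get-Process -Id $Listener.OwningPid -ErrorAction SilentlyContinue
        $svc  = Get-CimInstance -ClassName Win32_Service `
                    -Filter "ProcessId = $($Listener.OwningPid)" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $Listener.LocalAddress
            Port         = $Listener.Port
            OwningPid    = $Listener.OwningPid
            Process      = $proc.ProcessName
            Services     = ($svc.Name -join ',')
        }
    }
}

# Constructed sample output; addresses and PIDs are illustrative only.
$sample = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1816
  TCP    10.1.1.1:3389          10.1.1.50:4431         ESTABLISHED     1204
'@ -split "`r?`n"

Get-PortListener -NetstatLines $sample -Port 443
# On the affected server, run against live output and resolve the owner:
# Get-PortListener -NetstatLines (netstat -ano) -Port 443 | Resolve-PortOwner
```

Running the live form before changing an IIS site binding shows whether the IP:Port pair is already claimed, which is the condition David describes as failing the website.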


