If the original request from the end-user needs to be SSL, then the certificate needs to be on the ARR server as well. However, from the sounds of it, the issue does seem to be the response from the content node to ARR. What happens if you pull up the URL in question in a browser on the ARR node?
Error 0x80072f8f and your network trace clearly show a certificate chain problem, so I'm not sure why it's working in the browsers. If you view the certificate and look at the actual certificate chain, are the root and intermediate CAs in your certificate store on the backend and ARR nodes?
xxyyzz
8 Posts
HTTP Error 502.3 - Bad Gateway A security error occurred
Mar 24, 2011 09:43 PM
I am using ARR and URL Rewrite. I got HTTP to work; now I am trying HTTPS and I get the above error.
The Detailed Error Information is
I ran Microsoft Network Monitor and saw the following error in the trace
MicrosoftWindowsWebIO: 0x00000000014F0650: SSL Cert Validation Failure - Unable to Get Cert Chain (Error: Unknown value: 1) Context Handle(3533168 (0x35E970):21343648 (0x145ADA0)) (IgnoredServerCertErrors 4224 (0x1080)) (CertErrors 256 (0x100))
When I go directly from IE on the same PC that IIS 7 is running on to the end server (i.e. I bypass ARR and URL Rewrite), it works fine, so I am assuming (probably a big mistake) that my certificates are ok.
Any Help/Ideas?
owjeff
680 Posts
Re: HTTP Error 502.3 - Bad Gateway A security error occurred
Mar 26, 2011 05:35 PM
Do you have the certificate installed on the ARR server? Did you enable SSL offload?
OrcsWeb: Managed Windows Hosting Solutions
"Remarkable Service. Remarkable Support."
xxyyzz
8 Posts
Re: HTTP Error 502.3 - Bad Gateway A security error occurred
Mar 27, 2011 06:41 PM
I have a CA on the ARR. My understanding is that the certificate is on the server and it is sent to the ARR when an SSL connection is established.
Yes, SSL offload is enabled.
owjeff
680 Posts
Re: HTTP Error 502.3 - Bad Gateway A security error occurred
Mar 27, 2011 06:58 PM
You need to install the actual certificate that is in use on the content node on the ARR node as well. Then, you need to create a binding in IIS on the IP for that site and select the site's certificate on the ARR node. The backend request will use whatever protocol you have specified in the URL rewrite rule (typically just HTTP):
http://blogs.iis.net/wonyoo/archive/2008/07/10/ssl-off-loading-in-application-request-routing.aspx
xxyyzz
8 Posts
Re: HTTP Error 502.3 - Bad Gateway A security error occurred
Mar 27, 2011 09:14 PM
I need to do HTTPS to the back end server. It seems the problem is happening when the ARR is establishing an SSL connection to the backend server. In this case the ARR is the client and the back end server is the server in the SSL connection.
So the certificate needs to be on the server???
owjeff
680 Posts
Re: HTTP Error 502.3 - Bad Gateway A security error occurred
Mar 28, 2011 01:14 AM
xxyyzz
8 Posts
Re: HTTP Error 502.3 - Bad Gateway A security error occurred
Mar 28, 2011 12:55 PM
If I go directly from my browser to the back end server using HTTPS everything works fine.
It's when I introduce ARR as a reverse proxy that I have a problem.
I believe the order of events is as follows.
Browser makes HTTPS request to ARR.
ARR sends certificate to Browser.
Browser verifies certificate using its CA.
(up to this point everything is fine)
ARR makes HTTPS request to back end server
Back end Server sends certificate to ARR
*** Here is the problem
ARR should verify certificate using its CA (this is where the error occurs)
owjeff
680 Posts
Re: HTTP Error 502.3 - Bad Gateway A security error occurred
Mar 28, 2011 01:27 PM
That's why I asked what happens if you load the page from the ARR nodes to the back end server in a browser (i.e., log in to the ARR node via RDP and open Internet Explorer, then load the backend page). That should, in effect, be replicating what ARR is doing.
xxyyzz
8 Posts
Re: HTTP Error 502.3 - Bad Gateway A security error occurred
Mar 28, 2011 01:44 PM
When I use IE directly to the back end server - it works fine.
owjeff
680 Posts
Re: HTTP Error 502.3 - Bad Gateway A security error occurred
Mar 28, 2011 02:12 PM
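One way to check the certificate chain question raised in this thread from the ARR node itself (an added example, not code from any poster): the script fetches the certificate the backend presents and tries to build its chain against the local machine certificate stores rather than the logged-in user's stores. The host name `backend.example.internal` and the port are placeholders.

```powershell
# Diagnostic only: run on the ARR node.
# $BackendHost is a hypothetical placeholder; substitute the name used in the rewrite rule.
param(
    [string]$BackendHost = 'backend.example.internal',
    [int]$Port = 443
)

$tcp = New-Object System.Net.Sockets.TcpClient($BackendHost, $Port)
try {
    # Accept any certificate here so the handshake completes and the presented
    # certificate can be inspected; no application data is sent on this stream.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($BackendHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally {
    $tcp.Close()
}

# $true = build the chain in machine context (LocalMachine stores),
# not in the context of the user running the script.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
# Skip revocation so the result reflects chain building only, not CRL reachability.
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$ok = $chain.Build($cert)

"Leaf subject : $($cert.Subject)"
"Leaf issuer  : $($cert.Issuer)"
"Chain builds : $ok"
foreach ($el in $chain.ChainElements) {
    "  element: $($el.Certificate.Subject)"
}
foreach ($st in $chain.ChainStatus) {
    "  status : $($st.Status) - $($st.StatusInformation.Trim())"
}
```

A `PartialChain` status means an issuer certificate could not be found, and `UntrustedRoot` means the chain ends in a root that is not in the trusted root store used for the build.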