Using a self-signed certificate for ARR/URL Rewrite proof of concept [Answered]

7 replies

Last post Jan 26, 2012 01:14 PM by pirate99

  • Using a self signed certificate for ARR/URL Rewrite proof of concept

    Dec 22, 2011 10:40 AM|Mister C|LINK

    Hi, I've successfully negotiated the set-up of ARR/URL Rewrite in IIS7 with the help of various posts on here - but there's one area which I can't resolve.

    Part of this proof of concept exercise is to see how SSL hangs together without SSL offloading (in our scenario we need to secure traffic between the DMZ and the Application server due to the sensitivity of the data).

    The pattern is a Reverse Proxy design, as follows

    [Client Browser] >>>SSL>>>  [Reverse Proxy Server IIS with ARR/URL Rewrite] >>>SSL>>> [Application Server IIS7]

    For the purposes of the proof of concept, I had generated a self-signed certificate and imported that into the Reverse Proxy server.

    When I log onto the Reverse Proxy server and pull up the Application Server URL in a browser from that machine, I see the normal warning saying the certificate isn't trusted, I accept this, and then the page displays. 

    However, when I pull up the Reverse Proxy test page (which rewrites to the Application Server URL) then I just get HTTP Error 502.3 - Bad Gateway.

     Failed Request Routing log file info

     ModuleName: ApplicationRequestRouting
     Notification: 128
     HttpStatus: 502
     HttpReason: Bad Gateway
     HttpSubStatus: 3
     ErrorCode: 2147954575
     ConfigExceptionInfo
     Notification: EXECUTE_REQUEST_HANDLER
     ErrorDescription: A security error occurred

    Would be extremely grateful for any pointers on how to resolve this! Thank you

  • Re: Using a self signed certificate for ARR/URL Rewrite proof of concept

    Dec 22, 2011 11:51 AM|Mister C|LINK

     I think I may have realised what the problem was... I was generating the cert first on the Application server, then importing this to the Reverse Proxy server.

     I have just tried creating a self-signed certificate on the Reverse Proxy server, and then importing this into the Application Server. This way round, it works. 

  • Re: Using a self signed certificate for ARR/URL Rewrite proof of concept

    Jan 19, 2012 08:35 AM|Adrian B.|LINK

    Thanks for your hints. I also faced the same problems and realized the behavior. I can redo your workaround here, but it is of course only working on one load balance server. Since I have 2 load balance servers because of a high availability scenario, only server 1 is working. On server 2 I still get:

     tokenUserName="NT AUTHORITY\IUSR"
     authenticationType="anonymous"
     activityId="{00000000-0000-0000-0700-0080000000FD}"
     failureReason="STATUS_CODE"
     statusCode="502.3"

    I will try to find out if IUSR is not able to read self-signed trusted certificates. I think there was something similar for another purpose concerning IUSR or the ApplicationPool user reading self-signed certificates.

     But really thanks for your hints. Brings me closer to the target.

    Okay, found the solution. After generating the one certificate and importing it to all servers, only on the main server was the cert in the computer's trusted store. After adding this cert also to the trusted store at computer level on the other servers, it's all working nicely.

  • Re: Using a self signed certificate for ARR/URL Rewrite proof of concept

    Jan 24, 2012 06:12 PM|pirate99|LINK

    Hi - I am trying to do the same thing, but am still not having any luck.

    I created the self-signed SSL cert on the reverse proxy server, then exported it with its private key to a .pfx file. I then imported that .pfx file onto the app server machine, into Local Computer/Certificates/Trusted Certificates. I even imported it under Personal/Certificates and granted explicit access to my App Pool domain account.

    Are there any other tips you all can share? Thanks very much!

  • Re: Using a self signed certificate for ARR/URL Rewrite proof of concept

    Jan 25, 2012 09:19 AM|Mister C|LINK

    Here's what I did...

    Reverse Proxy server

    1.    Server root, Click Server Certificates, Select certificate, Export. Save as PFX file.
    2.    Enter Password

    Application server

    1.    Server root, Click Server Certificates, Select certificate, Import PFX file.
    2.    Select Web site, Edit Site / Bindings / Add – select https. Select cert name from SSL Certificate dropdown.
    3.    Web Site / SSL Settings – set to Require SSL, Ignore Client Certificates.
    4.    Import root and intermediate certificates as described in the following article (https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1202 )

    HTH...If not, what error do you see?
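
The procedure in the post above (and Adrian B.'s finding earlier in the thread that the certificate must sit in the Local Computer trusted store on every ARR node) can be scripted. What follows is an added example written for this page, not code from the thread or from Microsoft. It assumes Windows Server 2012 or later with the PKI and WebAdministration PowerShell modules (the IIS7-era setup discussed in the thread predates both and used the MMC/IIS Manager instead); the host name appserver.internal.example, the site name, the file paths and the password are placeholders, and Test-BackendTrust is a helper written here. Two points a practitioner will want to keep in mind: the ARR server only needs the backend's public certificate (.cer) in Cert:\LocalMachine\Root to trust it, so the private key does not have to leave the application server; and the host name in the rewritten URL must match the certificate's subject or SAN, otherwise the chain check fails with the same 502.3.

```powershell
# Added example (not from the thread): self-signed backend certificate for an
# ARR reverse-proxy proof of concept. Assumes Windows Server 2012+ with the
# PKI and WebAdministration modules; host name, paths, site name and password
# are placeholders.

# ---- Run on the application server ---------------------------------------
$backendHost = 'appserver.internal.example'   # assumed; must equal the host in the ARR rewrite URL
$pfxPath     = 'C:\certs\appserver.pfx'       # private key: stays on the app-server side
$cerPath     = 'C:\certs\appserver.cer'       # public cert: this is all the proxy needs
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX export password'

# 1. Create the certificate with a DNS name equal to the host name the proxy
#    will use. ARR validates the name as well as the chain, so an IP address
#    or a different host header in the rewrite rule also yields 502.3.
$cert = New-SelfSignedCertificate -DnsName $backendHost `
        -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Bind it to the site's https listener and require SSL
#    (sslFlags 'Ssl' = Require SSL, ignore client certificates).
Import-Module WebAdministration
New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -HostHeader $backendHost
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert -Force | Out-Null
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site' `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# 3. Export. The .cer carries no private key and can travel freely; the PFX
#    is only for backup or for additional application-server nodes.
Export-Certificate    -Cert $cert -FilePath $cerPath | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# ---- Run on EVERY ARR / reverse-proxy node -------------------------------
# 4. Trust the backend certificate at machine level. The application pool
#    identity and IUSR evaluate chains against the LocalMachine stores, so a
#    certificate trusted only in a user's store does not help (and, as the
#    thread shows, a node that was skipped keeps returning 502.3).
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 5. Check the chain the way ARR's client side will, before touching the
#    rewrite rule: default SslStream validation rejects untrusted roots and
#    name mismatches, which is exactly what "A security error occurred" hides.
function Test-BackendTrust {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)   # throws if chain or host name fails validation
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{ Host = $HostName; Trusted = $true; Subject = $remote.Subject; Thumbprint = $remote.Thumbprint; Error = $null }
    } catch {
        [pscustomobject]@{ Host = $HostName; Trusted = $false; Subject = $null; Thumbprint = $null; Error = $_.Exception.Message }
    } finally {
        $client.Close()
    }
}

Test-BackendTrust -HostName $backendHost | Format-List
```

Run the first block on the application server and the second on each proxy node; only the .cer file moves between them. If Test-BackendTrust reports Trusted = False after step 4, compare its Thumbprint and Subject with the certificate in Cert:\LocalMachine\Root and with the host name used in the rewrite rule before looking anywhere else.
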

  • Re: Using a self signed certificate for ARR/URL Rewrite proof of concept

    Jan 25, 2012 11:14 AM|pirate99|LINK

    Thank you very much, Mister C! Your detailed steps worked perfectly for me. Best Regards, Mark

  • Re: Using a self signed certificate for ARR/URL Rewrite proof of concept

    Jan 25, 2012 11:39 AM|Mister C|LINK

    Hi Mark, great news - glad I could help!

    ~ Mr C

  • Re: Using a self signed certificate for ARR/URL Rewrite proof of concept

    Jan 26, 2012 01:14 PM|pirate99|LINK

    One last question (I hope!).

    If I used a "real" SSL certificate instead of a self-signed certificate, would it also need to be installed on both machines? Or would it be OK to install separate SSL certs on each machine? I am looking to document these steps for a customer who would be using real certs instead of the self-signed certs we create in our dev environment.

    Many thanks again for any information!

    Mark