IIS 7 and Above
SChannel Error after Replacing SSL Cert
Last post Sep 17, 2018 02:02 AM by henryc___
Sep 10, 2018 06:00 AM | henryc___
Hoping someone here can help.
Running Windows 2008R2, IIS 7.0, Site running in .net v4.0
Today I replaced the SSL certificate for an internal IIS site; previously the certificate was self-signed, out of date and using SHA1. We have now gone with an external trust certificate using SHA2.
Immediately after updating the binding to use the new certificate, Event IDs 36888 started being generated; additionally, whenever any user hits the site it goes straight to Reset Connection. It doesn't matter if trying to access the site locally on the server.
The following fatal alert was generated: 80. The internal error state is 1250.
The following fatal alert was generated: 80. The internal error state is 1051.
As part of an earlier separate Security Remediation we disabled the following Ciphers:
The following Protocols were also disabled; however, the registry keys for these have been removed, effectively re-enabling the Protocol.
If I change the certificate to use the old SHA1 certificate the site comes back up.
Any help greatly appreciated.
Sep 11, 2018 02:00 AM | deepakpanchal10
It is possible that you missed a step or did not do a step properly, which can cause this issue, or it is possible that there is some issue with the certificate.
You can try to refer to the link below and recheck the steps you took.
Check whether you took all the steps correctly or not.
How to create SHA2 CSR on windows server
If all the steps that you took were correct, then it can be an issue with the certificate.
Sep 12, 2018 01:58 AM | henryc___
Thanks for the reply.
We purchased an SSL certificate from Comodo and then imported it to the Personal Store in MMC.
I don't think a CSR is relevant here at all as we're not creating our own certificate.
Sep 14, 2018 05:26 AM | Terry Peng
Some developers who run into a similar issue report that the issue is caused by certificate corruption.
I would suggest you use another SSL certificate using SHA2 to reproduce the issue.
Besides, could you use the certificate on a new site for testing?
Sep 17, 2018 02:02 AM | henryc___
Thanks for the reply. I just tried issuing a self-signed SHA2 certificate and am experiencing the same problem: straight to Connection Reset and the same Schannel logs until I roll back to the expired SHA1 certificate.
I also tried binding the certificate to another IIS site, which works, leading me to believe there's something funky going on with the site code relying on SHA1 or something similar.
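Added diagnostic, not posted by anyone in this thread: a PowerShell script that dumps every Schannel override left in the registry by the earlier hardening (a protocol key that was deleted shows as "no override", meaning OS default rather than disabled) and then reports the signature hash, private key, server-authentication EKU, chain validity and key storage provider of the certificate on the HTTPS binding. The thumbprint parameter and the default SCHANNEL registry layout are assumptions; run it elevated on the IIS host.

```powershell
param(
    # Thumbprint of the certificate selected on the site's HTTPS binding (assumed input).
    [Parameter(Mandatory = $true)][string]$Thumbprint
)
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# 1. Explicit Schannel overrides. Only Enabled / DisabledByDefault values matter;
#    a missing key means Windows applies its built-in default for that item.
foreach ($group in 'Ciphers', 'Hashes', 'KeyExchangeAlgorithms', 'Protocols') {
    $path = Join-Path $schannel $group
    if (-not (Test-Path $path)) { "$group : no overrides (OS defaults apply)"; continue }
    Get-ChildItem -Path $path -Recurse | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $leaf  = ($_.Name -split '\\')[-2..-1] -join '\'   # e.g. "TLS 1.0\Server"
        foreach ($name in 'Enabled', 'DisabledByDefault') {
            if ($null -ne $props.$name) {
                # DWORD 0xFFFFFFFF reads back as -1; X8 prints it as FFFFFFFF.
                '{0,-40} {1,-18} = 0x{2:X8}' -f $leaf, $name, $props.$name
            }
        }
    }
}

# 2. The certificate itself. A server cert must carry the private key and the
#    Server Authentication EKU (1.3.6.1.5.5.7.3.1) or Schannel cannot use it.
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
$ekuExt = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$serverAuth = $false
if ($ekuExt) {
    $serverAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
}
New-Object PSObject -Property @{
    Subject       = $cert.Subject
    SignatureAlg  = $cert.SignatureAlgorithm.FriendlyName   # expect sha256RSA for a SHA2 cert
    HasPrivateKey = $cert.HasPrivateKey
    ServerAuthEKU = $serverAuth
    ValidUntil    = $cert.NotAfter
    ChainBuilds   = $cert.Verify()                          # false if the issuer chain is not trusted
} | Format-List

# 3. Which key storage provider holds the private key; certutil prints the
#    "Provider =" and "Key Container =" lines for the matching store entry.
certutil -store My $Thumbprint | Select-String -Pattern 'Provider|Key Container'
```

Compare the section 1 output against the cipher and protocol changes made during the earlier remediation, and check in section 2 that the new certificate has a private key, the server-auth EKU and a chain that builds on this host.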