SSL – Old Certificate Still Showing After Installing New

iisiis-7sslssl-certificatewindows-server-2012

We have an IIS ARR server which load balances out to two different individual IIS servers.

The servers in question are our internal Staging servers. Three months ago I created a free Let's Encrypt SSL Cert to use on these servers. As is the case with Let's Encrypt, it expired after 3 months. So today I got around to creating a new cert, and I replaced the old certs on the ARR server and both load balanced servers.

After doing that, and then going back to the site in any browser (including incognito mode), it's still showing the old invalid cert. I even went to the site on laptops that have never been to this site before just to see if the old cert was cached in my browser. Even those laptops loaded the site with the Not Secure warning.

These are the steps I've taken:

On the ARR server:

In IIS, on the server, open "Server Certificates"
Remove the old cert
Import the new cert
Verify the new expiry date is now 3 months out
IISReset

On the Two Load Balanced Servers:

In IIS, on the server, open "Server Certificates"
Remove the old cert
Import the new cert
Verify the new expiry date is now 3 months out
On the site, go into Bindings
Drill into SSL and verify that the SSL cert is the new one
IISReset

Yet despite all traces of the old cert being removed, including deleting the actual file, no matter what I do, it loads in every browser (ie, chrome, ff) on every computer showing the old cert still.

I don't know what else to do.

If this helps:

(I should add… there is a LOT of this exact same question on many different forums. I've read dozens of them. None of them have to lead me to a solution.)

Best Answer

If your load balancer is taking the SSL offload then it will be the device that terminates the SSL connection and performs the handshake. You'll need to make sure the load balancer has the correct certificate.

Related Solutions

Ssl – IIS 7 Still Serving old SSL Certificate

First a couple points that are probably the same for you

I was trying to update a certificate because it has expired.
I have multiple domains bound to the same IP. They happen to be a SAN certificate but that's probably irrelevant.
I was trying to use the centralized certificate store. Again I think this is irrelevant to most of my answer.
I had already attempted to update the certificate but it wasn't showing the new date.
You're probably in a panic right now if your old certificate already expired. Take a deep breath...

First I'd recommend strongly going to https://www.digicert.com/help/ and downloading their DigiCert tool. You can also use it online.

Enter in your website https://example.com and it will show you the expiration date and thumbprint (what MS calls the certificate hash). It does a realtime lookup so you don't have to worry whether or not your browser (or intermediate server) is caching something.

If you're using the centralized certificate store you'll want to be 100% sure the .pfx file is the latest version so go to your store directory and run this command:

C:\WEBSITES\SSL> certutil -dump www.example.com.pfx

This will show you the expiration date and hash/thumbprint. Obviously if this expiration date is wrong you probaly just exported the wrong certifcate to the filesystem so go and fix that first.

If you are using the CCS then assuming this certutil command gives you the expected expiration date (of your updated certificate) you can proceed.

Run the command:

netsh http show sslcert > c:\temp\certlog.txt
notepad c:\temp\certlog.txt

You likely have a lot of stuff in here so it's easier to open it up in a text editor.

You'll want to search this file for the WRONG hash that you got from digicert.com (or the thumbprint you got fromChrome).

For me this yielded the following. You'll see it is bound to an IP and not my expected domain name. This is the problem. It seems that this (for whatever reason I'm not sure) takes precedence over the binding set in IIS that I just updated for example.com.

IP:port                      : 10.0.0.1:443
Certificate Hash             : d4a17e3b57e48c1166f18394a819edf770459ac8
Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name       : My
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check                  : Enabled
Revocation Freshness Time    : 0
URL Retrieval Timeout        : 0
Ctl Identifier               : (null)
Ctl Store Name               : (null)
DS Mapper Usage              : Disabled
Negotiate Client Certificate : Disabled

I don't even know where this binding came from - I don't even have any SSL bindings on my default site but this server is a few years old and I think something just got corrupted and stuck.

So you'll want to delete it.

To be on the safe side you'll want to run the following comand first to be sure you're only deleting this one item:

C:\Windows\system32>netsh http show sslcert ipport=10.0.0.1:443

SSL Certificate bindings:
-------------------------

IP:port                      : 10.0.0.1:443
Certificate Hash             : d4a17e3b57e48c1166f18394a819edf770459ac8
Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name       : My
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check                  : Enabled
Revocation Freshness Time    : 0
URL Retrieval Timeout        : 0
Ctl Identifier               : (null)
Ctl Store Name               : (null)
DS Mapper Usage              : Disabled
Negotiate Client Certificate : Disabled

Now we've verified this is the 'bad' thumbprint, and expected single record we can delete it with this command:

C:\Windows\system32>netsh http delete sslcert ipport=10.0.0.1:443

SSL Certificate successfully deleted

Hopefully if you now go back to Digicert and re-run the command it will give you the expected certificate thumbprint. You should check all SAN names if you have any just to be sure.

Probably want to IISRESET here to be sure no surprises later.

Final note: If you're using the centralized certificate store and you're seeing erratic behavior trying to even determine if it is picking up your certificate from there or not don't worry - it's not your fault. It seems to sometimes pick up new files immediately, but cache old ones. Opening and resaving the SSL binding after making any kind of change seems to reset it but not 100% of the time.

Good luck :-)

SSL – Old SSL Certificate Cached on Internet Explorer

I'd wager that it's not caching, it's Server Name Indication.

Systems supporting SNI are getting the cert from the VirtualHost, while systems that do not (likely including that SSL Checker) are getting the first certificate to load on that port - which is not this one.

Scour your config for something else loading the old certificate (it's loading before the VirtualHost that you have there). Oh, and do a full restart on the apache process (not a reload) after changing it.

Best Answer

Related Solutions

Ssl – IIS 7 Still Serving old SSL Certificate

SSL – Old SSL Certificate Cached on Internet Explorer

Related Topic