After installing a new SSL certificate for our domain on IIS7 (Windows Server 2008), we encountered a connection reset error when accessing the site via HTTPS. The issue manifests in both Firefox and Chrome, affecting both local and remote clients. The HTTP version of the site remains accessible.
- The site is inaccessible via HTTPS using either domain name or IP address
- Another SSL-secured site on the same server (bound to a different IP) works normally
- HTTP access to the problematic site remains functional
This scenario typically indicates an SSL binding misconfiguration in IIS. The most common causes include:
netsh http show sslcert
This command helps verify if the certificate is properly bound to the correct IP:port combination. A common mistake is having multiple certificates bound to the same IP address with the default port 443.
For IIS7, we need to check both the IIS Manager and the underlying Windows HTTP configuration:
# PowerShell command to list all SSL bindings
Get-ChildItem IIS:\SslBindings | Format-Table -AutoSize
The mention of another working SSL site on a different IP suggests we might be dealing with one of these scenarios:
- Missing SNI (Server Name Indication) configuration
- Port conflict on the same IP
- Certificate binding to "All Unassigned" IP addresses
Here's how to properly configure the SSL binding in IIS7:
# Using appcmd to set up SSL binding
%windir%\system32\inetsrv\appcmd set site /site.name:"YourSiteName" /+bindings.[protocol='https',bindingInformation='*:443:yourdomain.com']
For Windows Server 2008, we also need to ensure SNI is properly configured if using multiple SSL sites on the same IP:
# Setting up SNI binding
netsh http add sslcert ipport=0.0.0.0:443 certhash=YourCertHash appid={YourAppGUID} certstorename=MY verifyclientcertrevocation=disable verifyrevocation=disable
Don't forget to verify that port 443 is open in Windows Firewall:
netsh advfirewall firewall add rule name="HTTPS" dir=in action=allow protocol=TCP localport=443
After making these changes:
- Restart IIS (
iisreset) - Test with OpenSSL:
openssl s_client -connect yourdomain.com:443 - Check the certificate chain using online SSL checkers
When implementing SSL certificates on IIS7/Windows Server 2008, the sudden appearance of connection reset errors (especially when the HTTP version remains accessible) typically points to one of these core issues:
// Common HTTP.sys error patterns seen in Event Viewer:
Event ID 36874: "A fatal alert was received from the remote endpoint."
Event ID 36888: "The TLS protocol defined fatal error code encountered."
First, verify that your website is properly bound to port 443 in IIS:
netsh http show sslcert
If you don't see your IP:443 combination listed, you'll need to add the binding manually:
netsh http add sslcert ipport=0.0.0.0:443
certhash=YOUR_CERT_THUMBPRINT
appid={YOUR_APP_GUID}
A common culprit is intermediate certificate misconfiguration. Use OpenSSL to test:
openssl s_client -connect yourdomain.com:443 -showcerts
The output should show a complete chain from your certificate to a trusted root CA. Missing intermediates will cause silent failures.
For IIS7 specifically, these settings often need adjustment:
- Ensure "Require SSL" is not checked (initially) in IIS Directory Security
- Verify the certificate is assigned to the correct website in IIS Manager
- Check SSL Settings at both server and site level don't conflict
Windows Firewall might be blocking the handshake:
netsh advfirewall firewall add rule
name="HTTPS Inbound"
dir=in action=allow protocol=TCP localport=443
If you're behind NAT, ensure port forwarding preserves the original client IP (SNAT can break SSL).
When all else fails, these tools provide visibility:
// Capture handshake attempts:
Wireshark filter: tcp.port == 443 && ssl
// Test cipher suite compatibility:
nmap --script ssl-enum-ciphers -p 443 yourdomain.com
// Verify protocol support:
TestSSLServer.jar yourdomain.com 443
Remember that IIS7 has limited TLS 1.2 support out of the box - you may need to install KB4019276 for modern browser compatibility.