We're trying to enable Secure Sockets Layer (SSL) on our site. We've installed a certificate but we can't create a secure (i.e., https://) connection. The site works fine with http, but when we use HTTP Secure (HTTPS), the Web browser waits for a long time, then times out and says it can't reach the server.
A: Troubleshooting SSL connection problems can be tedious, but here are a few common causes that you should look for:
- Port 443 isn't configured for the SSL connection—Open the Web site properties and ensure that the number 443 is listed in the SSL Port box. A bug in IIS can cause this number to not appear in the SSL Port box.
- The IP address listed in IIS isn't assigned to a NIC—Because you can type in any IP address in the IIS UI, the IP address listing can get out of sync with the IP addresses on the NIC. From a command prompt, run netstat -an and make sure an IP address is listening on port 443 (the output should list 0.0.0.0:443 or the IP address you defined for that site). For more information, see the Microsoft article "HOWTO: Determine If SSL Connectivity Is Not Working on the Web Server or on an Intermediate Device".
- The default Web site is using the IP address and port 443 that you are trying to use on your Web site—Port 443 might still be bound to the default site when you try to use it on another Web site, even if you remove the certificate from the default Web site. For more information, see the Microsoft articles "Page Cannot Be Displayed When You Connect Through SSL" and "IIS Binds To All Available IP Addresses When It Starts".
- Another product or service is using port 443, making that port unavailable to IIS—You can use freeware products such as SmartLine's Active Ports or Sysinternals' TCPView to show which processes are using which ports on your server.
- IP Security (IPSec) is blocking port 443—If you use IPSec rules locally on the server, IPSec might block port 443. To check this setting, open the Local Security Settings console in Administrative Tools and review the IPSec rules to determine whether a policy in force could be the problem.
- A firewall or router is blocking port 443—Try creating an SSL session on the IIS server. If you can successfully establish this session, you probably have a firewall or router that's blocking port 443 on the network or a proxy server that isn't forwarding correctly.
- The Web site uses host headers—Remember that you can't use host headers with an SSL site. If you can use the IP address, but not the host name, to create an SSL connection to the Web site, you're probably using host headers on the Web site. For more information, see the Microsoft article "HTTP 1.1 Host Headers Are Not Supported When You Use SSL".
- The certificate isn't the proper kind of certificate—Double-click the certificate file you installed on the Web site, and make sure it says "Ensures the identity of a remote computer" or "Server Authentication" under "This certificate is intended to". For more information, see the Microsoft article "Error Message: The Page Cannot Be Displayed … Cannot Find Server or DNS Error".
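
The netstat check in the list above can be scripted when you have several sites to verify. The following is an added example, not code from the original column: it parses netstat output and reports whether port 443 is listening on the IP address configured for the site. The sample text is constructed, and it uses netstat -ano (which adds a PID column for identifying the owning process) rather than the plain netstat -an shown above; the parser accepts both. The function names and result labels are illustrative.

```python
import re

# Constructed sample of `netstat -ano` output (not captured from a real server).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.10.5:443       0.0.0.0:0              LISTENING       4
  TCP    192.168.10.5:3389      10.0.0.7:50211         ESTABLISHED     1184
  UDP    0.0.0.0:500            *:*                                    716
"""

# TCP rows in LISTENING state; the PID column is optional so that
# plain `netstat -an` output parses as well.
LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING(?:\s+(\d+))?\s*$")


def listeners(netstat_text, port=443):
    """Return [(local_ip, pid_or_None)] for TCP sockets listening on port."""
    found = []
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if m and int(m.group(2)) == port:
            found.append((m.group(1), int(m.group(3)) if m.group(3) else None))
    return found


def diagnose(netstat_text, site_ip, port=443):
    """Classify the listener state for the IP address configured on the site."""
    socks = listeners(netstat_text, port)
    if not socks:
        return "no-listener"  # nothing bound: check the SSL Port box
    ips = {ip for ip, _ in socks}
    if site_ip in ips:
        return "listening"    # bound to the site's own address
    if "0.0.0.0" in ips:
        return "wildcard"     # bound to all addresses, maybe by another site or service
    return "wrong-ip"         # bound, but not to the address listed for the site


if __name__ == "__main__":
    print(listeners(SAMPLE), diagnose(SAMPLE, "192.168.10.5"))
```

A "wildcard" or "wrong-ip" result corresponds to the default-site and other-service causes in the list; the PID from netstat -ano tells you which process to look up in Task Manager or TCPView.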