IIS 7.5, HTTPS Bindings and ERR_CONNECTION_RESET

I have a website with HTTP and HTTPS bindings running on my local IIS 7.5 server, and I encountered this error in Chrome, Error 101 (net::ERR_CONNECTION_RESET), while trying to access it over HTTPS. I checked IIS and the bindings were fine: both protocols were set and the self-signed certificate hadn't expired yet.

Since the website wasn't accessible over HTTPS and everything seemed OK at the IIS level, I suspected it was something that could be fixed with the netsh command.

The first thing to do was to list the SSL server certificate bindings:

netsh http show sslcert

As I expected, there was nothing shown. To "add a new SSL server certificate binding and corresponding client certificate policies for an IP address and port" (from help), netsh can be used with some basic parameters: ipport, certhash and appid.

The certhash value can be read either from IIS Manager (Manage server\Server Certificates, select a certificate, click View in the right menu, Details\Thumbprint, copy the value somewhere and remove the blanks between the groups) or by using the following command:


certutil -store MY

which outputs:

Serial Number: 59e762ee4c6bda874fed1c915d26e521
Issuer: CN=adi-PC
NotBefore: 21.07.2011 2:16
NotAfter: 21.07.2012 3:00
Subject: CN=adi-PC
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template:
Cert Hash(sha1): dc ab 84 55 bf 75 5c ad a4 b9 1d a6 64 45 68 b3 11 69 f0 20
Key Container = ea4cc866-f5b9-4737-a18e-1724e02961ba
Unique container name: 0e2c5f1fd1fe7a2461b77daf1973b1cb_d924ef92-4440-4132-82f8-cc223fca6bb8
Provider = Microsoft RSA SChannel Cryptographic Provider
Encryption test passed
CertUtil: -store command completed successfully.


The appid is any valid GUID surrounded by {}. I used PowerShell to create a new one, though I could also have taken the "Key Container" value.

The command looks like:

netsh http add sslcert ipport=0.0.0.0:443 certhash=dcab8455bf755cada4b91da6644568b31169f020 appid={ea4cc866-f5b9-4737-a18e-1724e02961ba}


The output of "netsh http show sslcert" is now:

SSL Certificate bindings:
-------------------------

IP:port : 0.0.0.0:443
Certificate Hash : dcab8455bf755cada4b91da6644568b31169f020
Application ID : {ea4cc866-f5b9-4737-a18e-1724e02961ba}
Certificate Store Name : (null)
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled


The ERR_CONNECTION_RESET error disappeared :)
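
The steps above as a single PowerShell script, added here as an example and not part of the original post. It assumes an elevated prompt and a certificate in the LocalMachine\My store; `$Subject`, `$IpPort`, `$Replace` and `Get-BoundHash` are names chosen for this example.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
param(
    [string]$Subject = 'CN=adi-PC',    # assumption: subject of the certificate to bind
    [string]$IpPort  = '0.0.0.0:443',
    [switch]$Replace                   # hypothetical switch: overwrite a different binding
)

# Newest certificate with that subject that has a private key and is in its validity period.
$now  = Get-Date
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey -and
                   $_.NotBefore -le $now -and $_.NotAfter -gt $now } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate '$Subject' in LocalMachine\My" }
$hash = $cert.Thumbprint.ToLower()     # 40 hex characters, no blanks to strip

# Read the hash currently bound to the endpoint (empty string when nothing is bound).
function Get-BoundHash {
    $out = (& netsh http show sslcert "ipport=$IpPort") -join "`n"
    [regex]::Match($out, '\b[0-9a-fA-F]{40}\b').Value.ToLower()
}

$bound = Get-BoundHash
if ($bound -eq $hash) { Write-Host "$IpPort is already bound to $hash"; return }
if ($bound) {
    # A different certificate is bound: change it only when explicitly asked to.
    if (-not $Replace) { throw "$IpPort is bound to $bound; rerun with -Replace to change it" }
    & netsh http delete sslcert "ipport=$IpPort" | Out-Null
}

$appId = [guid]::NewGuid().ToString('B')   # braces form, as in appid={...} above
& netsh http add sslcert "ipport=$IpPort" "certhash=$hash" "appid=$appId"

# Confirm that HTTP.sys now reports the expected hash for the endpoint.
if ((Get-BoundHash) -ne $hash) { throw "Binding for $IpPort was not created" }
```

Filtering on NotAfter and HasPrivateKey keeps an expired certificate, or one without its key, from being bound.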


Note: I don't do this kind of thing every day; after all, I'm only a developer. This was not a simple thing for me to do. It actually took about two hours of googling, even though netsh wasn't new to me, which was a bit frustrating. But how can I test the 3D Secure integration on an eshop when my SSL is down? I can't! So I needed to have it working.

Comments

  1. Hi,
    I am facing the same problem. I tried all the above ways, but no luck.
    Basically, I am not able to open up any page hosted on localhost, that is, during debugging. Every time I get the error 'ERR_CONNECTION_RESET'.
    Please do let me know how to treat this kind of IIS issue.
  2. Thanks a lot for such a detailed article. My issue is also resolved with the steps provided. Thanks
  3. Same problem here! Suddenly - just one day after another - without changing anything in the system (which is BTW Windows 10 Pro) - I get an ERR_CONNECTION_RESET when trying to browse my development website. The solution was to set the certificate for the HTTPS binding in IIS. The setting had gotten lost somehow between restarts.
  4. This article is very helpful. Thanks a lot!