10 Replies Latest reply on Dec 12, 2009 6:14 PM by jcrowland Branched to a new discussion.

    Windows 2008 SSL

    phyler Novice

      I have an interesting issue. I have a wildcard SSL cert that was purchased from Network Solutions. It is *.domain.com. If I bind SSL to a website inside IIS 7 on a Windows 2008 box running on VMware ESX 3.5 64607, the machine breaks. The VMware Tools no longer start up and the network looks disconnected, yet if I go edit the settings it shows the network is connected. I can't ping the machine at all. If I roll back to the snapshot I took right before I set up the SSL, everything works great.

      I have this same setup working on both physical boxes and some MS VMs; it is just VMware that has this issue. Anyone else ever see this?

      Thanks!

      Adam

        • 1. Re: Windows 2008 SSL
          kjb007 Guru

          If you remove the cert, does the problem go away? The ESX host really does not look at specific applications running on the VM, per se, so I couldn't imagine it would have an issue with you loading a certificate on an IIS 7 server running on Windows 2008. I'll have to check this out myself to see if it makes a difference. If you look in your Event Viewer, do you see any other errors?

          There are other users experiencing issues with their network card appearing to get disconnected, but it has been due to other issues.

          Are you running 32 or 64-bit 2008? Are you using the flexible enhanced driver, or the e1000?

          -KjB

          • 2. Re: Windows 2008 SSL
            phyler Novice

            Once you add the cert and reboot, network connectivity is lost and the server will no longer start IIS, so you can't remove the binding.

            There are no errors in the Event Viewer.

            I am running x64 2008 Standard Edition. I am using the enhanced driver.

            The strange part is that the VMware Tools fail to start, as do several other services. I can do anything else I want to the box, but as soon as I bind the cert to a website and reboot, everything goes nutty and I have to roll back to a snapshot. Everything works fine until a reboot too, which is weird (i.e. the SSL cert works when you hit https://servername).

            Any thoughts are appreciated.

            • 3. Re: Windows 2008 SSL
              kjb007 Guru

              Remove the NIC and re-add it. I seem to remember having to use the regular NIC for 64-bit Windows, and not the enhanced. When the VM comes back up, re-install the VMware Tools.

              -KjB

              • 4. Re: Windows 2008 SSL
                phyler Novice

                So, I was using the e1000; I switched it to vmxnet just to test. The machine does the same thing with either network adapter installed. I'm stumped at this point due to the fact that the machine works fine until I add the SSL cert.

                I have switched it back to the e1000 in the meantime and will keep battling the issue.

                Adam

                • 5. Re: Windows 2008 SSL
                  kjb007 Guru

                  I'd like to see the log, if I could, after you bind the cert and the server fails to come up. Can you post it here?

                  -KjB

                  • 6. Re: Windows 2008 SSL
                    phyler Novice

                    Here is the log:

                    Task Completed : haTask-800-vim.VirtualMachine.powerOn-134492
                    2008-05-03 07:50:09.074 'vm:/vmfs/volumes/685809e7-005a8d84/cpb-bdr-ms/cpb-bdr-ms.vmx' 115338160 info Ticket issued for mks connections to user: vpxuser
                    Failed to validate VM IP address:
                    Hw info file: /etc/vmware/hostd/hwInfo.xml
                    Config target info loaded
                    Failed to validate VM IP address:
                    DISKLIB-VMFS : "/vmfs/volumes/685809e7-005a8d84/cpb-bdr-ms/cpb-bdr-ms-000005-delta.vmdk" : open successful (17) size = 64424509440, hd = 0. Type 8
                    DISKLIB-VMFS : "/vmfs/volumes/685809e7-005a8d84/cpb-bdr-ms/cpb-bdr-ms-000005-delta.vmdk" : closed.
                    DISKLIB-VMFS : "/vmfs/volumes/685809e7-005a8d84/cpb-bdr-ms/cpb-bdr-ms-000005-delta.vmdk" : open successful (19) size = 64424509440, hd = 0. Type 8
                    DISKLIB-VMFS : "/vmfs/volumes/685809e7-005a8d84/cpb-bdr-ms/cpb-bdr-ms-000004-delta.vmdk" : open successful (23) size = 64424509440, hd = 0. Type 8
                    DISKLIB-VMFS : "/vmfs/volumes/685809e7-005a8d84/cpb-bdr-ms/cpb-bdr-ms-000002-delta.vmdk" : open successful (23) size = 64424509440, hd = 0. Type 8
                    DISKLIB-VMFS : "/vmfs/volumes/685809e7-005a8d84/cpb-bdr-ms/cpb-bdr-ms-000003-delta.vmdk" : open successful (23) size = 64424509440, hd = 0. Type 8
                    DISKLIB-VMFS : "/vmfs/volumes/685809e7-005a8d84/cpb-bdr-ms/cpb-bdr-ms-flat.vmdk" : open successful (23) size = 64424509440, hd = 0. Type 3
                    DISKLIB-VMFS : "/vmfs/volumes/685809e7-005a8d84/cpb-bdr-ms/cpb-bdr-ms-000005-delta.vmdk" : closed.
                    DISKLIB-VMFS : "/vmfs/volumes/685809e7-005a8d84/cpb-bdr-ms/cpb-bdr-ms-000004-delta.vmdk" : closed.
                    DISKLIB-VMFS : "/vmfs/volumes/685809e7-005a8d84/cpb-bdr-ms/cpb-bdr-ms-000002-delta.vmdk" : closed.
                    DISKLIB-VMFS : "/vmfs/volumes/685809e7-005a8d84/cpb-bdr-ms/cpb-bdr-ms-000003-delta.vmdk" : closed.
                    DISKLIB-VMFS : "/vmfs/volumes/685809e7-005a8d84/cpb-bdr-ms/cpb-bdr-ms-flat.vmdk" : closed.
                    Failed to validate VM IP address: unknown
                    Hw info file: /etc/vmware/hostd/hwInfo.xml
                    Config target info loaded
                    Failed to validate VM IP address: unknown

                    This is all I get, you can see on the fourth to last line what happened as soon as I bind the SSL cert.  The last three lines are the reboot after I bind the SSL cert.

                    Thanks,

                    Adam

                    • 7. Re: Windows 2008 SSL
                      jwahlen Lurker

                      Did anyone figure this out? I have the same thing on 2 different ESX servers with 2 different virtual servers. Anytime I have IIS 7 and a wildcard SSL, it will run fine until I reboot, then VM Tools stops working and the network fails. I have to remove the NIC from 2008, reboot, and then set up the network settings again.

                      • 8. Re: Windows 2008 SSL
                        chadjoubert Lurker

                        The issue is the Network Solutions certificate, not the wildcard. Because Microsoft does not have the intermediate certs on the server, you need to install them: UTNAddTrustServer_CA.crt, NetworkSolutions_CA.crt. The root certificate: AddTrustExternalCARoot.crt.

                        Start -> mmc -> File -> Add/Remove Snap-in -> Certificates, then select Computer Account, Local Computer.

                        Right-click on Trusted Root Certificates and import the other certs. Allow the wizard to choose the location.

                        • 9. Re: Windows 2008 SSL
                          htoudiee Enthusiast

                          The above solution is correct. In case anyone needs the UTNAddTrustServerCA Intermediate Cert, you can download it here.

                          https://support.comodo.com/index.php?_m=downloads&_a=viewdownload&downloaditemid=8&nav=0,1,6

                          *You need to import this cert into the Intermediate store.
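
A way to find which installed certificates are affected by the missing-intermediate problem described in replies 8 and 9, as an added example that is not part of the original posts. It walks every certificate in the LocalMachine\My store up to a root using only what is already in the machine's Intermediate (CA) and Trusted Root stores. The function names are hypothetical, and matching an issuer by subject name is a simplification of how Windows builds chains.

```powershell
# Added example: report LocalMachine\My certificates whose chain cannot be
# completed from certificates already installed in the local machine stores.
# Assumption: issuer lookup by subject name is good enough for triage.

function Find-LocalIssuer($Cert) {
    # Search the Intermediate (CA) store first, then Trusted Root.
    foreach ($store in 'CA', 'Root') {
        $hit = Get-ChildItem "Cert:\LocalMachine\$store" |
            Where-Object { $_.Subject -eq $Cert.Issuer } |
            Select-Object -First 1
        if ($hit) { return $hit }
    }
}

function Test-LocalChain($Cert) {
    $rootPrints = Get-ChildItem Cert:\LocalMachine\Root |
        ForEach-Object { $_.Thumbprint }
    $current = $Cert
    $status  = 'Chain longer than 10 certificates'
    for ($depth = 0; $depth -lt 10; $depth++) {
        if ($current.Subject -eq $current.Issuer) {
            # Self-signed: complete only if it sits in Trusted Root.
            if ($rootPrints -contains $current.Thumbprint) { $status = 'Complete' }
            else { $status = 'Self-signed, not in Trusted Root' }
            break
        }
        $issuer = Find-LocalIssuer $current
        if (-not $issuer) { $status = "Missing issuer: $($current.Issuer)"; break }
        $current = $issuer
    }
    New-Object PSObject -Property @{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        Status     = $status
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-LocalChain $_ } |
    Sort-Object Status |
    Format-List Subject, Thumbprint, Status
```

Any certificate reported with a "Missing issuer" status names the intermediate or root that still has to be imported on that server.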

                           

                           

                          • 10. Re: Windows 2008 SSL
                            jcrowland Novice

                            I have encountered this exact issue and initially thought this was related to ESX and network drivers due to the extreme flakiness of the problem, even though it didn't make logical sense. Same bit, stuck on "applying computer settings", not able to do much useful with the network on or in safe mode, but could ping. Most services just won't start (Terminal Services, IIS, etc...)

                            I run various 2008 IIS servers and unfortunately reproduced this exact issue on multiple servers, 32-bit, 64-bit, different SP's. I have so many SSL certificates from various vendors that hunting down the offender was difficult because there is no logging whatsoever in IIS7 or Windows 2008 to indicate what the problem is. It boggled my mind that one missing Intermediary cert could cause such systemic havoc without any warning... I felt like I was working with NT 3.51.

                            This Microsoft KB article describes this problem without focusing on the SSL side of it. Sure enough, upon making the registry changes outlined, everything works upon reboot... seems to involve the SCM database and references SSL keys:

                            http://support.microsoft.com/default.aspx/kb/2004121

                            Be aware, the version of the MSFT KB posted now has obvious typos for the registry entry to change... misspelling Services and leaving out System.

                            MSFT's KB authors meant to say:

                            1. Open Registry Editor
                            2. Navigate to HKLM\System\CurrentControlSet\Services\HTTP and create the following Multi-string value: DependOnService
                            3. Double click the new DependOnService value that you created
                            4. Enter CRYPTSVC in the Value Data field and click OK
                            5. After you have made this change, you will need to reboot the server.

                            If I remove the DependOnService=CRYPTSVC, the server images break again upon reboot; if I add it, it works. If you read the KB article it references SSL keys, doesn't sound like MSFT has a 100% handle on it yet, but this worked for me.

                            Hope this helps someone else out there, I've been wrangling with this issue since Thanksgiving.

                            --John
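
The five registry steps in the reply above, scripted so the change can be checked and applied the same way across several servers (an added example, not part of the original post or the KB article). The function name and the `-Apply` switch are hypothetical; the key, value name and data are the ones given in the post, and any dependencies already listed are preserved.

```powershell
# Added example: make the HTTP service depend on CRYPTSVC, as in steps 1-5.
function Set-HttpCryptSvcDependency {
    param([switch]$Apply)   # without -Apply the function only reports

    $key  = 'HKLM:\System\CurrentControlSet\Services\HTTP'
    $name = 'DependOnService'
    $dep  = 'CRYPTSVC'

    # Read the current multi-string value; it may not exist yet.
    $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    $existing = @()
    if ($prop) { $existing = @($prop.$name | Where-Object { $_ }) }

    if ($existing -contains $dep) {          # -contains ignores case
        return "$name already lists $dep; nothing to change."
    }

    # Keep any dependencies already configured and append the new one.
    $new = [string[]]($existing + $dep)
    if (-not $Apply) {
        return "Would set $name to: $($new -join ', ') (re-run with -Apply)."
    }

    New-ItemProperty -Path $key -Name $name -PropertyType MultiString `
        -Value $new -Force | Out-Null
    "Set $name to: $($new -join ', '). Reboot the server for it to take effect."
}

Set-HttpCryptSvcDependency          # dry run; add -Apply from an elevated prompt
```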