Cannot Bind Certificate to domain - IIS 10

Facing this error in IIS 10 on Windows Server 2016:
on selecting the SSL certificate generated by CertifytheWeb,
the following error shows up.

“A specified logon session does not exist. It may already have been terminated. (Exception for HRESULT: 0x80070520)”

2023-09-05 17:35:01.424 +00:00 [INF] ---- Beginning Request [domain.info] ----
2023-09-05 17:35:01.424 +00:00 [INF] Certify/6.0.11.0 (Windows; Microsoft Windows NT 10.0.14393.0)
2023-09-05 17:35:01.425 +00:00 [INF] Beginning certificate request process: domain.info using ACME provider Anvil
2023-09-05 17:35:01.425 +00:00 [INF] The selected Certificate Authority is: Let’s Encrypt
2023-09-05 17:35:01.425 +00:00 [INF] Requested identifiers to include on certificate: domain.info [dns];*.domain.info [dns]
2023-09-05 17:35:01.885 +00:00 [INF] Created ACME Order: https://acme-v02.api.letsencrypt.org/acme/order/69107042/206396710956
2023-09-05 17:35:01.981 +00:00 [INF] Order is ready and valid. Auth challenges will not be re-attempted.
2023-09-05 17:35:01.981 +00:00 [INF] [Progress] Order authorizations already completed.
2023-09-05 17:35:01.981 +00:00 [INF] Resuming certificate request using CA: Let’s Encrypt
2023-09-05 17:35:01.981 +00:00 [INF] [Progress] Requesting certificate via Certificate Authority
2023-09-05 17:35:03.459 +00:00 [INF] [Progress] Completed certificate request.
2023-09-05 17:35:03.682 +00:00 [INF] [Progress] Performing automated certificate binding
2023-09-05 17:36:36.073 +00:00 [ERR] System.Runtime.InteropServices.COMException (0x80070520): A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)
at Certify.Management.Servers.ServerProviderIIS.d__20.MoveNext() in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Core\Management\Servers\ServerProviderIIS.cs:line 372
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Management.Servers.IISBindingDeploymentTarget.d__3.MoveNext() in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Core\Management\Servers\ServerProviderIIS.cs:line 1039
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Core.Management.BindingDeploymentManager.d__9.MoveNext() in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Core\Management\BindingDeploymentManager.cs:line 478
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Certify.Core.Management.BindingDeploymentManager.d__7.MoveNext() in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Core\Management\BindingDeploymentManager.cs:line 292
System.Runtime.InteropServices.COMException (0x80070520): A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)
at Certify.Management.Servers.ServerProviderIIS.d__20.MoveNext() in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Core\Management\Servers\ServerProviderIIS.cs:line 372
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Management.Servers.IISBindingDeploymentTarget.d__3.MoveNext() in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Core\Management\Servers\ServerProviderIIS.cs:line 1039
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Core.Management.BindingDeploymentManager.d__9.MoveNext() in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Core\Management\BindingDeploymentManager.cs:line 478
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Certify.Core.Management.BindingDeploymentManager.d__7.MoveNext() in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Core\Management\BindingDeploymentManager.cs:line 292
System.Runtime.InteropServices.COMException (0x80070520): A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)
at Certify.Management.Servers.ServerProviderIIS.d__20.MoveNext() in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Core\Management\Servers\ServerProviderIIS.cs:line 372
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Management.Servers.IISBindingDeploymentTarget.d__3.MoveNext() in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Core\Management\Servers\ServerProviderIIS.cs:line 1039
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Core.Management.BindingDeploymentManager.d__9.MoveNext() in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Core\Management\BindingDeploymentManager.cs:line 478
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Certify.Core.Management.BindingDeploymentManager.d__7.MoveNext() in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Core\Management\BindingDeploymentManager.cs:line 292
2023-09-06 04:13:54.067 +00:00 [INF] [Progress] Performing automated certificate binding
2023-09-06 04:15:27.475 +00:00 [ERR] An error occurred installing the certificate. Certificate file may not be valid: C:\ProgramData\certify\assets\domain.info\20231204_9544bb1.pfx

Please help urgently.
Thank You

Generated a new SSL certificate from Zerossl website and that has been accepted by IIS.

4 domains use the auto certificates through CertifytheWeb; unfortunately IIS is not accepting these valid certificates on any domain. The certificates are present in the Web Hosting store and can be viewed too, yet it still gives this binding error.

This looks like a problem writing the certificate to the Local Machine certificate store. Is the Certify background service running as the default Local System user? You may need to investigate whether there have been previous custom changes to the Private Key storage permissions.

Try restarting the machine to see if the problem goes away, then use Certificate > Advanced > Actions > Re-Apply certificate bindings to re-attempt applying the PFX to the certificate store and IIS bindings.

Is there a reason you have the Web Hosting store selected? This is not the default; as an alternative you could try the My (Personal) store, as this is the normal default.

Thank you for your prompt reply.

Changed the certificate store to Personal and used the re-attempt, yet:

2023-09-07 14:55:16.478 +00:00 [INF] [Progress] Performing automated certificate binding
2023-09-07 14:56:19.149 +00:00 [ERR] An error occurred installing the certificate. Certificate file may not be valid: C:\ProgramData\certify\assets\domain.info\20231205_1c7c6dc4.pfx

Also, exporting the saved certificate from the certificate store gives an option to only export it without the private key.

Used certbot to generate the certificate manually, and then used openssl:

type fullchain.pem privkey.pem > bundle.pem

openssl pkcs12 -export -out "certificate_combined.pfx" -inkey "privkey.pem" -in "cert.pem" -certfile bundle.pem

Yet this file also did not work and kept giving a wrong password error.

Lastly used SSL Converter (Convert SSL Certificates to different formats) to convert the file to PFX, and this has worked.

Please advise.

Thank You
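The post above builds the PFX by hand and then gets a wrong-password error from Windows. As an added example (not code from the original post or from Certify The Web), here is a PowerShell script that assembles the PFX from certbot's output with the chain passed separately from the private key, checks that the key actually matches the certificate, and then verifies the file twice: once with OpenSSL and once with the Windows CryptoAPI that IIS and Certify use. It assumes openssl.exe is on PATH and that certbot's default files cert.pem, privkey.pem and chain.pem are in the current directory. The -Legacy switch exists because OpenSSL 3.x encrypts PKCS#12 files with AES-256-CBC/PBKDF2 by default, and older Windows releases such as Server 2016 reject such a file as a wrong password even though OpenSSL opens it fine.

```powershell
# Build a PFX from certbot output and verify it before giving it to IIS.
# Added example for this thread; not code from the original post or from Certify The Web.
# Assumes openssl.exe is on PATH and certbot's cert.pem, privkey.pem and chain.pem
# are in the current directory (these are certbot's default file names).
param(
    [string]$Cert  = 'cert.pem',
    [string]$Key   = 'privkey.pem',
    [string]$Chain = 'chain.pem',                # intermediates only; the private key never goes here
    [string]$Out   = 'certificate_combined.pfx',
    [switch]$Legacy                              # OpenSSL 3.x: write 3DES/SHA-1 PKCS#12 that older Windows accepts
)

$securePassword = Read-Host -Prompt 'PFX password' -AsSecureString
$plainPassword  = [System.Net.NetworkCredential]::new('', $securePassword).Password

# 1. Confirm the key pair matches before packaging (works for RSA and ECDSA keys).
$certPub = (& openssl x509 -noout -pubkey -in $Cert) -join "`n"
$keyPub  = (& openssl pkey -pubout -in $Key) -join "`n"
if ($certPub -ne $keyPub) { throw "Private key in $Key does not match certificate $Cert" }

# 2. Assemble the PFX: leaf certificate plus key, with the chain supplied via -certfile.
$opensslArgs = @('pkcs12', '-export', '-inkey', $Key, '-in', $Cert, '-certfile', $Chain,
                 '-out', $Out, '-passout', "pass:$plainPassword")
if ($Legacy) { $opensslArgs += '-legacy' }
& openssl @opensslArgs
if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 -export failed with exit code $LASTEXITCODE" }

# 3. Check that OpenSSL itself can reopen the file with the password...
& openssl pkcs12 -info -noout -in $Out -passin "pass:$plainPassword"
if ($LASTEXITCODE -ne 0) { throw "OpenSSL cannot open $Out with the given password" }

# 4. ...and that Windows CryptoAPI (what IIS and Certify use) can parse it too.
#    A PFX that step 3 opens but this step rejects as a wrong password is the
#    OpenSSL 3 AES-256/PBKDF2 encoding; re-run the script with -Legacy.
$pfx  = Get-PfxData -FilePath (Resolve-Path $Out) -Password $securePassword -ErrorAction Stop
$leaf = $pfx.EndEntityCertificates[0]
"Leaf       : {0} (private key present: {1})" -f $leaf.Subject, $leaf.HasPrivateKey
"Chain      : {0} certificate(s)" -f $pfx.OtherCertificates.Count
"Thumbprint : {0}" -f $leaf.Thumbprint
```

Run it from the directory holding the certbot files (`.\Build-Pfx.ps1 -Legacy` on a machine with OpenSSL 3). Keeping the private key out of the -certfile input and verifying with Get-PfxData on the target server separates "the PFX is malformed" from "the PFX is fine but the store or binding step is failing", which is the distinction the rest of this thread turns on.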

Can you confirm that the machine is up to date with Windows Updates? There is something unusual in your configuration and I can’t determine what. Was the machine a fresh install of Server 2016 or was it an in-place upgrade for an older OS?

When the certificate is ordered from the CA we then assemble the PFX and write it to disk under the C:\ProgramData\certify\assets\<domain> path - we then try to store that PFX in the local machine certificate store (My or Web Hosting depending on your preference), which seems to have worked, then we try to update the IIS binding (which is the step that fails). The error is consistent with the Private Key being inaccessible after it was stored.

Could you try:

  • Reinstalling the app by downloading it again and installing. The line number for your error doesn’t match our code, which seems like some files might not be properly updated.
  • Don’t change the user the Certify background service runs as; that would break all the permissions.
  • Try “Request Certificate” again. I’m wondering if the current PFX file has some other private key problem.
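The maintainer's reply describes three steps (PFX on disk, import into the machine store, IIS binding update) and attributes the failure to the private key being inaccessible after import, with custom private-key storage permissions as one suspect. The following PowerShell diagnostic is an added example for this thread, not Certify The Web's own code: it finds the certificate in the machine store, confirms a private key is attached, locates the key container file on disk and prints its ACL (checking that SYSTEM, the account Certify's service runs as by default, still has an entry), and lists the HTTP.SYS SSL bindings that reference the thumbprint. It assumes an elevated PowerShell session, an RSA key, and uses 'domain.info' as a constructed placeholder host name; pass 'Cert:\LocalMachine\WebHosting' as -StorePath to inspect the Web Hosting store instead of My.

```powershell
# Inspect a machine-store certificate's private key, its key-file ACL, and the
# HTTP.SYS SSL bindings that use it.
# Added example for this thread; not Certify The Web's own code. Run elevated.
# 'domain.info' is a constructed placeholder for the real host name.
param(
    [string]$HostName  = 'domain.info',
    [string]$StorePath = 'Cert:\LocalMachine\My'   # or 'Cert:\LocalMachine\WebHosting'
)

$certs = Get-ChildItem -Path $StorePath | Where-Object {
    $_.Subject -like "*CN=$HostName*" -or ($_.DnsNameList.Unicode -contains $HostName)
}
if (-not $certs) { Write-Warning "No certificate for '$HostName' in $StorePath"; return }

foreach ($cert in $certs) {
    "--- {0}" -f $cert.Thumbprint
    "Subject       : {0}" -f $cert.Subject
    "Expires       : {0}" -f $cert.NotAfter
    "HasPrivateKey : {0}" -f $cert.HasPrivateKey
    if (-not $cert.HasPrivateKey) {
        Write-Warning "No private key is associated with this certificate; IIS cannot bind it."
        continue
    }

    # Resolve the on-disk key container. CNG keys live under Crypto\Keys, legacy
    # CAPI keys under Crypto\RSA\MachineKeys. Only RSA keys are handled here.
    $keyFile = $null
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
        } else {
            Write-Warning "Non-RSA key; key-file lookup skipped."
        }
    } catch {
        # HasPrivateKey was true but the key could not be opened: the "inaccessible
        # private key" condition the maintainer describes.
        Write-Warning "Private key exists but cannot be opened from this session: $($_.Exception.Message)"
    }

    if ($keyFile) {
        "Key file      : {0}" -f $keyFile
        if (Test-Path $keyFile) {
            # SYSTEM must keep access: Certify's service runs as Local System by default
            # and IIS reads the key through HTTP.SYS.
            $acl = Get-Acl $keyFile
            $acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType |
                Format-Table -AutoSize | Out-String
            if (-not ($acl.Access | Where-Object { $_.IdentityReference -like '*SYSTEM' })) {
                Write-Warning "No ACL entry for SYSTEM on the key file; custom key permissions are likely."
            }
        } else {
            Write-Warning "Key container file is missing on disk; the private key is orphaned."
        }
    }

    # Which HTTP.SYS SSL bindings (the ones IIS relies on) reference this thumbprint?
    $hits = netsh http show sslcert | Select-String -SimpleMatch $cert.Thumbprint -Context 2,0
    if ($hits) { $hits | ForEach-Object { ($_.Context.PreContext + $_.Line) -join "`n" } }
    else { "No HTTP.SYS SSL binding references this certificate." }
}
```

If the script prints HasPrivateKey : True but the key file is missing or lacks a SYSTEM entry, the import step worked and the binding step is what is failing, which matches the maintainer's reading of the log; an exception in the "cannot be opened" branch while running as Administrator points the same way. Re-running it after "Re-Apply certificate bindings" shows whether the re-import produced a key container with a usable ACL.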