Cannot Bind Certificate to domain - IIS 10

Facing this error in IIS 10 on Windows Server 2016: on selecting the SSL certificate generated by CertifytheWeb,
the following error shows up.

“A specified logon session does not exist. It may already have been terminated. (Exception for HRESULT: 0x80070520)”

2023-09-05 17:35:01.424 +00:00 [INF] ---- Beginning Request [domain.info] ----
2023-09-05 17:35:01.424 +00:00 [INF] Certify/6.0.11.0 (Windows; Microsoft Windows NT 10.0.14393.0)
2023-09-05 17:35:01.425 +00:00 [INF] Beginning certificate request process: domain.info using ACME provider Anvil
2023-09-05 17:35:01.425 +00:00 [INF] The selected Certificate Authority is: Let’s Encrypt
2023-09-05 17:35:01.425 +00:00 [INF] Requested identifiers to include on certificate: domain.info [dns];*.domain.info [dns]
2023-09-05 17:35:01.885 +00:00 [INF] Created ACME Order: https://acme-v02.api.letsencrypt.org/acme/order/69107042/206396710956
2023-09-05 17:35:01.981 +00:00 [INF] Order is ready and valid. Auth challenges will not be re-attempted.
2023-09-05 17:35:01.981 +00:00 [INF] [Progress] Order authorizations already completed.
2023-09-05 17:35:01.981 +00:00 [INF] Resuming certificate request using CA: Let’s Encrypt
2023-09-05 17:35:01.981 +00:00 [INF] [Progress] Requesting certificate via Certificate Authority
2023-09-05 17:35:03.459 +00:00 [INF] [Progress] Completed certificate request.
2023-09-05 17:35:03.682 +00:00 [INF] [Progress] Performing automated certificate binding
2023-09-05 17:36:36.073 +00:00 [ERR] System.Runtime.InteropServices.COMException (0x80070520): A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)
at Certify.Management.Servers.ServerProviderIIS.d__20.MoveNext() in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Core\Management\Servers\ServerProviderIIS.cs:line 372
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Management.Servers.IISBindingDeploymentTarget.d__3.MoveNext() in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Core\Management\Servers\ServerProviderIIS.cs:line 1039
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Core.Management.BindingDeploymentManager.d__9.MoveNext() in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Core\Management\BindingDeploymentManager.cs:line 478
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Certify.Core.Management.BindingDeploymentManager.d__7.MoveNext() in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Core\Management\BindingDeploymentManager.cs:line 292
2023-09-06 04:13:54.067 +00:00 [INF] [Progress] Performing automated certificate binding
2023-09-06 04:15:27.475 +00:00 [ERR] An error occurred installing the certificate. Certificate file may not be valid: C:\ProgramData\certify\assets\domain.info\20231204_9544bb1.pfx

Please help urgently.
Thank You

Generated a new SSL certificate from the ZeroSSL website, and that has been accepted by IIS.

Four domains use the auto certificates through CertifytheWeb; unfortunately IIS is not accepting these valid certificates on any domain. The certificates are present in the Web Hosting store and can be viewed too, yet it still gives this binding error.

This looks like a problem writing the certificate to the Local Machine certificate store. Is the Certify background service running as the default Local System user? You may need to investigate whether there have been previous custom changes to the Private Key storage permissions.

Try restarting the machine to see if the problem goes away, then use Certificate > Advanced > Actions > Re-Apply Certificate Bindings to re-attempt applying the PFX to the certificate store and IIS bindings.

Is there a reason you have Web Hosting store selected? This is not the default, as an alternative you could try the My (personal) store as this is the normal default.
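The reply above points at the private key rather than at IIS itself, and the HRESULT agrees: 0x80070520 is Win32 error 1312, ERROR_NO_SUCH_LOGON_SESSION, which the SSL binding code returns when it cannot open the certificate's private key, not because any logon session is involved. The script below is an added diagnostic for checking exactly that; it is not Certify The Web's code and not from the original thread. It assumes you run it elevated on the IIS host, that the Certify background service's Windows service name starts with "Certify", and that you pass the thumbprint of the certificate Certify reported as stored (the thumbprint in the usage comment is a placeholder).

```powershell
# Added diagnostic for the 0x80070520 binding failure (example code, not Certify The Web's).
# Run in an elevated PowerShell on the IIS host.
# Assumptions: $Thumbprint is the thumbprint Certify reported after storing the PFX, and the
# Certify background service's Windows service name starts with "Certify".

function Get-CertifyServiceIdentity {
    # Certify's guidance is that the service runs as Local System; confirm the account first.
    Get-CimInstance Win32_Service -Filter "Name LIKE 'Certify%'" |
        Select-Object Name, State, StartName
}

function Get-PrivateKeyFile {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Resolve the key container file on disk. CNG (KSP) machine keys live under
    # %ProgramData%\Microsoft\Crypto\Keys, legacy CAPI (CSP) keys under ...\Crypto\RSA\MachineKeys.
    # Throws (e.g. "Keyset does not exist") when HasPrivateKey is true but the key file is gone,
    # which is what MMC reports as "No keys found for certificate".
    $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if (-not $key) {
        $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($Cert)
    }
    if (-not $key) { return $null }
    $crypto = Join-Path $env:ProgramData 'Microsoft\Crypto'
    if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return Join-Path $crypto ('RSA\MachineKeys\' + $key.CspKeyContainerInfo.UniqueKeyContainerName)
    }
    # RSACng / ECDsaCng expose the underlying CngKey; UniqueName is the file name (null for non-file keys)
    if ($key.Key.UniqueName) { return Join-Path $crypto ('Keys\' + $key.Key.UniqueName) }
    return $null
}

function Test-StoredCertificate {
    param([string]$Thumbprint, [string[]]$Stores = @('My', 'WebHosting'))
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    foreach ($store in $Stores) {
        $cert = Get-ChildItem "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue |
            Where-Object Thumbprint -eq $Thumbprint
        if (-not $cert) { continue }
        $keyFile = $null; $keyError = $null
        try { $keyFile = Get-PrivateKeyFile $cert } catch { $keyError = $_.Exception.Message }
        $exists = [bool]($keyFile -and (Test-Path $keyFile))
        $acl = if ($exists) { (Get-Acl $keyFile).Access } else { @() }
        # HTTP.SYS/SChannel opens the key as SYSTEM; a missing SYSTEM read grant is the usual culprit
        $systemRead = [bool]($acl | Where-Object {
            $_.IdentityReference -like '*SYSTEM' -and $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $read) -eq $read) })
        [pscustomobject]@{
            Store         = $store
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey     # false: the PFX was imported without its key
            KeyFile       = $keyFile
            KeyFileExists = $exists                 # false with HasPrivateKey=true: orphaned key reference
            KeyError      = $keyError
            SystemCanRead = $systemRead
            KeyAcl        = ($acl | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
        }
    }
}

function Get-HttpSysBindings {
    # What HTTP.SYS currently has bound. The hash must match the thumbprint and the store name
    # must be the store Certify wrote to (My or WebHosting).
    netsh http show sslcert |
        Select-String -Pattern 'IP:port|Hostname:port|Certificate Hash|Certificate Store Name'
}

# Usage (thumbprint is a placeholder; copy the real one from Certify or Cert:\LocalMachine\My):
# Get-CertifyServiceIdentity
# Test-StoredCertificate -Thumbprint 'ABCDEF0123456789ABCDEF0123456789ABCDEF01' | Format-List
# Get-HttpSysBindings
```

Read the output from the top: a service not running as Local System, HasPrivateKey false, a KeyError or KeyFileExists false, or SystemCanRead false each explains the binding error on its own, and each is fixed differently (service account, PFX import, re-request, key file ACL), so establish which one it is before touching MachineKeys permissions.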

Thank You for your prompt reply,

Changed the certificate store to Personal and used the re-attempt,
yet:

2023-09-07 14:55:16.478 +00:00 [INF] [Progress] Performing automated certificate binding
2023-09-07 14:56:19.149 +00:00 [ERR] An error occurred installing the certificate. Certificate file may not be valid: C:\ProgramData\certify\assets\domain.info\20231205_1c7c6dc4.pfx

Also, exporting the saved certificate from the certificate store only gives the option to export it without the private key.

Used certbot to generate the certificate manually, and then used openssl:

type fullchain.pem privkey.pem > bundle.pem

openssl pkcs12 -export -out "certificate_combined.pfx" -inkey "privkey.pem" -in "cert.pem" -certfile bundle.pem

yet this file also did not work and kept giving a wrong password error.

Lastly, used SSL Converter (Convert SSL Certificates to different formats)
to convert the file to PFX, and this has worked.

Please advise.

Thank You

Can you confirm that the machine is up to date with Windows Updates? There is something unusual in your configuration and I can’t determine what. Was the machine a fresh install of Server 2016 or was it an in-place upgrade for an older OS?

When the certificate is ordered from the CA we then assemble the PFX and write it to disk under the C:\ProgramData\certify\assets\<domain> path - we then try to store that PFX in the local machine certificate store (My or Web Hosting depending on your preference), which seems to have worked, then we try to update the IIS binding (which is the step that fails). The error is consistent with the Private Key being inaccessible after it was stored.

Could you try:

  • Reinstalling the app by downloading it again and installing. The line number for your error doesn’t match our code, which suggests some files might not have been properly updated.
  • Don’t change the user the Certify background service runs as; that would break all the permissions.
  • Try “Request Certificate” again. I’m wondering if the current PFX file has some other private key problem.

Same Problem here.

2023-11-03 14:36:52.132 +01:00 [INF] Order is ready and valid. Auth challenges will not be re-attempted.
2023-11-03 14:36:52.132 +01:00 [INF] [Progress] Order authorizations already completed.
2023-11-03 14:36:52.132 +01:00 [INF] Resuming certificate request using CA: Let’s Encrypt
2023-11-03 14:36:52.132 +01:00 [INF] [Progress] Requesting certificate via Certificate Authority
2023-11-03 14:37:10.696 +01:00 [INF] [Progress] Completed certificate request.
2023-11-03 14:37:10.985 +01:00 [INF] [Progress] Performing automated certificate binding
2023-11-03 14:37:42.488 +01:00 [ERR] System.Runtime.InteropServices.COMException (0x80070520): A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)
at Certify.Management.Servers.ServerProviderIIS.d__20.MoveNext() in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Core\Management\Servers\ServerProviderIIS.cs:line 372
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Management.Servers.IISBindingDeploymentTarget.d__3.MoveNext() in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Core\Management\Servers\ServerProviderIIS.cs:line 1039
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Core.Management.BindingDeploymentManager.d__9.MoveNext() in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Core\Management\BindingDeploymentManager.cs:line 478
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Core.Management.BindingDeploymentManager.d__7.MoveNext() in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Core\Management\BindingDeploymentManager.cs:line 292

I have already restarted, uninstalled and reinstalled the app, requested the certificate, and re-applied.
I have checked everything from this page:
Error HRESULT: 0x80070520 when adding SSL binding in IIS | Microsoft Learn.
But nothing works.
It looks like there is no private key for the (new) certificates. In MMC → Certificates → All Actions → Manage Private Keys, I got the error: No keys found for certificate!
I am using Windows Server 2016 with all available updates. My CertifyWeb version is 6.0.12.0 (licensed version).

Hi, for some users this problem was caused by the app trying to use an ES256 private key instead of an RSA key. Some configurations and versions of Windows were unable to use this key type. To resolve, check that RSA 2048 is still selected as the default key type under Settings, then re-request the certificate.

This is already checked.
I have tried all of the RSA256 values.

Have you previously modified the default permissions of C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys? This is a very unusual error and the problem is specific to your configuration; it’s not a bug in the software, so to fix it we’d need to figure out what’s different in your system. I presume the Certify background service is running as Local System, as normal.

The first time, there were no permissions set on the folder.

As described here (Default permissions for MachineKeys folders - Windows Server | Microsoft Learn), I have set the permissions.

Certificates that were generated in September are working,
but the ones from October are not. The only changes on the system were Windows updates, and the default private key type, RSA 4096, which I have set back to RSA 2048.

Thanks, I note in your screenshot that Enable Modern PFX Alg is checked; disable this and re-request your certificate. Some versions of Windows cannot use the updated PFX cryptographic algorithms. This was briefly the default when we released v6.0, and that may be when this got set.

Thanks, this is working.
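The "Modern PFX Alg" fix above and the earlier "wrong password" from the hand-built openssl PFX are the same failure seen twice. A PKCS#12 file protected with the newer PBES2/PBKDF2 + AES-256 bags and an HMAC-SHA-256 MAC (what current OpenSSL emits by default) cannot be opened by Windows builds that predate those algorithms, Server 2016 among them, and the import layer reports it as an incorrect password rather than an unsupported algorithm. The classic pbeWithSHA1And3-KeyTripleDES-CBC bags with an HMAC-SHA-1 MAC are accepted everywhere. The script below is an added example, not code from the thread or from Certify The Web: it tests whether a PFX is readable on the current machine the way the machine store would read it, shows which algorithms the file uses, and rebuilds a Windows-compatible PFX from certbot's PEM files. It assumes openssl.exe is on PATH and the file names in the usage comment are placeholders; the chain file is certbot's chain.pem (intermediates only), never a bundle that also contains the private key.

```powershell
# Added example (not Certify The Web's or the poster's code): diagnose and fix a PFX that
# Windows Server 2016 rejects as "incorrect password". Assumes openssl.exe is on PATH.

function Test-PfxReadable {
    param([string]$Path, [string]$Password)
    # Load the PFX the way the machine store does (machine key set, exportable), without persisting it.
    $cert = $null
    try {
        $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,Exportable'
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2((Convert-Path $Path), $Password, $flags)
        [pscustomobject]@{ Readable = $true; HasPrivateKey = $cert.HasPrivateKey; Subject = $cert.Subject; Error = $null }
    } catch {
        # On builds lacking the newer PKCS#12 algorithms the failure surfaces as
        # "The specified network password is not correct" (0x80070056), same text as a real wrong password.
        [pscustomobject]@{ Readable = $false; HasPrivateKey = $false; Subject = $null; Error = $_.Exception.Message }
    } finally {
        if ($cert) { $cert.Dispose() }
    }
}

function Get-PfxAlgorithms {
    param([string]$Path, [string]$Password)
    # Show which PBE schemes and MAC the PFX uses. OpenSSL writes the -info lines to stderr, hence 2>&1.
    #   modern: "MAC: sha256, Iteration 2048" / "PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, ..."
    #   legacy: "MAC: sha1, Iteration 2048"   / "PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, ..."
    # Reading an RC2-encrypted legacy file with OpenSSL 3 additionally needs the -legacy option.
    $env:PFX_PASS = $Password                   # keep the password out of the command line / process list
    try {
        & openssl pkcs12 -info -noout -in $Path -passin env:PFX_PASS 2>&1 |
            ForEach-Object { "$_" } |
            Select-String -Pattern 'MAC|Encrypted data|Shrouded Keybag|PKCS7 Data'
    } finally {
        Remove-Item Env:\PFX_PASS -ErrorAction SilentlyContinue
    }
}

function ConvertTo-LegacyPfx {
    param([string]$KeyPem, [string]$CertPem, [string]$ChainPem, [string]$OutPfx, [string]$Password)
    # Pin the classic PKCS#12 algorithms: SHA-1/3DES PBE for the key and certificate bags and an
    # HMAC-SHA-1 MAC. They sit in OpenSSL 3's default provider (no -legacy needed) and every Windows
    # build accepts them. ChainPem is certbot's chain.pem (intermediates only); the private key
    # goes in via -inkey and must never be passed through -certfile.
    $env:PFX_PASS = $Password
    try {
        & openssl pkcs12 -export -out $OutPfx -inkey $KeyPem -in $CertPem -certfile $ChainPem `
            -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 -passout env:PFX_PASS
        if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 -export failed with exit code $LASTEXITCODE" }
    } finally {
        Remove-Item Env:\PFX_PASS -ErrorAction SilentlyContinue
    }
    # Prove the result imports on this machine before handing it to IIS.
    Test-PfxReadable -Path $OutPfx -Password $Password
}

# Usage (placeholder names and password):
# Get-PfxAlgorithms -Path .\certificate_combined.pfx -Password 'S3cret'
# Test-PfxReadable  -Path .\certificate_combined.pfx -Password 'S3cret'
# ConvertTo-LegacyPfx -KeyPem .\privkey.pem -CertPem .\cert.pem -ChainPem .\chain.pem -OutPfx .\legacy.pfx -Password 'S3cret'
```

If Test-PfxReadable fails on the original file but succeeds on the rebuilt one, the password was never wrong; the file format was. The trade-off is real but small: SHA-1/3DES PBE is weaker than AES/PBKDF2 with SHA-256, but the PFX is a transport wrapper that is deleted or kept under restricted ACLs once the key is in the machine store, so accept it where the platform gives no choice rather than disabling private-key protection elsewhere.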


Hello, we are seeing a similar error with our renewals as well during the binding stage. Output from log below:

2023-11-07 22:56:24.999 -05:00 [INF] ---- Beginning Request [Manage] ----
2023-11-07 22:56:25.000 -05:00 [INF] Certify/6.0.12.0 (Windows; Microsoft Windows NT 10.0.17763.0)
2023-11-07 22:56:25.000 -05:00 [INF] Beginning certificate request process: Manage using ACME provider Anvil
2023-11-07 22:56:25.000 -05:00 [INF] The selected Certificate Authority is: Let’s Encrypt
2023-11-07 22:56:25.000 -05:00 [INF] Requested identifiers to include on certificate: domain.info [dns]; domain.info [dns]
2023-11-07 22:56:26.034 -05:00 [INF] Created ACME Order: https://acme-v02.api.letsencrypt.org/acme/order/515119747/220669612506
2023-11-07 22:56:26.241 -05:00 [INF] Order is ready and valid. Auth challenges will not be re-attempted.
2023-11-07 22:56:26.241 -05:00 [INF] [Progress] Order authorizations already completed.
2023-11-07 22:56:26.241 -05:00 [INF] Resuming certificate request using CA: Let’s Encrypt
2023-11-07 22:56:26.241 -05:00 [INF] [Progress] Requesting certificate via Certificate Authority
2023-11-07 22:56:30.227 -05:00 [INF] [Progress] Completed certificate request.
2023-11-07 22:56:30.850 -05:00 [INF] [Progress] Performing automated certificate binding
2023-11-07 22:57:02.554 -05:00 [ERR] System.Runtime.InteropServices.COMException (0x80070520): A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)
at Certify.Management.Servers.ServerProviderIIS.d__20.MoveNext() in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Core\Management\Servers\ServerProviderIIS.cs:line 372
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Management.Servers.IISBindingDeploymentTarget.d__3.MoveNext() in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Core\Management\Servers\ServerProviderIIS.cs:line 1039
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Core.Management.BindingDeploymentManager.d__9.MoveNext() in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Core\Management\BindingDeploymentManager.cs:line 478
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Certify.Core.Management.BindingDeploymentManager.d__7.MoveNext() in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Core\Management\BindingDeploymentManager.cs:line 292

Following other advice from this thread, the following items have been checked:

  • Certify The Web and the machine are up to date
  • Service verified to be running as Local System
  • Default permissions on the Crypto folder are verified
  • Permissions on the PFX folder are verified
  • The PFX certificates can be imported manually to the Personal store by entering the key saved in the utility
  • Modern PFX Alg is not checked
  • RSA 2048 is set

Are there any other settings that could be preventing the binding of the renewed certificate in IIS? Please let me know anything else I can review/test.

@JoshBritton Hi, which version of Windows Server are you on, and was it previously an in-place upgrade from an older version of the OS?

I’d try checking “Modern PFX Alg” and unchecking it again just to be sure, then try Request Certificate again (Certificate > Advanced > Actions > Re-fetch Latest Certificate can also rebuild the PFX without re-requesting, if the order is still valid with the CA).

Interestingly the line of code being reported as the site of the exception is the part that checks if the IIS Site ID is valid but I think that’s just a reporting glitch.

This is a Windows 2019 Server that was built new and has been using CertifytheWeb for some time successfully before the issue started.

I checked the “Modern PFX Alg” option, closed the app and reopened, unchecked, restarted again, and attempted to Re-fetch the certificate. Continue to see errors in the binding process.

Certify.Core.Management.BindingDeploymentManager.d__9.MoveNext() in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Core\Management\BindingDeploymentManager.cs:line 478
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Certify.Core.Management.BindingDeploymentManager.d__7.MoveNext() in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Core\Management\BindingDeploymentManager.cs:line 292
2023-11-11 09:45:07.151 -05:00 [INF] [Progress] Requesting certificate via Certificate Authority
2023-11-11 09:45:11.216 -05:00 [INF] [Progress] Completed certificate request.
2023-11-11 09:45:11.567 -05:00 [INF] [Progress] Performing automated certificate binding

Hi @JoshBritton, OK, let’s escalate this to a support ticket.

Please email support {at} certifytheweb.com with a zipped copy of your C:\ProgramData\certify\logs folder and the appsettings.json from that certify folder as well. We may need to provide a custom build of the app to help diagnose the problem or try a custom tool to check binding. Please confirm if this affects all renewals.

Hello @webprofusion - This email has been sent and ticket 3722 has been created. Please let me know if you have any additional questions or if you need additional information.
