No current certificate AND existing certificate still OK

My website is mickwebsite.com. I am running IIS 10 on Windows 10 with minimum features implemented for a Static website, with support from Certify The Web, Lets Encrypt and No-IP. I have implemented SSL, and also implemented http → https using both HSTS and URL Rewrite.

In inetmgr, under EditSite|Bindings|443 I have a current, valid certificate installed.

When I run Chrome with http://localhost it starts the website and redirects to https, but declares it to be not secure with the explanation Certificate is not valid.

Running the Certify The Web desktop app I get these results…

  1. On start of the app, under Managed Certificates:
    mickwebsite.com
    No current certificate

  2. Click on above result:
    Renewal Failure, last attempt 2022-08-17

  3. Click on Test:
    All tests completed OK

  4. Click on Renew All:
    mickwebsite.com
    Success
    Skipping renewal, existing certificate still OK.

I am curious about the apparent contradictions among these results especially between #1 and #4. I have no idea about how to resolve the inconsistencies.

BTW, I have been a computer geek since 1965, was a professor of computer science at community college for 25 years until 1998, have 3 current apps in Google Play, and have been running this website on my home computer for many years. There is a lot of what I do that I do not really understand, but somehow I figure it out and usually get it to work :slight_smile:

Any help/ideas greatly appreciated.

Mick


Hi Mick,

Your website is prompting for a client certificate (i.e. one the user has to have on their own computer); this is usually not what you want. If you have enabled this accidentally you can disable it in IIS under Site > SSL Settings > Require SSL, which confusingly enables client certificates instead of website certificates in IIS.

Regarding the inconsistency in the Certify UI, I can’t tell without a copy of your log file and configuration database but I’d suggest just deleting the managed certificate in Certify and creating it again.

Ensure your website has valid hostnames set in your IIS bindings (either http or https bindings) before creating your managed certificate, as the app will use the hostname in the binding(s) to match the certificate. If you have previously created an https binding yourself I’d suggest deleting it and letting the app manage it for you; in general the binding must have a hostname set and have SNI enabled with no specific IP binding set.

Thank you for the reply. By coincidence, after I posted my message and before your reply, I unchecked Require SSL after following one of various iis “learn” posts. However, now I do clearly understand why it is not needed so thanks again.

I followed your advice to simply delete the certificate and recreate it. I think that worked OK. I did get this message as part of the response…

Skipping URL access checks and auto config (if applicable): http://mickwebsite.com/.well-known/acme-challenge/configcheck. Will resume checks if renewal failure count exceeds 2 attempts.

I am uncertain about the “if applicable” part of this :slight_smile: and if I need to do something about it??

I do not understand the last part of your reply, about deleting a binding and letting the app manage it. In inetmgr I simply create the two bindings [80, 443] and select the certificate for 443.

I have a technical issue that I do not understand at all that I suspect has nothing to do with Lets Encrypt. But here it is anyway in case you may know something about it. I can access my website only using mobile data from my smartphone. If I try to access it from my desktop computer which is the host, or with my smartphone using wifi, it does not respond giving various messages depending on what fooling around I have done with various settings…
This site can’t be reached
localhost refused to connect.
mickwebsite.com took too long to respond.
HTTP Error 404. The requested resource is not found.

All ideas etc appreciated :slight_smile:

Thank you
Mick

Hi Mick,

  • You can ignore the “Skipping URL access checks” part, it’s just saying that it worked before so it’s not going to perform tests again until a failure happens.

  • Regarding deleting bindings, I don’t recommend managing the https (port 443) binding yourself; instead let the app manage it for you. If you manually set it up then you could find that renewals are not updating the binding as expected.

Your https binding must have the hostname set to ‘mickwebsite.com’, with no specific IP specified and with SNI enabled. You can have multiple https bindings if your site goes by multiple names or subdomains (like if you want to support the name www.mickwebsite.com as well). Generally the app just copies whatever http bindings you have and creates corresponding https bindings, but if you haven’t specified the hostname to match in your http bindings then it can’t do that automatically (imagine if you had 100 websites on the same machine, it doesn’t know which bindings match which website unless you set the hostname in the IIS bindings).

If you click the Preview tab in the app and scroll down to the Deployment section you should see whether it plans to add/update any https bindings on next renewal. If it doesn’t show any then your certificate will still renew but your https binding won’t get the latest cert selected and eventually your site will start to error with the old expired certificate. So, make sure the app is planning to update your binding as shown in the Preview, if it’s not, fix it by setting your https binding settings as noted above (hostname set, SNI enabled). The preview should then show the correct planned updates.

Regarding problems accessing the site, your site currently says ‘403 forbidden’ which can mean either you have intentionally set something to require authentication or it can mean that the IIS site is pointing to a folder that it doesn’t have permission to read (the IUSR group needs read permission on the site folder).

Another thing to note is that if you have enabled HSTS then your browser will remember that and force https, so if there’s anything (temporarily) wrong with your https binding then the site just won’t load.

If your site won’t load locally but does over your phone’s mobile connection then the problem is that the IP address of the website can’t properly be resolved within your network, usually to do with trying to access your own external IP address internally (which your router may not like). You can create a hosts file entry with your local IP address to trick your browser into using the local IP address for the same website.
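The binding requirements above (hostname set, no fixed IP, SNI on 443) can be checked from PowerShell with the WebAdministration module that ships with IIS. This is an added example for illustration, not code from the thread or from Certify The Web; the site name ‘websiteC’ and the hostname ‘mickwebsite.com’ are taken from the thread, and the commented-out New-WebBinding line is only there to show the binding shape the app expects.

```powershell
# Added example (not from the thread): audit a site's IIS bindings for the
# properties Certify The Web relies on: hostname set, IP "All Unassigned" (*),
# and SNI enabled on the https binding.
Import-Module WebAdministration

function Test-SiteBindings {
    param([Parameter(Mandatory)][string]$SiteName)

    foreach ($b in Get-WebBinding -Name $SiteName) {
        # bindingInformation is "IP:port:hostname", e.g. "*:443:mickwebsite.com".
        # (IPv6 literals contain ':' themselves; not handled in this simple split.)
        $ip, $port, $hostHeader = $b.bindingInformation -split ':', 3

        # sslFlags bit 0 (value 1) means SNI is enabled; only meaningful for https.
        $sni = ($b.protocol -eq 'https') -and (($b.sslFlags -band 1) -eq 1)

        [pscustomobject]@{
            Protocol = $b.protocol
            IP       = $ip
            Port     = $port
            HostName = $hostHeader
            SNI      = $sni
            # Conditions the app (per the advice above) would trip over:
            Issues   = @(
                if (-not $hostHeader) { 'no hostname: app cannot match binding to site' }
                if ($ip -ne '*')      { 'fixed IP set: SNI will not work, use All Unassigned' }
                if ($b.protocol -eq 'https' -and -not $sni) { 'SNI not enabled on https binding' }
            ) -join '; '
        }
    }
}

# Inspect the site's bindings (site name from the thread; change to yours).
Test-SiteBindings -SiteName 'websiteC' | Format-Table -AutoSize

# For reference, this is the shape of the https binding the app would create:
# "*:443:mickwebsite.com" with SNI (sslFlags 1). No certificate is chosen here;
# the app attaches the certificate itself on issue/renewal.
# New-WebBinding -Name 'websiteC' -Protocol https -Port 443 -HostHeader 'mickwebsite.com' -SslFlags 1
```

Run it in an elevated PowerShell on the IIS host. An empty Issues column for every binding means the Preview tab in the app should show a planned “Update https binding” entry for that hostname; a non-empty one points at the binding setting to fix.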

Thank you very much for the very detailed reply :slightly_smiling_face:

  1. Regarding this…
    “Your https binding must have the hostname set to ‘mickwebsite.com’, with no specific IP specified and with SNI enabled”.

The user interface for creating the website [inetmgr] does not permit omitting the specific IP. If I omit it the SAVE button remains greyed out. Is there another way❓

  2. From the CTW preview tab…

Update https binding websiteC *:443:mickwebsite.com SNI
:exclamation:
[websiteC is just a temporary folder name to remind me that it is on drive C: Have a backup on E: have to keep them separate]

  3. authentication, permissions

The IUSR and IIS_IUSRS(MICKS-COMPUTER\IIS_IUSRS) groups have Full Control permission for the website folder. I wonder if I should change this to Read permission only❓ This is a static website so perhaps that is all that is needed.

  4. enabled HSTS

I am using URL Rewrite for http->https. I do not have HSTS enabled although I did have it enabled recently; I thought that URL Rewrite was doing the job OK so I eliminated HSTS as an unnecessary technicality. Should I re-enable it and remove URL Rewrite :question: It seems like HSTS is a simpler, built-in process, as long as it does not create its own problem.

  5. create a hosts file entry

Did this❗
99.242.126.196 mickwebsite.com

It was difficult because the directory is hidden, even from the administrator login. But I did find an official Microsoft help blog for this. The private bloggers are apparently unaware of the hidden characteristic.

I did have Require SSL checked at one time but have since unchecked it.

Another big thank you,

Mick​

Here is an example of how to set an SNI binding without specifying a specific IP address (using ‘All Unassigned’):

[image]

If you do set a particular IP then SNI will stop working and only the cert you have selected for that binding can be served, this is less of a problem if you only have one website but is catastrophic if you have multiple sites :slight_smile:

  • HSTS is something your browser will try very hard to remember, even after you disable it. It’s not a problem if your site has working https though.

  • Yes, read permission for IUSR is best unless you need to write uploads or temp files as part of your website features (it sounds like you don’t need write).

I followed your recommendations and the problem remains. I had had the concepts of Port address and IP address confused when looking at that screen. I set the permission IUSR/Read as the only permission on the website folder, and I will not initially be using HSTS.

A bit of history…
About a year ago I had a technical problem with my computer that I was unable to solve. I arbitrarily decided to reinstall Windows 10. That was a mistake. It left my private data alone but uninstalled many applications. I have had this problem with my website ever since :frowning:

Now, the present…
I wanted to be certain that my IIS install and features choice were correct and have not been messed up somehow. I decided to renew my install of IIS using the minimum set of features for a static website. I followed these steps…

  1. Remove all websites, the default and my own, from inetmgr.

  2. Delete the two web.config files and the inetpub folder.

  3. Uninstall IIS using control panel, turn features off; reboot computer.

  4. Reinstall IIS adding in only the HTTP Redirection feature; reboot computer.

  5. The default web site did not reappear [probably because I had deleted inetpub?] so I recreated it following instructions on StackOverflow.

  6. I installed the URL Rewrite feature as I had used it successfully for several years. The HTTP Redirection feature and HSTS are there if I may need them.

  7. Disabled static compression. Recommended by an MS Learn post; this is needed for URL Rewrite to function, a Known Issue.

  8. Edited permissions for the Default website to include IUSR with Read permission

  9. Created bindings for ports 80 and 443. View showed the certificate is valid until Nov 2, 2022.

  10. SSL Settings feature: checked Accept for certificates

  11. URL Rewrite feature: set this up following a blog post

  12. Tested Localhost:
    “This site cannot be reached”
    “Your connection is not secure”

  13. Tested over mobile data: Success!

  14. Checked http → https over mobile data: success

  15. I installed my website into inetmgr, setting up Features etc as above. The results are the same as for the default website. So the problem is not in my website code :slight_smile:

The problem remains: my website is accessible from Mobile Data, but not from the host computer or by local WIFI, both of which receive signal directly from the router. I did spend a day recently working through all of the router configuration options. There is stuff there that I do not understand but I do believe that it is all set up correctly.

Is there anything that I should check out more thoroughly? Have I missed something? This website had been running perfectly, with this same setup, for several problem-free years.

Is the problem a Windows 10 feature or setting? What did re-installing Windows 10 from Microsoft over the internet change?

I expect that I should post this on the IIS forum :slight_smile:

So your website’s public IP is 99.242.126.196

Is it actually possible for your computer to access this IP, considering this is actually your external IP as provided by your ISP? Sometimes it’s not possible; that’s why I suggested the hosts file entry, but the point of the hosts file entry is to provide the IP you can access, not the real IP, so just change that to your local machine’s IP address, like 192.168.1.10 or whatever it actually is.

That should then work on your machine, but it won’t work for other machines on the same wifi, they’ll still be trying to use the public IP address.

I added this line [with tabs] to the end of the hosts file…

10.0.0.153 #IPV4, mickwebsite.com

Sorry, no difference :slightly_frowning_face:

I have otherwise fixed small errors here and there hoping for further insight. Nothing new is coming to me right now. I’ll keep plugging away at it. If you have any more ideas, I would love to hear them.
:slightly_smiling_face:
Mick

I have been exploring TLS 2.0; I was unaware of the TLS → SSL → TLS 2.0 evolution. I thought that SSL was the top tier as that seems to be the terminology in IIS. Anyway here is what I have found…

1. From SSLLabs.com: This server [mickwebsite.com] supports TLS 1.0 and TLS 1.1. Grade capped to B
EDIT: on further reading the data at SSLLabs.com there is info on TLS 2.0 for my website. But I am curious about this grade being B rather than A

2. How to check if TLS 1.2 is enabled?
If the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\DisabledByDefault is present, the value should be 0.
If the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\Enabled is present, value should be 1.

3. Using regedit shows that key ending at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

So it appears that my Win 10 setup does not support SSL 2.0? Is there a problem here?

Here is my current state of thinking about this…
So it appears to me that the problem is not caused by any of my router setup which I thoroughly reviewed, or by my IIS setup which I thoroughly reset, or by my website code which behaves same as the default website. So I am wondering what option, setting, etc in Windows 10 might be causing this problem behavior? What did reinstalling Windows 10 from Microsoft over the internet change?

Your supported level of TLS (and cipher suites) are relevant to understanding website security and compatibility but it’s not usually super important.

I recommend using the free Nartac Software - IIS Crypto tool in Best Practices mode to give yourself generally compatible settings. Some services and software have dropped support for TLS 1.1 so TLS 1.2 is preferable. TLS 1.3 does exist but it’s not well supported on Windows yet (you would need Windows 11 or Server 2022). SSL was the original name for TLS and is the oldest version of the protocol; TLS 1.3 is the newest version. If you want the Grade A score from Qualys then you need to drop support for TLS 1.1 and older, which reduces compatibility with some older software.

If you’re super interested in TLS there’s a very detailed book on the topic: Bulletproof TLS and PKI | Feisty Duck and Certify The Web users can get 15% off using the discount code CTW15 (this is not a referral code, it’s a discount and we don’t make money from it!).

Regarding the hosts file entry you said you had:
10.0.0.153 #IPV4, mickwebsite.com so that would be interpreted as <IP Address> #<comment> and the rest of the line would be ignored, what you want is just 10.0.0.153 mickwebsite.com.
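To make the hosts-file rule above concrete, here is a small parser that splits a line the way the resolver does (everything after the first ‘#’ is a comment, then address followed by hostnames). This is an added example, not code from the thread; the sample lines are constructed from the two entries quoted in this reply plus one more, and the path to the real hosts file is the standard Windows location.

```powershell
# Added example (not from the thread): parse hosts-file lines as the resolver
# does, showing why "10.0.0.153 #IPV4, mickwebsite.com" maps no hostname at all.
function ConvertFrom-HostsLine {
    param([Parameter(Mandatory)][string]$Line)

    # Everything from the first '#' onward is a comment and is discarded.
    $code = ($Line -split '#', 2)[0].Trim()
    if ($code -eq '') { return $null }        # blank or comment-only line

    # The rest is whitespace-separated: address first, then the hostnames
    # that resolve to it.
    $fields = $code -split '\s+'
    [pscustomobject]@{
        Address   = $fields[0]
        Hostnames = @($fields | Select-Object -Skip 1)
    }
}

# Constructed sample lines (not the poster's actual file).
$sample = @(
    '10.0.0.153 #IPV4, mickwebsite.com',                          # comment swallows the hostname
    '10.0.0.153 mickwebsite.com',                                 # the correct form
    '10.0.0.153 mickwebsite.com www.mickwebsite.com # LAN address' # comment after the names is fine
)

foreach ($line in $sample) {
    $entry = ConvertFrom-HostsLine $line
    if ($null -eq $entry -or $entry.Hostnames.Count -eq 0) {
        "'$line'  ->  maps NO hostnames"
    } else {
        "'$line'  ->  $($entry.Hostnames -join ', ') => $($entry.Address)"
    }
}

# To check the live file on the machine (needs no elevation to read):
# Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
#     ForEach-Object { ConvertFrom-HostsLine $_ } | Where-Object { $_ }
```

The first sample line yields an address with an empty hostname list, which is exactly the “rest of the line would be ignored” case described above; the second and third map mickwebsite.com to the LAN address. Remember that a hosts entry only affects the machine it is on, which matches the earlier point that other devices on the same Wi-Fi still resolve the public IP.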

Awesome! Now it works. Instant relief for me, after months of frustration. Thank you.
Mick


Just as a comment… on older installs, such as Vista/Server 2008… these registry entries are required to override system defaults. On newer installs such as patched Windows 10/11… these entries are not necessary as the defaults already accept TLS 1.2 (etc.).

It may in fact be normal or necessary for these registry keys (Protocols) to be empty on newer operating systems. Overriding the defaults with these keys should be harmless, but I’ve seen situations where outgoing connections could not negotiate SSL/TLS properly and deleting the keys (and restoring the defaults) solved the issue.

Because of this, be careful about adding these keys on newer operating systems.
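The registry check described earlier in the thread (TLS 1.2\Client\DisabledByDefault should be 0 and Enabled should be 1 if present) and the caveat just above (absent values mean the OS defaults apply, and that is normal on patched Windows 10/11) can be combined into one read-only report. This is an added example, not code from the thread or from Certify The Web; it only reads the SCHANNEL keys and never creates or changes them, and the protocol names listed are the standard SCHANNEL subkey names.

```powershell
# Added example (not from the thread): report SCHANNEL protocol overrides and
# say "not set (OS default)" where no value exists, instead of treating a
# missing key as "unsupported". Read-only: nothing is created or modified.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    param(
        [string[]]$Protocols = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'),
        [string[]]$Sides     = @('Client', 'Server')   # Server is what IIS uses
    )
    foreach ($p in $Protocols) {
        foreach ($s in $Sides) {
            $key   = Join-Path (Join-Path $base $p) $s
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }

            # A value is only "set" if the key exists and the value is present.
            $enabled  = if ($props -and $null -ne $props.Enabled)           { [int]$props.Enabled }           else { $null }
            $disByDef = if ($props -and $null -ne $props.DisabledByDefault) { [int]$props.DisabledByDefault } else { $null }

            $state = if ($null -eq $enabled -and $null -eq $disByDef) { 'not set (OS default)' }
                     elseif ($enabled -eq 0)                          { 'disabled (Enabled=0)' }
                     elseif ($disByDef -eq 1)                         { 'disabled by default (DisabledByDefault=1)' }
                     else                                             { 'enabled by override' }

            [pscustomobject]@{
                Protocol          = $p
                Side              = $s
                Enabled           = $enabled
                DisabledByDefault = $disByDef
                State             = $state
            }
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
```

A table of “not set (OS default)” rows is the expected result on a fresh, patched Windows 10 install and is not a sign that TLS 1.2 is missing; only rows showing an explicit override need attention, and the IIS Crypto tool mentioned earlier writes exactly these values when you apply a template.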


Thank you, jljtgr, for this additional clarification. I am running Windows 10 Pro, version 21H2. From a blog elsewhere I did use PowerShell to disable SSL 2.0 and 3.0, and TLS 1.0 and 1.1; and to enable TLS 1.2 and 1.3.

And an additional Thank you! to webprofusion for the additional info and links regarding TLS. My website now gets the overall rating of A from Qualys SSL Labs, SSL Report :slight_smile: :slight_smile:
I feel good again about my website, and I have access to much more information
:slight_smile:
Mick
