question

JL-4473 asked BruceZhang-MSFT answered

Random users not able to access website due to an old and expired SSL certificate.

I need some advice here. Recently, I've just renewed the website's public cert on Tuesday. The old cert was expiring on Wednesday morning at 10am.
The renewal of the SSL cert includes the following steps:
1) Install the public cert
2) Grant permission rights to the IIS service account that needs to use the public cert
3) Rebind the website in IIS with the new cert
4) Restart IIS and the application pool for the website
5) Verify that the website is accessible
6) Remove the old public certificate
7) Verify that the website is accessible

Some background: Our website is fronted by a content service provider >> Web application firewall >> Proxy >> Web Site Server.
On Wednesday at 3.30pm, we received feedback from users that they were not able to access our website.
We noticed that our proxy was pointing to the old public certificate, which had already been deleted from the web server.
We tried restarting IIS and the application pool again. However, the issue wasn't resolved. The issue was only resolved after we triggered a reboot of the server hosting the website.

As part of the follow-up, we noticed that not everyone was facing issues accessing the website. Our logs captured other users successfully accessing our website.
I wonder if someone can enlighten me on the following:

Qns 1: Why did users encounter issues accessing the portal at 3.30pm instead of at 10am (expiration of the cert), with the root cause stated as "certificate verification Failed: certificate has expired"?
Qns 2: Why did it only happen to a subset of the users and not all? I've read somewhere that there is caching of SSL certs on the web browser side; could that be the cause?
Qns 3: If the cause is caching of the SSL cert in web browsers, how would rebooting the server hosting the website address the caching issue at the client browser level?
Qns 4: Is it mandated or common practice to reboot the servers after public cert renewal?

windows-server-iis-general

1 Answer

BruceZhang-MSFT answered

Hi @JL-4473 ,

Qns 4: Is it mandated or common practice to reboot the servers after public cert renewal?

Restarting the HTTP service from the command line can also solve this problem, but sometimes it has no effect, so restarting the server is a better choice.
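An added example (not code from either poster or from Microsoft) covering both the renewal steps in the question and the "restart the HTTP service" advice in the answer. IIS HTTPS bindings are registered with HTTP.sys, which is what `netsh http show sslcert` lists, so the first check is whether the thumbprint HTTP.sys holds still exists in the machine store, is unexpired and has a private key (the "old cert deleted but still bound" state). The second part fetches the leaf certificate a given hop actually presents, so the origin can be compared with the proxy or CDN edge that users reach; the host names are placeholders.

```powershell
# Added example, not from the original thread. Assumes an elevated PowerShell on
# the IIS host, English netsh output and TCP 443 reachability for the probe.
# 1. What HTTP.sys actually serves: parse the SSL bindings it holds.
function Get-HttpSysBindings {
    $bindings = @(); $current = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            $current = [pscustomobject]@{ Endpoint = $Matches[2]; Thumbprint = $null }
            $bindings += $current
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-f]+)') {
            $current.Thumbprint = $Matches[1].ToUpper()
        }
    }
    return $bindings
}
# 2. Check each binding against the machine store: a thumbprint that is no longer
#    there is the "old cert deleted but still bound" state described in the post.
function Test-HttpSysBindings {
    $store = Get-ChildItem Cert:\LocalMachine\My
    foreach ($b in Get-HttpSysBindings) {
        $cert = $store | Where-Object Thumbprint -eq $b.Thumbprint
        if (-not $cert) {
            Write-Warning "$($b.Endpoint): HTTP.sys references $($b.Thumbprint), which is not in LocalMachine\My (stale binding)"
        } elseif ($cert.NotAfter -lt (Get-Date)) {
            Write-Warning "$($b.Endpoint): bound cert '$($cert.Subject)' expired on $($cert.NotAfter)"
        } elseif (-not $cert.HasPrivateKey) {
            Write-Warning "$($b.Endpoint): bound cert has no private key; TLS handshakes will fail"
        } else {
            "$($b.Endpoint): OK, '$($cert.Subject)' valid until $($cert.NotAfter)"
        }
    }
}
# 3. What a client sees: the leaf cert an endpoint presents for a given SNI. Probe
#    the origin and the proxy/CDN edge separately to find the hop still serving the
#    old cert. The callback accepts any cert: it is only inspected, no app data is sent.
function Get-ServedCertificate {
    param([string]$HostName, [int]$Port = 443, [string]$Sni = $HostName)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $cb   = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl  = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($Sni)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{ Endpoint = "$HostName`:$Port"; Subject = $leaf.Subject; Thumbprint = $leaf.Thumbprint; NotAfter = $leaf.NotAfter }
    } finally { $tcp.Close() }
}
Test-HttpSysBindings
# Placeholder names: compare what the origin serves with what the edge serves.
# Get-ServedCertificate -HostName 'origin.example.internal' -Sni 'www.example.com'
# Get-ServedCertificate -HostName 'www.example.com'
```

If the origin already presents the new thumbprint but the edge still presents the old one, the stale copy lives on the intermediate hop (proxy, WAF or CDN), not in the browser, and that is the layer whose certificate configuration or cache needs refreshing.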