1
votes

I've been trying to get SSL working on Windows Server 2016.

  • I've created an SSL Cert using Certify the Web "Certify SSL Manager".
  • The cert is bound to the site in IIS: Type: https, Port: 443, IP Address: *, Require Server Name Indication: checked (there is more than one site with SSL).
  • I've enabled Secure Socket Tunneling Protocol (SSTP-In) Rule on the Firewall.

netstat is showing:

  Proto  Local Address  Foreign Address  State
  TCP    0.0.0.0:443    0.0.0.0:0        LISTENING

I can access the site via http but get "Site cannot be reached" over https.

Any ideas?

SSL Diagnostics look Ok:
BINDING: https *:443:www.xxx
SSLCertHash: 22cede4f7a934c9a18e1234dd1ec5ad5fd9e6eee
SSL Flags: Sni
Testing EndPoint: 127.0.0.1
#CertName: www.xxx [Certify] - 7/31/2018 8:59:12 PM to 10/29/2018 8:59:12 PM
#Version: 3
#You have a private key that corresponds to this certificate.
#Signature Algorithm: sha256RSA
#Key Exchange Algorithm: RSA-PKCS1-KeyEx Key Size: 2048
#Subject: CN=www.xxx
#Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
#Validity: From 31-Jul-18 8:59:12 PM To 29-Oct-18 8:59:12 PM
#Serial Number: 0320D0187424022AEA2723F9B330223768C3
DS Mapper Usage: Disabled
Archived: False
#Key Usage: KeyEncipherment, DigitalSignature
#Enhanced Key Usage: Server Authentication (1.3.6.1.5.5.7.3.1),Client Authentication (1.3.6.1.5.5.7.3.2)
#Basic Constraints: Subject Type=End Entity, Path Length Constraint=None
#Subject Alternative Name: DNS Name=www.xxx
Certificate verified.

BINDING: https *:443:www.xxx
This site can take external traffic if,
 * TCP port 443 must be opened on Windows Firewall (or any other equivalent products).
 * Requests from web browsers must be routed to following end points on this machine,
   * y.y.y.y:443.
   * [zzz]:443.
This site can take local traffic at 127.0.0.1:443.
This site can take local traffic at [::1]:443.
 * Web browsers should use URL https://www.xxx:443. Requests must have Host header of "www.xxx".
   DNS query of "www.xxx" does not return a known IP address for any network adapter of this machine. It can be desired, but please review your DNS settings (or modify the hosts file).
Please run SSL Diagnostics at server level to analyze SSL configuration. More information can be found at https://www.jexusmanager.com/en/latest/tutorials/ssl-diagnostics.html.
Lex Li: SSTP rule is completely irrelevant. There should be a default HTTPS rule (I assume you already enabled it for the other HTTPS sites). Jexus Manager might show more info to guide you in troubleshooting the issue: jexusmanager.com/en/latest/tutorials/ssl-diagnostics.html and jexusmanager.com/en/latest/tutorials/binding-diagnostics.html

Andrew Kiss: Thanks for the response. Yes, World Wide Web Services (HTTPS Traffic-In) is already enabled.

Andrew Kiss: Hi @LexLi, do you have an idea what the following line indicates? "DNS query of "www.xxx" does not return a known IP address for any network adapter of this machine. It can be desired, but please review your DNS settings (or modify the hosts file)." The server is an AWS Lightsail Windows Server and it does have a static IP address.

Lex Li: Jexus Manager attempts to do a DNS query of your domain name (host name), and verify if the returned IP address matches the IP addresses of this machine. If your DNS record points to the public IP, and this machine uses the private IP, then of course Jexus Manager won't find a match, and that's "desired".

Andrew Kiss: Thanks for your help @LexLi, I wasn't aware of there being another firewall under networking in AWS. I was only looking at the Windows firewall. Working perfectly once I added https.

2 Answers

2
votes

If you are running on an AWS server, don't forget to add https (443) to your inbound rules in the security group in addition to changing the firewall rule on your EC2 instance.

0
votes

As Jexus Manager reports, your server side settings look good,

  • Valid certificate.
  • Valid HTTPS bindings.

However, DNS query of www.xxx returns an unknown IP address (x.x.x.x). So external HTTPS requests will be sent to x.x.x.x by web browsers. It relies on other network configuration to forward such requests from x.x.x.x.

Requests from web browsers must be routed to following end points on this machine,
* y.y.y.y:443.
* [zzzz]:443.

Usually, x.x.x.x should be the public IP, while y.y.y.y should be the private IP. The packet forwarding should be an AWS setting somewhere, and there can be another firewall where you need to open port 443. You should be able to refer to AWS documentation to find out.
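The checks this thread walks through (a listener on 443, the SNI certificate binding, the HTTPS rather than SSTP firewall rule, and Jexus Manager's DNS-versus-local-adapter comparison described in the comments), as an added PowerShell script that is not part of the question, the answers or Jexus Manager. It assumes the placeholder host name www.xxx from the question and the default rule name "World Wide Web Services (HTTPS Traffic-In)" mentioned in the comments; run it in an elevated PowerShell on the server.

```powershell
# Added example, not from the question or from Jexus Manager: reproduce the
# checks this thread walks through, from the server itself.
$HostName = 'www.xxx'    # placeholder host name, as in the question

function Test-PrivateIPv4([string]$Ip) {
    # RFC 1918 ranges: the usual addresses on an EC2/Lightsail instance's own adapter
    $o = $Ip.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or ($o[0] -eq 192 -and $o[1] -eq 168)
}

# 1. Listener on TCP 443 (what the question's netstat line showed)
$listener = Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue
if ($listener) { "OK   : TCP 443 listening, owned by PID $($listener[0].OwningProcess)" }
else           { "FAIL : nothing listens on TCP 443; check the IIS https binding" }

# 2. HTTP.SYS SNI certificate binding for the host name (the output also shows the cert hash)
$sslcert = (netsh http show sslcert) -join "`n"
if ($sslcert -match [regex]::Escape("${HostName}:443")) { "OK   : SSL binding for ${HostName}:443 present" }
else { "FAIL : no SSL binding for ${HostName}:443 in 'netsh http show sslcert'" }

# 3. The relevant Windows Firewall rule is the HTTPS one, not the SSTP (VPN) rule
$rule = Get-NetFirewallRule -DisplayName 'World Wide Web Services (HTTPS Traffic-In)' -ErrorAction SilentlyContinue
if ($rule -and $rule.Enabled -eq 'True') { "OK   : Windows Firewall HTTPS inbound rule enabled" }
else { "FAIL : Windows Firewall HTTPS inbound rule missing or disabled" }

# 4. Jexus Manager's DNS check: does the name resolve to an address of a local adapter?
$resolved = Resolve-DnsName -Name $HostName -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
$local = Get-NetIPAddress -AddressFamily IPv4 | Select-Object -ExpandProperty IPAddress
foreach ($ip in $resolved) {
    if ($local -contains $ip) {
        "OK   : $HostName -> $ip is on a local adapter"
    } elseif (-not (Test-PrivateIPv4 $ip) -and ($local | Where-Object { Test-PrivateIPv4 $_ })) {
        # Expected on AWS: DNS holds the public IP, the adapter holds the private IP, AWS forwards between them.
        "INFO : $HostName -> $ip is public while local adapters are private ($($local -join ', ')); " +
        "open TCP 443 in the AWS security group / Lightsail networking firewall, not only in Windows Firewall"
    } else {
        "WARN : $HostName -> $ip matches no local adapter; review DNS (or the hosts file)"
    }
}
if (-not $resolved) { "FAIL : $HostName does not resolve to any A record" }
```

Because the instance may not be able to reach its own public IP, confirm the last step from a machine outside AWS with Test-NetConnection -ComputerName www.xxx -Port 443.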