Wednesday, October 20, 2021

IIS 7 SSL Cert - There was an error while performing this operation

It was that exciting time of year again, SSL Cert renewal time!  

I say exciting, because it never fails that when cert renewal time comes up I hit my head against some issue (I suspect it's the exact same issue year after year and I just don't remember).

This time, changing the cert in IIS 7, I'm greeted with "There was an error while performing this operation. Details: A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)".

It should be noted that when this occurred the site went down!  I was able to select the old cert and hit okay and all was well again.  Select new cert, OK, and error with site down again.

NOTE: I have since found another way to produce this issue, with its own fix.  I have modified the below with Fix 1 and Fix 2.  You may have to do BOTH of the below, as I recently discovered.

I found a lot of solutions out there and I'm sure they work, but I didn't see the easy one that worked for me.  I also found some that say the solution is that you have to have "export private key" checked when importing the certificate (note that this IS NOT NEEDED).

FIX 1: I had my certificate imported from a pfx without the option for export private key.  It was stored under Local Computer - Web Hosting (this is true of the old cert and new cert).

In the binding screen I selected the "Localhost" certificate and hit OK.

I then immediately hit edit again.  Selected the new certificate from the drop down and hit OK.  Click Close, go to your site and verify it's using the new cert.

FIX 2: I had a new certificate that I imported via the IIS Server Certificates option.  No matter what, I would continue to get the error when following my directions above.  I found a post online where a commenter mentioned that they had to import from MMC rather than IIS.  I deleted the cert that I had imported via IIS.  I had cmd open, so I went to it and typed MMC, then File - Add/Remove Snap-in - Certificates - Computer Account - OK.  Expand Web Hosting - Certificates.  Right-click and import the new cert, changing the file type to *.* and selecting the cert.  DO NOT check the box for exportable.

Then went back to IIS and followed my FIX 1 steps.  Worked great.

No error, very minimal downtime (when localhost cert is selected). Happy happy
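The MMC import in FIX 2 can also be scripted. The PowerShell below is an added example, not part of the original post; it assumes a server where the PKI module's Import-PfxCertificate cmdlet is available, and the PFX path is a placeholder. It imports into Local Computer - Web Hosting without marking the key exportable, then checks the result before you go back to the binding screen.

```powershell
# Added example; the path below is a placeholder, not a value from the post.
# Run from an elevated PowerShell session on the IIS server.
$PfxPath   = 'C:\certs\new-site-cert.pfx'      # hypothetical path
$StorePath = 'Cert:\LocalMachine\WebHosting'   # Local Computer - Web Hosting

# Prompt for the PFX password so it never lands in script text or history.
$password = Read-Host -Prompt 'PFX password' -AsSecureString

# -Exportable is deliberately omitted: the private key is imported as
# non-exportable, matching the unchecked "exportable" box in the MMC wizard.
$cert = Import-PfxCertificate -FilePath $PfxPath `
                              -CertStoreLocation $StorePath `
                              -Password $password

# Re-read the certificate from the store rather than trusting the import result.
$stored = Get-Item -Path "$StorePath\$($cert.Thumbprint)"

# A certificate without an associated private key cannot serve HTTPS.
if (-not $stored.HasPrivateKey) {
    throw "Certificate $($stored.Thumbprint) has no private key in $StorePath."
}

# Catch the case where the old (expired) PFX was picked by mistake.
if ($stored.NotAfter -le (Get-Date)) {
    throw "Certificate $($stored.Thumbprint) expired on $($stored.NotAfter)."
}

# List everything in the store so the new cert is easy to tell apart from
# the old one in the IIS binding drop-down.
Get-ChildItem -Path $StorePath |
    Sort-Object NotAfter |
    Format-Table Thumbprint, Subject, NotAfter, HasPrivateKey -AutoSize
```

After it completes without an error, follow the FIX 1 steps in the binding screen as described above.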

Now, will I remember this next year?  Or remember to check my blog notes?  Probably not.
