2

I can connect to my site via http but not via https.

In Firefox I get:

Secure Connection Failed. An error occurred during a connection to www.example.com. PR_CONNECT_RESET_ERROR

In Chrome I get:

This site can’t be reached. The connection was reset.

Strange thing is that this Let's Encrypt certificate used to work (I'm trying to figure out what I changed that could've impacted this): [screenshot]

Bindings in IIS are set to use the correct certificate: [screenshots]

Registry keys (I've also set DisabledByDefault=1 for TLS 1.1): [screenshot]

netsh http show sslcert output:

```
Hostname:port                : www.example.com:443
Certificate Hash             : cdd3c28a460bdf024930a5e1a7fcc799fb9ea72e
Application ID               : {4dc3e182-e14b-4a21-b022-59fc669b0914}
Certificate Store Name       : WebHosting
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check                  : Enabled
Revocation Freshness Time    : 0
URL Retrieval Timeout        : 0
Ctl Identifier               : (null)
Ctl Store Name               : (null)
DS Mapper Usage              : Disabled
Negotiate Client Certificate : Disabled
Reject Connections           : Disabled
Disable HTTP2                : Not Set
Disable QUIC                 : Not Set
Disable TLS1.2               : Not Set
Disable TLS1.3               : Not Set
Disable OCSP Stapling        : Not Set
Disable Legacy TLS Versions  : Not Set

Hostname:port                : example.com:443
Certificate Hash             : cdd3c28a460bdf024930a5e1a7fcc799fb9ea72e
Application ID               : {4dc3e182-e14b-4a21-b022-59fc669b0914}
Certificate Store Name       : WebHosting
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check                  : Enabled
Revocation Freshness Time    : 0
URL Retrieval Timeout        : 0
Ctl Identifier               : (null)
Ctl Store Name               : (null)
DS Mapper Usage              : Disabled
Negotiate Client Certificate : Disabled
Reject Connections           : Disabled
Disable HTTP2                : Not Set
Disable QUIC                 : Not Set
Disable TLS1.2               : Not Set
Disable TLS1.3               : Not Set
Disable OCSP Stapling        : Not Set
Disable Legacy TLS Versions  : Not Set
```

Not sure if relevant, but when I test my site via SSL Labs I get an A+.

I already looked here: Installed SSL for domain, now getting connection reset error

UPDATE 1
I enabled SSL for my website (and restarted): [screenshot]

Adam
  • Use a tool like Wireshark to analyze TLS handshake packets, and that should reveal what happens. – Lex Li Apr 19 '21 at 17:44
  • Thanks. I installed Wireshark, but honestly not sure what I'm looking for. I saved a TCP dump and checked some red and black lines that were in there. I also specifically checked for my client's IP address. I tried disabling the Windows Defender Firewall to ensure port 443 is not blocked. But how can I debug this file? A red line was for example `Transmission Control Protocol, Src Port: 443, Dst Port: 44103, Seq: 1, Ack: 518, Len: 0`. Is it safe to share this file with others for debugging? – Adam Apr 19 '21 at 20:04
  • https://blog.catchpoint.com/2017/05/12/dissecting-tls-using-wireshark/ – Lex Li Apr 19 '21 at 20:06

3 Answers

3

It was because I had added the key "TLS 1.3" to the registry in

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

When removing that key everything works again.

Adam
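Added example, not part of the original answer: a read-only PowerShell check that lists every explicit override under the SCHANNEL `Protocols` key named above, so a stray entry such as `TLS 1.3` shows up before anything is deleted. The function name `Get-SchannelProtocolOverride` and the `State` labels are assumptions made for this illustration; the registry path is the one from the answer.

```powershell
# Added example, read-only: list explicit SCHANNEL protocol overrides.
# The function name and the State labels are hypothetical, chosen for this sketch.
$ProtocolsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolOverride {
    param([string]$Path = $ProtocolsKey)

    if (-not (Test-Path -LiteralPath $Path)) { return }   # key absent: nothing overridden

    foreach ($proto in Get-ChildItem -LiteralPath $Path) {
        $roles = @(Get-ChildItem -LiteralPath $proto.PSPath)
        if ($roles.Count -eq 0) {
            # Protocol key exists but has no Client/Server subkey under it.
            [pscustomobject]@{
                Protocol = $proto.PSChildName; Role = '-'
                Enabled = $null; DisabledByDefault = $null; State = 'empty key'
            }
            continue
        }
        foreach ($role in $roles) {
            # RegistryKey.GetValue returns $null when the value does not exist.
            $enabled  = $role.GetValue('Enabled')
            $disabled = $role.GetValue('DisabledByDefault')

            $state = if ($null -eq $enabled -and $null -eq $disabled) {
                'no values set'
            } elseif ($null -ne $enabled -and $enabled -eq 0) {
                'disabled'
            } elseif ($null -ne $disabled -and $disabled -ne 0) {
                'disabled by default'
            } else {
                'explicitly enabled'
            }

            [pscustomobject]@{
                Protocol = $proto.PSChildName; Role = $role.PSChildName
                Enabled = $enabled; DisabledByDefault = $disabled; State = $state
            }
        }
    }
}

# Every override on the machine, plus a warning for the key this answer removed.
$overrides = @(Get-SchannelProtocolOverride)
$overrides | Sort-Object Protocol, Role | Format-Table -AutoSize
if ($overrides.Protocol -contains 'TLS 1.3') {
    Write-Warning 'A "TLS 1.3" key is present: this is the entry the answer above removed.'
}
# Keep a copy before deleting anything, so the change can be reverted:
# reg export "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" schannel-protocols.reg
```

The `netsh http show sslcert` output in the question shows the per-binding TLS switches as `Not Set`, so this key is where a machine-wide protocol override would sit.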
0

PR_CONNECT_RESET_ERROR indicates that the destination server or a server/router/middleman along the way sent a RST to Firefox to terminate the attempted connection.

Have you accepted SSL in IIS? You can do it by following these steps: In the Home page in the center panel, under IIS, double-click SSL Settings.

Then in the SSL Settings page:

Select the Require SSL check box.

Under Client certificate, select Accept.

Restart your website.

r3d
  • I did...see my update 1 – Adam Apr 19 '21 at 09:19
  • It works on localhost? Your certificate is valid? You can check with some online tools; just google something like "check certificate". If the problem still remains, you can check what's happening on the network when you call https://yoursite.com by starting with tracert and some packet analyzer tool like WinDump. – r3d Apr 19 '21 at 14:10
  • I tested via https://www.sslshopper.com/ssl-checker.html, but that says `No SSL certificates were found`, very confusing! I renewed my Let's Encrypt certificate to be sure it was still valid. I also installed Wireshark (see comment on other answer), but it's not clear to me what I'm looking for. – Adam Apr 19 '21 at 20:07
0

I know it's an old question but I got the same problem today.

The following solved it for me:

  1. Switching the certificate in the IIS binding to another one
  2. Switching back to the old certificate.

I've no idea why, but it helped.