step-by-step
article describes how to determine if Secure Sockets Layer (SSL)
connectivity is not working on the Web server or on a intermediate
device that is on the path from the client to the Web server.
After you install a Secure Sockets Layer (SSL) certificate on a computer
that is running Internet Information Server (IIS) or Internet
Information Services (IIS), you may find that you cannot connect to the
computer across the Internet. When you try to connect, you may receive
the following error messages in the browser:
The page cannot be displayed
and
Cannot find server or DNS error
Determine the Cause of the Problem
One possible cause of this error is that an intermediate device, such as
a router or a firewall, is blocking TCP port 443 requests to the
server.
Make an SSL Request to the Server
To isolate this as a possible cause, first make sure that an SSL request
to the server on the server is successful. After you install the SSL
certificate, you can make an SSL request to the server by using the
browser on the server (that is, connect to by using the browser on the Web server).
If this step is not successful, see the
section.
Find the Blocking Intermediate Device
If you can connect to the server, follow these steps to confirm that an intermediate device is blocking the SSL traffic:
- On the Web server, open a command prompt and use the Microsoft
TCP/IP Tracert utility to connect to a known Web server on the Internet
that has an SSL certificate installed (such as ). This
shows all of the "hops" between the Web server and the destination
server.
The -d switch tells Tracert not to map IP addresses to host names.tracert -d
1 20 ms 10 ms 10 ms 24.25.66.1
2 <10 ms 10 ms 10 ms 24.93.65.149
3 <10 ms 10 ms <10 ms 24.93.66.145
4 <10 ms 10 ms 10 ms 24.93.66.178
5 20 ms 20 ms 20 ms 64.240.245.81
6 20 ms 20 ms 20 ms 208.30.202.5
7 20 ms 20 ms 20 ms 144.232.8.229
8 40 ms 30 ms 30 ms 144.232.18.33
9 40 ms 30 ms 40 ms 144.232.26.1
10 40 ms 30 ms 30 ms 144.232.26.6
11 80 ms 71 ms 70 ms 144.232.18.49
12 70 ms 70 ms 70 ms 144.232.6.89
- When you have obtained this
information, use the Microsoft TCP/IP Telnet utility to determine which
router is blocking the SSL traffic. First, try to telnet to port 443 on
the first hop that is reported from the Tracert output.
For example, telnet to each hop that is listed in the Tracert output:
When a connection is made to a listening SSL port, the telnet session
shows a blank flashing cursor, as if the server is waiting for input.
After several seconds, or if you press any keys, the telnet client
displays the following:
A connection to a server that is not listening on SSL immediately returns the following message:
Could not open a connection to host on port 443 : Connect failed
- Continue this process for each item on the
Tracert list until you have determined the first intermediate device
that is blocking SSL connections. After you find that device, work with
the administrator of that device to correct this issue, and then try to
connect to the site from the Internet.
TroubleshootingFor
additional information about what to do if using the browser on the Web
server is not successful, click the article numbers below
to view the articles in the Microsoft Knowledge Base:
Page Cannot Be Displayed When You Connect through SSL
Error Message: The Page Cannot Be Displayed . . . Cannot Find Server or DNS Error
Cannot Open SSL-Enabled Web Site
For additional information about using the Microsoft TCP/IP Tracert and Telnet utilities, click the article numbers below
to view the articles in the Microsoft Knowledge Base:
Using TRACERT to Troubleshoot TCP/IP Problems in Windows NT
Using TRACERT to Troubleshoot TCP/IP Problems in Windows XP
Description of the Ping and Tracert Tools
How to Request a Web Page Through a Telnet Client
For additional information about SSL browsing failures on a Web server, click the article numbers below
to view the articles in the Microsoft Knowledge Base:
Page Cannot Be Displayed When You Connect through SSL
阅读(1060) | 评论(0) | 转发(0) |