403 errors and SSL Certificates using IIS7 on Windows 2008

Through the will of the gods, I somehow ended up as a client’s sysadmin for their Windows Server. Their site had an SSL certificate that I managed to get installed. However, there were a few folks that kept getting these pesky 403 errors when they tried to view any page with the SSL certificate in https. Specific systems, too – mostly on Windows behind some kinda firewall.

As, despite what I’m doing, I am no Windows sysadmin, I was at a loss for what the heck was going on, and ended up harassing Network Solutions about it. Turns out we needed an upgraded certificate, as some older systems would not recognize the discount (or “Xpress”, if grammatically incorrect branding is your thing) certificate. So we got a sweeter one, and installed it. Yet, the errors persisted.

The big problem for me was that I could not replicate the error. All seemed fine in Virginia’s Internet Land. Most of the issues were coming from Australians (which sent me down a brief and incorrect path of thinking it was a freaky cookie issue, something I dealt with before with timezones and a SSO about half a year back). Anyhow, “403” is pretty generic. So, I went into the IIS manager dealio and set the 403 errors so that non-local browsers would get a detailed view. And, got someone who was actually getting the error to send me a screenshot. Turned out it was, in fact, a 403.13 error. Something about IIS trying to find a revoked certificae list and failing. And, apparently, if you’re looking at the site from behind a firewall with proxies, this’ll fling 403 errors all up on your junk and such.

Cause, I revoked that initial “Xpress” certificate when I added the new one. Anyhow, apparently the solution was to turn off the option in Windows 2008 that checks for a revoked certificate list (CertCheckMode). Course, there was no easy way to do it, I had to get all down and dirty in the Registry for that bastard. Boo! Anyhow, that fixed the situation, so all is good in the land of SSL certificates.

Leave a Reply