IIS and SSL Error: “One of the IP/Port combinations for site ‘123’ has already been configured to be used by another program.”

This particular error occurred while trying to replace an expired certificate for a SharePoint Extranet site. The server has two internal IP addresses (10.10.10.5 and 10.10.10.6, for example), and the SharePoint site was bound to the second IP address (10.10.10.6). A new certificate (provided by Thawte) had been issued to replace the old one, and I was trying to perform the supposedly simple task of swapping the expired certificate for it. I stopped the website, applied the new certificate and started the website again, but got the following error in my event log:

One of the IP/Port combinations for site ‘123’ has already been configured to be used by another program. The other program’s SSL configuration will be used.

I thought perhaps another program was locking that IP/port combination, so I used CurrPorts to try to track down what it was. CurrPorts has more info than netstat -an|more, but it reported the owning process as “System”, which isn’t overly helpful. After shutting down a lot of IIS websites that I thought might have been the problem, I realised that it was the very site I was trying to replace the certificate for that was locking the IP/port.

It turned out that there was a problem with the SSL bindings in the HTTP Protocol Stack, http.sys, the underlying “controller” for IIS. Http.sys is a kernel-mode device driver, which is why it showed up as “System” in CurrPorts. To fix this problem I used the httpcfg.exe utility to find out which SSL certificates were bound in http.sys:

httpcfg.exe query ssl

This returned the following:

——————————————————————————
    IP                      : 10.10.10.6:443
    Hash                    : 1234567845c19fd78909c6b170aa4a 23451c712
    Guid                    : {12345678-7890-6789-56768-59fc12340914}
    CertStoreName           : MY
    CertCheckMode           : 0
    RevocationFreshnessTime : 0
    UrlRetrievalTimeout     : 0
    SslCtlIdentifier        :
    SslCtlStoreName         :
    Flags                   : 0
——————————————————————————

The important thing to note here is the Hash. Its value should match your certificate’s thumbprint. To view the thumbprint, use MMC to load the “Certificates” snap-in for “Local Computer”, open the certificate and look at its Details tab. You should see something similar to the following:

[Image: thumbprint for my digital certificate]

The “Hash” in the httpcfg.exe output should match the thumbprint of your digital certificate. If it doesn’t, you will get the IP/port lock-out: http.sys still holds the stale binding for the old “broken” certificate, so IIS cannot register your new certificate on that IP/port.

To fix this I deleted the old entry using httpcfg.exe as follows:

httpcfg.exe delete ssl /i 10.10.10.6:443

I was then able to start my broken website and it correctly registered the certificate. Run httpcfg.exe query ssl again to check that the binding now shows the new certificate’s hash. Cue huge sigh of relief!
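As an added example (not part of the original post), the following script automates the check described above: it parses the text that httpcfg.exe query ssl prints, normalises the hash and the thumbprint copied from MMC (both can contain stray spaces, as the output above shows), and reports whether the http.sys binding for a given IP:port is ok, stale, or absent. The sample output embedded below is constructed with made-up hashes and GUIDs.

```python
import re
from typing import Dict

# Constructed sample in the layout printed by "httpcfg.exe query ssl"; the
# hashes and GUIDs are made up. Note the stray space inside the first hash.
SAMPLE_QUERY_OUTPUT = """
------------------------------------------------------------------
    IP                      : 10.10.10.6:443
    Hash                    : 1234567845c19fd78909c6b170aa4a 23451c7120
    Guid                    : {12345678-7890-6789-5676-859fc1234091}
    CertStoreName           : MY
    Flags                   : 0
------------------------------------------------------------------
    IP                      : 10.10.10.5:443
    Hash                    : ffeeddccbbaa99887766554433221100ffeeddcc
    Guid                    : {4dc3b0b4-1d5f-4b3a-9d29-5c9ad3f4a0b2}
    CertStoreName           : MY
    Flags                   : 0
------------------------------------------------------------------
"""

def normalize_thumbprint(value: str) -> str:
    """Keep only hex digits, lowercased: copes with the space in httpcfg's
    hash and with the spaces MMC shows between thumbprint bytes."""
    return "".join(re.findall(r"[0-9a-fA-F]", value)).lower()

def parse_httpcfg_ssl(output: str) -> Dict[str, str]:
    """Map each IP:port bound in http.sys to its normalised certificate hash."""
    bindings: Dict[str, str] = {}
    current = None
    for line in output.splitlines():
        m = re.match(r"\s*IP\s*:\s*(\S+)", line)
        if m:
            current = m.group(1)      # a new binding record starts here
            bindings[current] = ""
            continue
        m = re.match(r"\s*Hash\s*:\s*(.*)", line)
        if m and current:
            bindings[current] = normalize_thumbprint(m.group(1))
    return bindings

def check_binding(output: str, ipport: str, expected_thumbprint: str) -> str:
    """Return 'ok', 'mismatch' (stale hash registered for ipport) or 'missing'."""
    bindings = parse_httpcfg_ssl(output)
    if ipport not in bindings:
        return "missing"
    return "ok" if bindings[ipport] == normalize_thumbprint(expected_thumbprint) else "mismatch"

if __name__ == "__main__":
    ipport = "10.10.10.6:443"   # the site's binding, as in the post
    state = check_binding(SAMPLE_QUERY_OUTPUT, ipport, "12 34 56 78 45 c1 9f d7 89 09 c6 b1 70 aa 4a 23 45 1c 71 20")
    print(ipport, state)
    if state == "mismatch":
        print(f"stale binding; clear it with: httpcfg.exe delete ssl /i {ipport}")
```

On a live server, pipe the real output in (for example, read it from a file you saved with httpcfg.exe query ssl > bindings.txt) instead of the constructed sample.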


12 Responses to “IIS and SSL Error: ‘One of the IP/Port combinations for site ‘123’ has already been configured to be used by another program.’”

  1. OB Says:

    Saved my life! Thank you!

    This is surely a bug in the HTTP stack; I see no other way around, for those unfortunate enough to have this happen to them, other than your method.

    • gavinmckay Says:

      I think you are right – it does appear to be a bug, but I think it is probably very low on the list of things for them to fix, unfortunately! It could even be an issue in the way SSL certificates are managed by Windows itself, rather than an HTTP stack problem. Whatever it is, I hope they fix it!

  2. wgaga Says:

    Thanks for this. I have been stuck on my SSL problem on and off for a month; this fixed it.

    • gavinmckay Says:

      You are most welcome – it is a major pain to try and debug IIS issues like this! Has certainly caused me a lot of heart-ache in the past 🙂

  3. Steve Kumbsky Says:

    Awesome post. I’ve been working with some self-signed certs on a dev machine and wasted about 4 hours of my time, till I found your post. Thanks for letting others know about this.

    As an FYI… I didn’t see my port (I wasn’t using 443) listed when I ran httpcfg.exe, but I tried the delete anyway and voilà, my site worked!

    Thanks again!

    • gavinmckay Says:

      You are most welcome – glad it helped! 🙂 It is a nasty thing to have to fix that’s for sure – took out my production site for *hours* while I was trying to work out what went wrong :/

  4. Mauro Says:

    2 days headache invoking god solved by you!
    you’re my hero

  5. James Says:

    I went round and round struggling with this apparently simple task, much as you describe. Eventually I came across your site. Right now you’re my hero. Thank you.

  6. akshatakrao Says:

    Hi

    The httpcfg command gives a certificate thumbprint that has missing 0s. How do I fix this issue?

    • gavinmckay Says:

      Hi there,

      So have you already deleted the certificate using httpcfg? Did you get an error when trying to delete the old SSL cert?

      After deleting the old SSL certificate you should be able to add the certificate as normal and then select the correctly installed one.

      Gavin.

  7. Matt Says:

    Thanks for this. I just spent 2 days struggling with this error and this post resolved it perfectly.
