<!DOCTYPE html> <html> <head> </head> <body> <header class="entry-header"> <h3 class="entry-title">SSRS won’t bind HTTPS to new certificate — “We are unable to create the certificate binding”</h3> <div class="entry-meta"> </div> </header> <div class="entry-content"> <p data-adtags-visited="true">This blog post is around the situation where you have SSRS setup to use HTTPS and thus using a certificate and the certificate expires (or just needs replacing). We had caught the initial error via our Continuous Monitoring of the SSRS site — basically when the certificate expired we got an exception and alerted on it.</p> <p data-adtags-visited="true">The client installed a new certificate but the issue arose where in Reporting Service Configuration Manager we went to use the new certificate but when we chose it we got this error:</p> <p data-adtags-visited="true">“<em>We are unable to create the certificate binding</em>”</p> <figure id="attachment_2425" class="wp-caption aligncenter" data-shortcode="caption" aria-describedby="caption-attachment-2425"><img class=" size-full wp-image-2425 aligncenter" src="https://hybriddbablog.files.wordpress.com/2017/12/ssrs-cert-issue.jpg?w=656" alt="SSRS Cert issue" data-attachment-id="2425" data-permalink="https://hybriddbablog.com/2017/12/11/ssrs-wont-bind-https-to-new-certificate-we-are-unable-to-create-the-certificate-binding/ssrs-cert-issue/" data-orig-file="https://hybriddbablog.files.wordpress.com/2017/12/ssrs-cert-issue.jpg" data-orig-size="442,62" data-comments-opened="1" data-image-meta="{"aperture":"0","credit":"","camera":"","caption":"","created_timestamp":"0","copyright":"","focal_length":"0","iso":"0","shutter_speed":"0","title":"","orientation":"0"}" data-image-title="SSRS Cert issue" data-image-description="" data-medium-file="https://hybriddbablog.files.wordpress.com/2017/12/ssrs-cert-issue.jpg?w=300" data-large-file="https://hybriddbablog.files.wordpress.com/2017/12/ssrs-cert-issue.jpg?w=442" /> <figcaption id="caption-attachment-2425" class="wp-caption-text">Error in SSRS Configuration Manager</figcaption> </figure> <p data-adtags-visited="true">And Reporting Service Configuration Manager <strong>removes</strong> the HTTPS binding.</p> <p data-adtags-visited="true">We checked and the certificate is installed correctly.</p> <p data-adtags-visited="true">So we looked in SSRS logs:</p> <p data-adtags-visited="true">C:Program FilesMicrosoft SQL ServerMSRS11.<instance>Reporting ServicesLogFiles</p> <p data-adtags-visited="true">It is amazing for a reporting system how badly errors are reported in the log files. Basically there was nothing in there at all:</p> <pre>rshost!rshost!964!12/11/2017-08:13:47:: e ERROR: WriteCallback(): failed to write in write callback. rshost!rshost!2aa4!12/11/2017-08:13:47:: e ERROR: Failed with win32 error 0x03E3, pipeline=0x00000002780A7D80. httpruntime!ReportServer_0-33!2aa4!12/11/2017-08:13:47:: e ERROR: Failed in BaseWorkerRequest::SendHttpResponse(bool), exception=System.Runtime.InteropServices.COMException (0x800703E3): The I/O operation has been aborted because of either a thread exit or an application request. (Exception from HRESULT: 0x800703E3) at Microsoft.ReportingServices.HostingInterfaces.IRsHttpPipeline.SendResponse(Void* response, Boolean finalWrite, Boolean closeConn) at ReportingServicesHttpRuntime.BaseWorkerRequest.SendHttpResponse(Boolean finalFlush) library!ReportServer_0-33!2aa4!12/11/2017-08:13:47:: e — End of inner exception stack trace —;</pre> <p data-adtags-visited="true">We knew that HTTP was working all good so SSRS itself was “ok”. So on a hunch we decided to see if the old certificate was still lying around bound to something and so using netsh:</p> <figure id="attachment_2427" class="wp-caption aligncenter" data-shortcode="caption" aria-describedby="caption-attachment-2427"><img class=" size-full wp-image-2427 aligncenter" src="https://hybriddbablog.files.wordpress.com/2017/12/ssrs-netsh.jpg?w=656" alt="SSRS NETSH" data-attachment-id="2427" data-permalink="https://hybriddbablog.com/2017/12/11/ssrs-wont-bind-https-to-new-certificate-we-are-unable-to-create-the-certificate-binding/ssrs-netsh/" data-orig-file="https://hybriddbablog.files.wordpress.com/2017/12/ssrs-netsh.jpg" data-orig-size="624,399" data-comments-opened="1" data-image-meta="{"aperture":"0","credit":"","camera":"","caption":"","created_timestamp":"0","copyright":"","focal_length":"0","iso":"0","shutter_speed":"0","title":"","orientation":"0"}" data-image-title="SSRS NETSH" data-image-description="" data-medium-file="https://hybriddbablog.files.wordpress.com/2017/12/ssrs-netsh.jpg?w=300" data-large-file="https://hybriddbablog.files.wordpress.com/2017/12/ssrs-netsh.jpg?w=624" /> <figcaption id="caption-attachment-2427" class="wp-caption-text">NETSH showing the old certificate bound</figcaption> </figure> <p data-adtags-visited="true">So we then removed the binding — which was safe enough as only SSRS was serving web requests on this server — IIS was not being used at all.:</p> <p data-adtags-visited="true"><strong>netsh http delete sslcert ipport=[::]:443</strong></p> <figure id="attachment_2432" class="wp-caption aligncenter" data-shortcode="caption" aria-describedby="caption-attachment-2432"><img class=" size-full wp-image-2432 aligncenter" src="https://hybriddbablog.files.wordpress.com/2017/12/ssrs-netsh-delete.png?w=656" alt="SSRS netsh delete" data-attachment-id="2432" data-permalink="https://hybriddbablog.com/2017/12/11/ssrs-wont-bind-https-to-new-certificate-we-are-unable-to-create-the-certificate-binding/ssrs-netsh-delete/" data-orig-file="https://hybriddbablog.files.wordpress.com/2017/12/ssrs-netsh-delete.png" data-orig-size="922,242" data-comments-opened="1" data-image-meta="{"aperture":"0","credit":"","camera":"","caption":"","created_timestamp":"0","copyright":"","focal_length":"0","iso":"0","shutter_speed":"0","title":"","orientation":"0"}" data-image-title="SSRS netsh delete" data-image-description="" data-medium-file="https://hybriddbablog.files.wordpress.com/2017/12/ssrs-netsh-delete.png?w=300" data-large-file="https://hybriddbablog.files.wordpress.com/2017/12/ssrs-netsh-delete.png?w=656" /> <figcaption id="caption-attachment-2432" class="wp-caption-text">Removing the certificate that was still bound to port 443</figcaption> </figure> <p data-adtags-visited="true">We could then bind the new certificate in Reporting Service Configuration Manager:</p> <figure id="attachment_2430" class="wp-caption aligncenter" data-shortcode="caption" aria-describedby="caption-attachment-2430"><img class=" size-full wp-image-2430 aligncenter" src="https://hybriddbablog.files.wordpress.com/2017/12/ssrs-now-bound2.jpg?w=656" alt="SSRS now bound" data-attachment-id="2430" data-permalink="https://hybriddbablog.com/2017/12/11/ssrs-wont-bind-https-to-new-certificate-we-are-unable-to-create-the-certificate-binding/ssrs-now-bound/" data-orig-file="https://hybriddbablog.files.wordpress.com/2017/12/ssrs-now-bound2.jpg" data-orig-size="963,735" data-comments-opened="1" data-image-meta="{"aperture":"0","credit":"","camera":"","caption":"","created_timestamp":"0","copyright":"","focal_length":"0","iso":"0","shutter_speed":"0","title":"","orientation":"1"}" data-image-title="SSRS now bound" data-image-description="" data-medium-file="https://hybriddbablog.files.wordpress.com/2017/12/ssrs-now-bound2.jpg?w=300" data-large-file="https://hybriddbablog.files.wordpress.com/2017/12/ssrs-now-bound2.jpg?w=656" /> <figcaption id="caption-attachment-2430" class="wp-caption-text">SSRS is now happy and listening on port 443</figcaption> </figure> <p data-adtags-visited="true"> </p> <p data-adtags-visited="true">So hopefully if you get this type of error you too can solve it nice and quickly and have your web service URL and Report Manager URL nice and secure again…</p> </div> </body> </html>
Subscribe
0 Comments
Oldest