I have had a LetsEncrypt certificate generated through Win-Acme on an IIS website. After some time, it was requested to be changed for a different certificate, generated by RapidSSL. I have received the certificate, successfully installed it into IIS and selected it in the site's bindings. IIS, however, still keeps using the old certificate and ignores the new one.
Things I have tried:
- Removing the certificate from IIS and from Certificate storage
- Restarting the IIS Site
- Restarting all related Application pools
- Setting the Idle timeout of all related application pools to 1 minute and letting them all terminate - as specified in this GitHub issue
- Restarted the entire Windows server
- Removed the certificate manually using netsh http delete sslcert; according to command output it was successfully deleted (as stated here), after that re-added the certificate in IIS bindings
- Removed scheduled renewal from Win-Acme
IIS, however, somehow seems to still have it cached and returns it.
Noteworthy things:
- The old certificate was still valid; I never had any issues replacing an expired certificate
- There is no load balancer or proxy
- I have always used OpenSSL CLI tool to check for the certificate, in case my browser was caching it
Issue from Server Name Indication (SNI)?
I have done a little research and stumbled upon this answer from Lex Li on Stack Overflow and this blog post, where it is explained that this issue may actually originate from Server Name Indication. I did, however, verify that all sites run on the All Unassigned IP address and that all of the SSL bindings have SNI enabled - both in the IIS GUI and as Hostname:port in netsh http show sslcert. Also, when I try to run the OpenSSL CLI tool with the -servername parameter (which should, as I learned here, make the check with regard to SNI), it still returns the old certificate:
openssl s_client -showcerts -connect my.example.com:443 -servername my.example.com
If I, however, try re-adding the binding after viewing the certificate with netsh, the correct certificate appears. It seems to match the description of the issues with SNI linked above; however, none of the resolutions in those posts work for me.
I'm really starting to become puzzled by this - any idea on how to progress further? Thanks!
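To pin down which layer is serving the stale certificate, it helps to compare four thumbprints side by side: the one the IIS site binding refers to, the one HTTP.sys has registered for the hostname:port SNI binding, the one a client actually receives when it sends SNI, and the one it receives without SNI (which falls back to any IP:port binding). The script below is an added diagnostic, not code from the original post or from Win-Acme; it assumes the WebAdministration module is available and uses my.example.com and port 443 as placeholders.

```powershell
# Added diagnostic (not from the original post). Assumes the WebAdministration module is
# present and that my.example.com / 443 are placeholders for your own binding.
param(
    [string]$HostName = 'my.example.com',
    [int]$Port = 443
)

function Get-ServedThumbprint {
    # Opens a TLS session and returns the thumbprint of the leaf certificate presented.
    # Passing a hostname sends SNI; passing an IP literal normally sends no SNI extension.
    param([string]$ConnectTo, [int]$TargetPort, [string]$SniName)
    $tcp = New-Object System.Net.Sockets.TcpClient($ConnectTo, $TargetPort)
    try {
        # Accept any certificate: we only want to observe which one the server presents.
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($SniName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return $leaf.Thumbprint.ToUpper()
    } finally { $tcp.Close() }
}

# (a) Thumbprint the IIS site binding points at
Import-Module WebAdministration
$binding = Get-WebBinding -Protocol https |
    Where-Object { $_.bindingInformation -like "*:${Port}:${HostName}" }
$iisThumb = $binding.certificateHash

# (b) Thumbprint HTTP.sys has registered for the hostname:port (SNI) binding
$netsh = netsh http show sslcert hostnameport="${HostName}:${Port}"
$m = $netsh | Select-String 'Certificate Hash\s*:\s*([0-9A-Fa-f]+)'
$httpSysThumb = if ($m) { $m.Matches[0].Groups[1].Value.ToUpper() } else { '<no hostname:port binding>' }

# (c) What a client receives with SNI, and (d) without SNI (IP literal => IP:port fallback binding)
$ip = ([System.Net.Dns]::GetHostAddresses($HostName) | Select-Object -First 1).IPAddressToString
$sniThumb   = Get-ServedThumbprint -ConnectTo $HostName -TargetPort $Port -SniName $HostName
$noSniThumb = Get-ServedThumbprint -ConnectTo $ip       -TargetPort $Port -SniName $ip

[pscustomobject]@{
    IISBinding  = $iisThumb
    HttpSysSni  = $httpSysThumb
    ServedSni   = $sniThumb
    ServedNoSni = $noSniThumb
} | Format-List

if ($sniThumb -ne $iisThumb) {
    Write-Warning "Served certificate differs from the IIS binding; inspect the IP:port entries (e.g. 0.0.0.0:$Port) in 'netsh http show sslcert'."
}
```

If ServedSni matches ServedNoSni but not HttpSysSni, the hostname binding is being bypassed and an IP:port binding is answering instead; if HttpSysSni itself is stale, the problem is in HTTP.sys rather than in the IIS configuration.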