
SSL automatically redirecting (unexpectedly)


An existing website that's been in production for years recently had its SSL certificate expire. To get a new certificate, I used IIS to generate a CSR which was processed and approved by the very well known Certificate Authority. They issued a .crt and .p7b to be installed in IIS.

The installation of both certificates in IIS 7.5 appeared to be flawless. Boy, was I excited at how straight-forward it seemed. (Specifically, I followed every step exactly as shown here: http://support.godaddy.com/help/article/4801/installing-an-ssl-certificate-in-microsoft-iis-7?locale=en&pc_split_value=4 )

However, there's a fatal problem. Every attempt by a visitor to access https://mydomain.com is automatically redirected to http://mydomain every single time (IE9, IE11, Safari, Firefox, Chrome on Windows, OS X, Android, iOS).

Why?


Things I have done:

  • In IIS, install the intermediate certificate (MMC > Snap-in)
  • In IIS, install the SSL certificate (Complete Certificate Request)
  • In IIS, set the site Bindings for https on 443 to use the SSL certificate
  • Made sure the Firewall was allowing http/s traffic on 443.
  • Used the Microsoft SSL Diagnostics tool to make sure the SSL certificate was associated with the site (including verification it has the private key, et cetera)
  • Verified the website code itself has no redirects (code hasn't changed in a year, but I checked anyway)
  • Verified the web.config to ensure there was no redirect
  • Verified there is no URL Rewrite Module installed


Important Note:

  • If I use any browser on the local server itself to access https://mydomain, then it works flawlessly. The site loads on a secure connection, the browser shows SSL encryption is active and identity verified. I tested in IE and Firefox both. Why would the certificate work when testing with the server's browser, but exhibit the redirect behavior whenever real world users attempt to access the site?
  • To verify it wasn't the certificate itself causing a problem, I later removed it and created a self-signed cert as a test. I set the bindings to use this self-signed cert. In this case, visitors to https://mydomain.com first saw the expected warning about untrusted certificate, then upon clicking through the warning visitors were immediately redirected to http://mydomain.com. So, the behavior happens no matter what certificate is installed. That was the point of the test. I've since removed the self-signed cert and reinstalled the real certificate.
  • Also, for fun, I ran a test where I disabled port 80 in the site bindings to try forcing an SSL connection (as the only option available). But attempts to access https://mydomain.com result in an attempted redirect to http://mydomain which obviously fails since IIS was configured to not respond to port 80.

Help?
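
To see which layer sends a visitor from https:// back to http://, it helps to inspect the raw response rather than let a browser follow it. The sketch below is an added example, not part of the original post: `classify_redirect`, the sample responses and the host `mydomain.example` are constructed for illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

# Response headers that often reveal which device or layer answered.
HINT_HEADERS = ("server", "via", "x-powered-by")

def classify_redirect(request_url: str, raw: bytes) -> dict:
    """Report how a raw HTTP response redirects and whether it drops HTTPS."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    text = body.decode("utf-8", "replace")

    mechanism, target = "none", None
    if 300 <= status < 400 and "location" in headers:
        mechanism, target = "http-3xx", headers["location"]
    elif "refresh" in headers:
        m = re.search(r"url\s*=\s*(\S+)", headers["refresh"], re.I)
        mechanism, target = "refresh-header", m.group(1) if m else None
    else:  # no header-level redirect: look for a client-side one in the body
        meta = re.search(r"<meta[^>]+http-equiv=[\"']?refresh[^>]*url\s*=\s*([^\"'>\s]+)", text, re.I)
        js = re.search(r"location(?:\.href)?\s*=\s*[\"']([^\"']+)", text, re.I)
        if meta:
            mechanism, target = "meta-refresh", meta.group(1)
        elif js:
            mechanism, target = "javascript", js.group(1)

    # Resolve relative targets against the request URL before comparing schemes.
    absolute = urljoin(request_url, target) if target else None
    downgrade = (bool(absolute) and urlsplit(request_url).scheme == "https"
                 and urlsplit(absolute).scheme == "http")
    hints = {h: headers[h] for h in HINT_HEADERS if h in headers}
    return {"status": status, "mechanism": mechanism, "target": absolute,
            "downgrade": downgrade, "hints": hints}

# Constructed sample responses (not captured from the site in the post).
SAMPLE_3XX = (b"HTTP/1.1 302 Found\r\nLocation: http://mydomain.example/\r\n"
              b"Server: ExampleProxy\r\nContent-Length: 0\r\n\r\n")
SAMPLE_META = (b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.5\r\n"
               b"Content-Type: text/html\r\n\r\n"
               b"<html><head><meta http-equiv=\"refresh\" "
               b"content=\"0; url=http://mydomain.example/\"></head></html>")

if __name__ == "__main__":
    for sample in (SAMPLE_3XX, SAMPLE_META):
        print(classify_redirect("https://mydomain.example/", sample))
```

Comparing the result for a request made on the server itself with one made from outside shows whether the same layer answers both.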

