SSRS SSL Certificate Nightmare

28 Jun
June 28, 2011

I write this post after a hellish experience that lasted a couple of hours trying to sort out the SSL certificate for SSRS.

Basically the story goes like this…

Our SSL Certificate was due to expire on our SSRS Web Farm box, so we decided to renew it, even though the application is an internal reporting tool, but hey.

So basically what we did is renew our certificate (from CACert), which means we got issued with a new certificate, and then we went into IIS (7.0) to delete the old certificate (with Export) and upload the new certificate… everything is fine up to this point.

We have also registered the certificate in the “Trusted Root Certification Authorities” on Local Computer.

When I tried to hook-up the new certificate to SSRS (in Reporting Services Configuration Manager\Web Service URL), it gave me the following error message:
Microsoft.ReportingServices.WmiProvider.WMIProviderException: An SSL binding already exists for the specified IP address and port combination. The existing binding uses a different certificate from the current request. Only one certificate can be used for each IP address and port combination. To correct the problem, either use the same certificate as the existing binding, or remove the existing SSL binding and create a new binding using the certificate of the current request.

Which means a IP:Port combination was still bound to the old certificate. Probably one of the more sensible error messages you get in SSRS.

In order to check what certificate is bound to which IP:Port combination, I used the following CommandLine command:
netsh http show sslcert

And sure enough, the old certificate was still bound to the following IP:Port combination:
[::]:443

This seems to be a binding setup by SSRS itself, rather than IIS, so if you delete the certificate before you actually remove it from SSRS, you end up with a stray binding entry for the old certificate.

Anyway to resolve the issue, all you need to do is issue a command to delete the binding for this specific IP:Port combination:
netsh http delete sslcert ipport=[::]:443

Then you can rebind SSRS Web Service URL to your SSL Certificate, and all should be cool and dandy!

Goodluck, hope this will save you some time!

UPDATE (2011/12/07): If you have your SSRS Service running on a Windows 2003 machine, then you will need to use httpcfg.exe to configure SSL Certificate Binding on HTTP and HTTPs. For more details on how to use httpcfg.exe, you can refer to the MSDN documentation on Configuringing HTTP and HTTPS or the syntax documentation for the httpcfg.exe command itself

The command to remove SSL certificates on Windows 2003 might look something like this:
httpcfg.exe delete ssl /h [SSL-HASH]

Where [SSL-HASH] is the hash value of the SSL certificate.

* * * ½   3 votes
16 replies
  1. H says:

    This fixed it for me entirely ! I was installing Dynamics CRM 2011, and the pre install checks listed the reporting services cert as invalid.

    Note that after applying this fix, Reporting Services still said it couldn’t bind, but CRM install works perfectly now :)

    Reply
  2. Ryan says:

    Awesome! This was key for getting my SharePoint SSRS integration working again (no thanks to an IT guy who hosed it in the first place)

    Reply
  3. amit says:

    thanks for sharing. any idea how to delete the binding in Win 2003? i have the exact same error and the old binding is not getting removed. these cmds don’t work in 2003….

    Reply
    • admin says:

      Good point!

      I have updated the post to include handling deleting SSL certificates under Win 2003 machines. (by using the httpcfg.exe command instead).

      Now I haven’t got a Win03 server to test this on, so please be careful :)

      Reply
  4. Vuong says:

    Excellent! Fix the issue right away. Thanks for sharing. Cheers.

    Reply
  5. David says:

    Thanks for this post – the “netsh http show sslcert” was very helpful. It showed me that even though the RS Configuration Manager had the bindings there was no list of it from that command.

    What worked for me when attempting to renew/replace the SSL cert.

    1. remove both the Web service url and Report Manager URL bindings for 443.
    2. add the binding back with the new SSL cert selected.

    Straight forward I guess but previously I’d tried to just updated the SSL cert with to the existing entries. That was a failure.

    Reply
  6. Michael says:

    Awesome. This article was crucial after spending hours battling with SSRS and certs.

    Reply
  7. Paul Goldy says:

    Thanks. This was a real time saver chasing the binding issues with SSRS and managing certificates.

    Reply
  8. Stu says:

    Great, after lots of other suggestions, this was the one that fixed it for me. Although after removing the cert in the SQL Reporting Services GUI, only the 0.0.0.0:443 binding remained. Deleting that allowed the new cert to be added. Fantastic!

    Reply
  9. Sandon says:

    Thanks for sharing this info saved me a great deal of time!
    Much appreciated…

    Reply
  10. MariusG says:

    Something you posted years ago which now comes to my aid, thank you so much, let’s all learn a lesson from taking a bit of time out to share our learnings and experiences and so make this IT Community a great one, world wide, again THANKS!

    Reply
  11. Ian says:

    Wow, this worked very well! I think we only needed to work on this for ~10 minutes. We had to make sure we only removed the one for the SSRS instance IP address and not the others on the same machine. Instead of [::]:443 we did the IP address and :443 at the end. But this worked great and thank you for having this post!

    Reply
  12. Nick says:

    Thanks for this, first google hit solved the issue! :)

    Reply
  13. Javier Rapoport says:

    You saved me from so many headaches! Had to comment to thank for doing such a clear and thorough post. Hopefully it stays as the first hit in Google!

    Reply
  14. T says:

    Thanks – this was so helpful!

    Reply

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply to T Cancel reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>