Jason

Reputation: 101

How can I make ARR work with SSL offloading DISABLED? 502.3 Bad Gateway

So I have been hitting this error for days now. I have googled and googled, but nothing seems to resolve my scenario, and I am hoping someone out there can help.

The problem:

When I disable SSL offloading in ARR (Routing Rules) I receive the following:

502 - Web server received an invalid response while acting as a gateway or proxy server.

There is a problem with the page you are looking for, and it cannot be displayed. When the Web server (while acting as a gateway or proxy) contacted the upstream content server, it received an invalid response from the content server.

So, digging further, I enabled Failed Request Tracing to capture the error. The log offers the following info:

Warning - MODULE_SET_RESPONSE_ERROR_STATUS

ModuleName: ApplicationRequestRouting
Notification: EXECUTE_REQUEST_HANDLER
HttpStatus: 502
HttpReason: Bad Gateway
HttpSubStatus: 3
ErrorCode: 2147954430

Warning - SET_RESPONSE_ERROR_DESCRIPTION

ErrorDescription: The connection with the server was terminated abnormally

My Config:

2 x ARR/NLB Servers

2 x Content Servers

Basically, I am trying to accomplish load balancing and redundancy up front via NLB and ARR. I went by the book on all the configuration. These are all fresh installs with only the bare minimum components installed. The certificate is self-signed through AD CA. The Root CA is installed in Trusted Root Certification Authorities on all servers.

Everything works perfectly over port 80 (non-SSL) and when I enable SSL offloading in ARR. However, due to application constraints, I cannot enable offloading.

Hitting the content servers directly works fine via http and https (aside from browser warning about certificate).

I've tried installing the certificate on each server and selecting it in the site binding rather than selecting Centralized Certificate Store, but it doesn't seem to matter, as I get the same results when ARR is the requester.

Below I've attached the relevant config files. Many thanks in advance.

IIS/ARR administration.config

IIS/ARR applicationHost.config

Upvotes: 5

Views: 7177

Answers (7)

AndyWarby

Reputation: 331

Some really basic stuff to consider:

  1. Do the server names in the farm exactly match what is on their certificates? (E.g. are you using a shorter name rather than the FQDN?)

  2. Are you using a port other than the default 443? If so, make sure that when you 'Add Server' you go into the Advanced Settings and set the correct port numbers / hostname etc. These don't show anywhere in the UI once the server is added, so if you forget to do this it's not immediately obvious when reviewing your setup.

Upvotes: 0

dimmalo

Reputation: 43

The solution for me was to make sure that the Default Sites on IIS of the Content Servers had a secure binding and that, on them, SNI and Centralised Certificate Store were unchecked.

The issue we found was related to the ServerName (hostname) parameter not being passed over when the SSL Offload was not used in a load balanced scenario. Therefore, when the request reached the Content Servers, it didn't know which SSL binding to serve.

Upvotes: 0
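A small diagnostic for the two checks raised in the answers above (farm server names matching the certificate's SAN entries, and what a content server presents when the hostname is and is not sent via SNI). This is an added example, not code from the original question or answers; the hostname, port and CA file at the bottom are placeholders to replace with your own.

```python
import socket
import ssl

def san_matches(cert, hostname):
    """True if hostname matches a DNS SAN entry of a getpeercert()-style dict.

    A wildcard entry (*.corp.example) covers exactly one label, so it
    matches web1.corp.example but neither corp.example nor a.web1.corp.example.
    """
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".corp.example"
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
    return False

def probe(host, port, cafile, use_sni):
    """Handshake with one farm member, with or without SNI, and report whether
    the chain validates against cafile and whether the name it presented
    matches the name ARR would be given for it. 'error' is set on failure."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False           # name check is done below, separately
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must still validate against the CA
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host if use_sni else None) as tls:
                cert = tls.getpeercert()
                return {"sni": use_sni, "chain_ok": True,
                        "name_ok": san_matches(cert, host),
                        "san": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]}
    except (ssl.SSLError, OSError) as exc:
        return {"sni": use_sni, "chain_ok": False, "name_ok": False, "error": str(exc)}

if __name__ == "__main__":
    # Hypothetical farm member and exported internal root CA; replace with your own.
    for sni in (True, False):
        print(probe("content1.corp.example", 443, "corp-root-ca.pem", sni))
```

Run it from the ARR server against each farm member: a handshake that succeeds with SNI but fails without it points at the SNI/binding problem described above, while chain_ok being False with SNI points at the trust store, and name_ok being False at a short farm name versus the FQDN on the certificate.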

SH Leung

Reputation: 1

The SecureConnectionIgnoreFlags registry setting did not work for me on Windows 2016.

I also resolved it by removing and re-installing the Root, ISCCA, and Server certificates, as I'm using an internal CA.

After installing the certificates on the ARR Web Server, you need to set the content servers to Healthy through IIS -> Server Farms -> Application.

Upvotes: 0

Alon S

Reputation: 195

You don't need to have the same SSL certificate both ways.

You just need to make sure that both certs (if they are self-signed) are imported into your "Trusted Root Certification Authorities" store in certmgr.exe.

Another option is to have ARR ignore certain certificate errors in your registry https://learn.microsoft.com/en-us/iis/extensions/configuring-application-request-routing-arr/arr-support-added-for-winhttpoptionsecurityflags

Upvotes: 0

CWC

Reputation: 11

It has been a while, but this is the only post that directly referenced my issue.

Environment: ARR with centralized certs; farm web machines with centralized certs.

I had to move to NOT using SSL offloading and got 502.3.

The solution for me was to install the cert on the farm web machines using MMC and then give the app pool user Read rights on the private key. This was the only way to get the ARR to negotiate a secure connection.

Upvotes: 1

Dai Bok

Reputation: 3616

I have been getting the same error. This is how I resolved it.

You need to make sure the ARR server and the server you are targeting are using the exact same SSL certificate.

In my case they were the same, but the target SSL certificate somehow got corrupted or imported into IIS incorrectly.

Anyway, to resolve this, I removed all references to the corrupted SSL certificate on the target server, and then reinstalled the certificate.

I made sure that I could access this site on my target server by making a direct connection, bypassing the ARR server.

I hope this reference helps someone else.

Upvotes: 3

Juraj Janosik

Reputation: 11

You must have the same SSL certificate on the ARR and Application servers. And of course, on all servers you must enable HTTPS. So create a wildcard certificate for your domain and use it on both the ARR and Content servers.

Upvotes: 1
