
IIS 503 "Service Unavailable" over HTTPS, HTTP works fine

I have a web site running in IIS 7.5. When I access the site over HTTP, everything works fine. When I run the site over HTTPS, I immediately get an HTTP 503 error "Service Unavailable". The SSL certificate used on the site is self-generated/self-signed.

Here are the solutions that I've seen for similar problems that do not apply to this scenario:

  • User identity is outdated
    • Reason: The same App Pool that runs successfully under HTTP is used with HTTPS
  • App pool user's password changed
    • Reason: The same App Pool that runs successfully under HTTP is used with HTTPS
  • Set "Load User Profile" to false
    • Reason: This is already set to false. Again, the same App Pool that runs successfully under HTTP is used with HTTPS
  • .NET regiis
    • Reason: Site/.NET already runs successfully over HTTP, and the site never appears to hit the .NET code as the 503 error comes back immediately, even after an IIS reset, or web.config modification
  • Restart IIS
    • Reason: I tried this
  • Restart app pool
    • Reason: I tried this
  • Site > Advanced Settings > Enabled Protocols > http, https
    • Reason: I tried this

Solution

  • The commenter Chad Cothern on this blog had the answer and linked to this Microsoft Blog by BretB. The problem in this case is that everything on port 443 has been reserved and "prevents W3SVC from obtaining the rights to listen on port 80 when it tries to start the site. Furthermore, applications that run in IIS do not need explicit reservations to run, only non-IIS applications have to reserve a URL namespace if they want to use HTTP to listen for requests."

    Here are the steps to determine if this is the problem and how to resolve it:

    1. Open the Command Prompt
    2. Run: netsh http show urlacl url=https://+:443/
    3. If something is there, then this is your problem. Port 443 is completely reserved and is blocking IIS.
      • If there is a need to reserve port 443 for an application running outside of IIS, it needs to be registered with an application path (i.e. http://+:443/appPath)
      • If there is nothing there, then this might not be the issue. No need to continue.
    4. Run: netsh http delete urlacl https://+:443/
    5. Try running your application again.

    Note that you can also check port 80, or any other port, using this method. For instance, if port 80 is reserved and 443 is not, then the site over HTTPS would work, while HTTP would not.

    [Screenshot: the above commands and their results]
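An added PowerShell script (not part of the original answer) that automates steps 2 to 4 above for both port 80 and 443: it parses `netsh http show urlacl`, flags reservations that claim the whole port (path `/`) rather than an application path, and deletes them only when run with `-Remove`, honouring `-WhatIf`/`-Confirm`. It assumes an elevated shell and `netsh` on the PATH; the `Get-UrlReservation` and `Test-BlocksIis` names are my own.

```powershell
# Added example: audit HTTP.sys URL reservations for the ports IIS needs and
# report (optionally remove) root-of-port reservations that stop W3SVC binding.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int[]]$Ports = @(80, 443),
    [switch]$Remove   # delete blocking root reservations (supports -WhatIf/-Confirm)
)

# Parse `netsh http show urlacl` into one object per reservation with its ACL users.
function Get-UrlReservation {
    $entries = @()
    $current = $null
    foreach ($line in (netsh http show urlacl)) {
        if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') {
            if ($current) { $entries += $current }
            $current = [pscustomobject]@{ Url = $Matches[1]; Users = @() }
        }
        elseif ($current -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $current.Users += $Matches[1]
        }
    }
    if ($current) { $entries += $current }
    return $entries
}

# A reservation owns the whole port when its path is just "/" (e.g. https://+:443/).
# Reservations with an application path (https://+:443/appPath/) coexist with IIS sites.
function Test-BlocksIis {
    param([string]$Url, [int[]]$Ports)
    if ($Url -match '^(https?)://[^/]+:(\d+)(/.*)$') {
        $port = [int]$Matches[2]
        $path = $Matches[3]
        return ($Ports -contains $port) -and ($path -eq '/')
    }
    return $false
}

$blocking = Get-UrlReservation | Where-Object { Test-BlocksIis -Url $_.Url -Ports $Ports }
if (-not $blocking) {
    Write-Host "No root-of-port reservations on $($Ports -join ', '); URL ACLs are not the cause."
    return
}
foreach ($r in $blocking) {
    Write-Warning "$($r.Url) is reserved for: $($r.Users -join ', ') (IIS cannot bind this port)"
    if ($Remove -and $PSCmdlet.ShouldProcess($r.Url, 'netsh http delete urlacl')) {
        netsh http delete urlacl "url=$($r.Url)"
    }
}
```

Run it without `-Remove` first to see which account holds the reservation; if that account belongs to a non-IIS service that genuinely needs the port, re-register it under an application path instead of deleting it.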