Document reasons for error 12175 (ERROR_WINHTTP_SECURE_FAILURE) in WinHttpSendRequest

description

The number 12175 is ERROR_WINHTTP_SECURE_FAILURE, which indicates an error in the SSL layer.
 
WinHttpSendRequest will fail with that error when there is a problem with the SSL configuration. The way SSL works: when a client sends out a request over SSL, the server replies with a certificate that is signed by a certifying authority (CA). The 12175 error indicates a revoked certificate, an untrusted CA, a mismatch between the certificate and the hostname, or some other similar SSL misconfiguration problem. In Windows, you can manage the trusted CA list via the certmgr.msc control panel applet. In Windows 7 I believe there is a certutil tool you can use from the command line.
 
Often people install the certificate for the target server into the trusted CA list for a user account on the server, and then test it by running IE on the server to verify SSL connectivity with the target. Based on that successful outcome, they conclude that everything in the HTTPS flow from the IIS server to the desired target of the proxy is "working fine." But when executing a ProxyPass, IIS/IIRF does not use a user account to send out the HTTPS request; it uses the IIS account. The IIS account is the one that needs the CA of the target host on its trusted CA list. To check this, start mmc.exe, load the certmgr.msc and select "machine account"; then install the required CA.
 
I will include this information in the IIRF documentation. Not sure anyone reads it, but at least I can document it.
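
The user-store versus machine-store difference described above can be checked directly on the IIS server. The following PowerShell script is an added example, not part of IIRF or of the original report: it captures the target's certificate and builds its chain once in the current-user context and once in the machine context. The host name `backend.example.internal` and the function names are placeholders chosen for this example, and it covers the trust and revocation causes only, not the hostname mismatch.

```powershell
# Added example (not IIRF code). 'backend.example.internal' is a placeholder host.
param([string]$TargetHost = 'backend.example.internal', [int]$Port = 443)

function Get-ServerCertificate {
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever the server presents: the handshake is used only to
        # capture the certificate for inspection; no request data is sent.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }
}

function Test-ChainInStore {
    param($Certificate, [bool]$UseMachineContext)
    # $true  = trust decisions use only the machine stores (what a service sees)
    # $false = trust decisions also use the stores of the logged-on user
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($UseMachineContext)
    $chain.ChainPolicy.RevocationMode = 'Online'   # also surfaces revoked certificates
    $trusted = $chain.Build($Certificate)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $status) { $status = 'NoError' }
    [pscustomobject]@{
        Context = if ($UseMachineContext) { 'LocalMachine' } else { 'CurrentUser' }
        Trusted = $trusted
        Status  = $status
    }
}

$cert = Get-ServerCertificate -HostName $TargetHost -Port $Port
"Subject: $($cert.Subject)"
"Issuer:  $($cert.Issuer)"
$false, $true |
    ForEach-Object { Test-ChainInStore -Certificate $cert -UseMachineContext $_ } |
    Format-Table -AutoSize
```

A result of `Trusted = True` for CurrentUser together with `UntrustedRoot` for LocalMachine is the situation described above: the CA was installed for a user account only.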
