Internet Information Services
Microsoft web server software.
1,583 questions
Just an update:
If we regenerate a certificate on the same system, certificate with <% will still be generated.
Certificate with "<%" cannot be regocnized in IIS
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 27%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECL%3C/text%3E%3C/svg%3E)
Chu, Ling Rui
1
Reputation point
Hello,
Currently we put a certificate into an IIS and try to download it by Invoke-WebRequest.
The download failed and turns out to be due to the certificate contains "<%". 
Manually read by http also failed with 500:
Other certificate without this "<%" can be downloaded.
Any suggestion on this issue?
Thanks in advance.
Chu Ling Rui
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 70%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYD%3C/text%3E%3C/svg%3E)
Yurong Dai-MSFT 2,781 Reputation points Microsoft Vendor2022-09-16T07:02:36.863+00:00 Hi @Chu, Ling Rui ,
Did you get any error message when the download failed? How did you know that the certificate download failed because the certificate with "<%" could not be re-recognized in IIS? Any hints? -
Chu, Ling Rui 1 Reputation point
2022-09-16T07:27:41.863+00:00 Hi YurongDai,
Thanks for your reply.
The error message in IIS is GET |14|ASP_0116|Missing_close_of_script_delimiter - 10.205.66.12 - 500.
As for how do we discover "<%", we found some hint from the Internet and finally found .cer file with "<%" cannot be visited by IIS(without any MIME setting here.)
If we change the .cer into .txt or .crt, everything will be fine. Seems just the .cer issue in IIS.Currently we find two way to do it, maybe we can call it the workaround:
- firstly run DISM /online /disable-feature /featurename:IIS-ASP and set cer=>text/plain, the .cer with "<%" could be downloaded.
- change the .cer into .crt
Any suggestion on the solution for it?
Sign in to comment
4 answers
Sort by: Oldest
-
Chu, Ling Rui 1 Reputation point
2022-09-15T10:31:33.037+00:00 -
Chu, Ling Rui 1 Reputation point
2022-09-16T06:24:06.71+00:00 Hello,
This 3C 25 is static IP on the site, no way to change it.
Any good way to fix this issue?Thanks in advance.
ChuLingRui -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 68%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELT%3C/text%3E%3C/svg%3E)
Limitless Technology 43,941 Reputation points2022-09-16T09:00:50.907+00:00 Hello there,
The first thing that has to be checked is whether the website is accessible over http. You will need to have the website working on http first before continuing with this troubleshooter.
There could be many reasons. We will follow a step-by-step approach to solve this problem.
Troubleshooting SSL related issues (Server Certificate) https://learn.microsoft.com/en-us/iis/troubleshoot/security-issues/troubleshooting-ssl-related-issues-server-certificate
---------------------------------------------------------------------------------------------------------------------------------------
--If the reply is helpful, please Upvote and Accept it as an answer--
-
Chu, Ling Rui 1 Reputation point
2022-09-16T09:05:25.41+00:00 Hello,
Http works now. We can download the .cer if we manually change <% into < or % in the .cer file. And other .cer without the <% can be downloaded too.
And even we do not use https here but http, the same issue exists. We may try to follow the troubleshooting link you provided. Thanks for this.
Currently we may think this is a bug.
Sign in to comment -
-
MotoX80 31,581 Reputation points2022-09-16T12:43:45.097+00:00 The problem is that IIS's default handler mapping for .cer files is asp.dll. IIS is trying to "run" your cer file. You need to have .cer files treated as a StaticFile.
At the web site level, rename .cer to .cer-save or something like that.
Then in the mime type definitions, add an entry for .cer files for application/octet-stream.
Note: I don't know why the default IIS config is defined like that. Do this on a test server first to verify that it doesn't impact HTTPS sites.
PS C:\> Invoke-WebRequest localhost/test.cer StatusCode : 200 StatusDescription : OK Content : {60, 37, 32, 32...} RawContent : HTTP/1.1 200 OK Accept-Ranges: bytes Content-Length: 343 Content-Type: application/octet-stream Date: Fri, 16 Sep 2022 13:06:47 GMT ETag: "6d1e2cb1c2c9d81:0" Last-Modified: Fri, 16 Sep 2022 11:5... Headers : {[Accept-Ranges, bytes], [Content-Length, 343], [Content-Type, application/octet-stream], [Date, Fri, 16 Sep 2022 13:06:47 GMT]...} RawContentLength : 343-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 1%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELC%3C/text%3E%3C/svg%3E)
LingRui Chu 1 Reputation point2022-09-19T06:06:56.89+00:00 @MotoX80 Thank you so much for this information. This helps a lot.
This explains why .crt file with the same content is OK to be downloaded while .cer couldn't.
.crt is treated as StaticFile while .cer is treated by asp.dll as SecurityCertificate by default.
And this we-do-not-know-why default configuration comes from enabling ASP features.Since we have no idea about the default configuration, I guess we may try the safer way by renaming .cer to .crt.
Sign in to comment -