Clients not getting self singed certs

[TeachMeSCCM]

So I have two servers

One I think it was created and the other I copied it; can i just delete them both and have them re created 

So my 01 has this

IF I set it to check box I can go to browse 403 and takes me the IIS page ie it works  

 

My 02

 

Still gives me this and when I go to the browse the 403 web page to check the cert

 

This is my 02 this is my IIS page so there is an issue I still have this error I only have 1 thing to Select for the SMS Role SSL Certificate? 

 

I'm going to try to reinstall some clients on my 01 and see if takes 

Let me know thanks for the help so far. This is such a mess.

Edited September 17, 2021 by TeachMeSCCM

[SCCMentor]

I tested this. I unchecked the box to remove eHTTP. I deleted the SMS Role SSL Certificate certificate from local machine. I wasn't able to select Not Selected - greyed out like you said. I then re-enabled eHTTP, it recreated the SMS Role SSL Certificate and I then set this in IIS.

[TeachMeSCCM]

When you say you deleted your I deleted the SMS Role SSL Certificate certificate from local machine this is from the Server

This would be the one in the SMS folder? Personal Folder? Or Secure Folder?

Can you show me on the MMC I think I need to do this; also when I go to binding do I need to have the Server host name here? and have Required Server Name Checked 

I noticed when I did I was able to browse to port 443 via the IIS but like i said my 02 I'm unable to.

 

My 01 issuer of the certificate could not be found but works via IIS

My 02 this certificate is ok runs into error browse via IIS

I'm thinking the 02 still has my copy and i just need to delete it and re do it; I'm still getting the same errors installing on my 01 might try a reboot after hours and report back

 

[TeachMeSCCM]

So i went ahead and deleted the old certs and did what SCCMentor said to delete the EHTTP with the Site Check and ensure a new SMS role is install.  what's strange is my 02 will recreate the SSM Role SSL Certificate  and auto re add it; my 01 i have to manually import it but it does re add.

They both give me cert errors when going to 443 via IE see screen shot above.

This is on my 02 fresh install client after cleanup

 

Both of the SMS Role SSL Certifcate give me

Is there any setting in IIS I am missing? Most are check to ignore certificate 

 

 

 

I was not getting Retrieved key 'ConfigMgrPrimaryKey' from provider Microsoft Software Key Storage Provider    ClientIDManagerStartup    9/19/2021 9:41:57 PM    6352 (0x18D0)

This is good. I also see it gets a SMS cert but it still never finishes the setup and still shows up Certificate None

I doubled checked and this is good as my

http://mysccm/sms_mp/.sms_aut?mplist goes to the XML file on both of my servers

http://mysccm/sms_mp/.sms_aut?mpcert works on both of my servers goes the the MPcertificate path with the long text

 

Just kind of stuck on what to try next.

 

 

Edited September 20, 2021 by TeachMeSCCM
Added more info

[TeachMeSCCM]

Here is my CCmexec log from one of my failed cert clients

 

 

This Error registering hosted class '{53C46006-E1C5-4AD1-89B3-B8332D1B17EA}'. Code 0x80040111    CcmExec    9/20/2021 3:44:53 PM    15444 (0x3C54)

This Error registering hosted class Code 0x80040111 

This doesn't not give me much to work out; been looking for all articles on this error goes back to mp issues.

I will try another Management Point reinstall as from my last set of logs the certs look like they are applying. 

[TeachMeSCCM]

So I reinstalled both MP's one I did the HTTPS to HTTP and my main wouldn't take so I completed deleted via the SCCM console and re added it

Was getting the same errors So i went back to the tell it to look for the SMS string under the PKI and also without both give me the same type of errors

 

Here is the SMS

Just sits and never registers the client. Client Certificate None

Here is the CCMecec on the SMS

 

This a Failed to raise pending event as ClientID is not available, I have looked and not found many working links for this issue.

 

Same Error type of my other machine

 

Same Ccmexec.log error

 

Two different machines 

[TeachMeSCCM]

So I wasn't getting anywhere with the self singed so I changed over to HTTPS and did the full patchmypc PKI guide

 

 

Can you confirm it's getting the PKI cert correctly here also it's still stuck on Client registration. I'm going to do a reboot after hours to see if that will fix the issue. 

I think the PKI is working from this log; I'm able to view the IIS from each site goes to the correct page boundries are good. I hope I don't have a messed up IIS setting or something

I did changed over the required SSL cert and set the correct certs to ignore. 

[anyweb]

take a look at my two posts here, they cover everything you need to convert to https, they'll cover a bit more than Justins excellent video, so do please verify you didn't miss anything

• How can I configure System Center Configuration Manager in HTTPS mode (PKI) - Part 1
• How can I configure System Center Configuration Manager in HTTPS mode (PKI) - Part 2

also, keep in mind that certs can expire, and when they do you'll have issues, like this

https://www.niallbrady.com/2020/08/16/how-can-i-replace-an-expired-iis-certificate-in-a-pki-enabled-configmgr-environment/

if you want to really test PKI is working then try pxe boot (operating system deployment), if it fails you'll see it failing quickly in the logs, and that'll be a clue that you've missed something,

also, on PKI managed clients, your configmgr client agent should report that the client is PKI, like this...

[TeachMeSCCM]

I was still getting the same clients just never installing just sitting on registration even with PKI

I even manually added the PKI from AD and the clients did the same thing; as I posted above so i went back to E http and it's still doing the same thing.

I'm trying to get someone at Microsoft support to help me out; running out of ideas before I have to just scrap this and rebuild.

[TeachMeSCCM]

Question i did the whole reinstall this is NONE pki; i'm staying with EHTTP as I can't open my pki stuff with our network team at this time. Why do I have a cert under the SMS I had the system recreate it; still getting the same errors

 

Small update I have a pending ticket with MS support about this and noticed another person reddit with the same issue as me; I think it has to do with the certs expiring and not being created correctly. Still fishing for more. But I'll update this thread so once I get it solved with a solution. I'm still open to ideas. Ms support is a bit slow.