Yesterday I tried to make our site server and distribution points SSL. There are a ton of guides on the internet for how to do this. I think I ended up using this one: https://sccmguy.com/2013/11/26/pki-certificates-for-configuration-manager-2012-r2-part-1-of-4-web-server-certificate/. However, when we were done, client communication stopped. Some of the relevant logs:
Successfully queued event on HTTP/HTTPS failure for server 'XXX'.
Post to https://XXX/ccm_system_windowsauth/request failed with 0x87d00231.
Error: Server certificate retrieved in TLS is not an exact match of the current MP encryption certificate.
Error: 0x80090322 authenticating server credentials!
Failed to signin bgb client with error = 80090322.
Fallback to HTTP connection.
[CCMHTTP] ERROR: URL=http://1982-X-MP-1-P01.xactware.com/bgb/handler.ashx?RequestType=LogIn, Port=80, Options=224, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE (EDIT: MANAGEMENT POINT IS ACCEPTING HTTPS ONLY SO I EXPECTED THIS ONE)
Selected certificate [thumbprint] issued to 'XXX' for HTTPS client authentication
Call to HttpSendRequestSync failed for port 443 with status code 403; text: Forbidden
To me this looks like a certificate issue. However, no matter what I've tried (added a common name in addition to the DNS name in the certificate, deleted and enrolled again for client and server side certificates, reinstalling the management point, 5 hours of other things I don't remember), I can't get rid of this error.
Aside from binding the SSL cert to the default website in IIS, is there anything else that needs to be done in IIS? Am I missing something else?
Appreciate any pointers,
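An added diagnostic script, not from the original post, for the "Server certificate retrieved in TLS is not an exact match of the current MP encryption certificate" line above: run on the management point, it shows which certificate the HTTPS listener actually presents on port 443 and compares it with the IIS binding and the Server Authentication certificates in the machine store, so a mismatch between the bound certificate and the one the MP expects, or a missing FQDN in the SAN, becomes visible. The FQDN parameter and the use of the WebAdministration module are assumptions.

```powershell
# Added diagnostic (not part of the original post). $MpFqdn is a placeholder; use the MP's FQDN as clients see it.
param([string]$MpFqdn = 'MP-FQDN-PLACEHOLDER.example.com')

Import-Module WebAdministration   # assumption: IIS management cmdlets are available on the MP

function Get-SanList([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Return the Subject Alternative Name extension as text (DNS names are what the client matches on)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
    if ($ext) { $ext.Format($true) } else { '<no SAN>' }
}

function Get-PresentedCertificate([string]$HostName, [int]$Port = 443) {
    # Open a TLS session and capture the certificate the listener serves.
    # Chain validation is deliberately bypassed here: we only want to see WHICH cert is presented.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

$presented = Get-PresentedCertificate -HostName $MpFqdn
"Presented on 443 : $($presented.Thumbprint)  $($presented.Subject)"
"  SAN            : $(Get-SanList $presented)"

# What IIS thinks is bound on https (certificateHash should equal the presented thumbprint)
Get-WebBinding -Protocol https | ForEach-Object {
    "IIS binding      : $($_.bindingInformation)  hash=$($_.certificateHash)"
}

# Candidate server certs in the machine store: the MP picks from these, so there should be exactly
# one usable match (private key present, Server Authentication EKU, FQDN in SAN).
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication' } |
    ForEach-Object {
        $sanOk = (Get-SanList $_) -match [regex]::Escape($MpFqdn)
        $flag  = if ($_.Thumbprint -eq $presented.Thumbprint) { '<- presented' } else { '' }
        "Store cert       : $($_.Thumbprint) key=$($_.HasPrivateKey) fqdnInSAN=$sanOk exp=$($_.NotAfter.ToShortDateString()) $flag"
    }
```

If the presented thumbprint differs from the IIS binding hash, or more than one Server Authentication certificate carries the FQDN, the MP and IIS can end up using different certificates, which is the condition that log line describes; after changing the binding, restart the SMS Agent Host on a test client so it re-reads the MP certificate.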