During the upgrade to Vault Professional 2026, the pre-check tool fails when IIS is configured with valid HTTPS bindings and an SSL certificate — even when everything is functioning correctly and accessible over HTTPS.
Problem Observed:
The installer attempts to access the file:
http://localhost:443/TestASP/TestASPNetStatic.txt
This is an invalid use of port 443, which is reserved for HTTPS.
This causes a false failure in the pre-check step "Checking ASP Status", even though:
IIS bindings are correctly set to "All Unassigned"
HTTPS is enabled and working
The certificate is valid and trusted under its assigned domain
Root Cause:
The pre-check tool is hardcoded to test localhost over HTTP, even when SSL is enabled.
It does not validate or accept HTTPS responses, nor does it adapt to hostname + certificate logic.
Users must resort to a workaround: temporarily removing HTTPS bindings from IIS to pass the installer check, which introduces risk and adds unnecessary steps.
Recommendation:
Update the Vault installer logic to support and properly verify HTTPS bindings.
Adjust the ASP test to use the correct URL scheme:
https://<server-FQDN>/TestASP/TestASPNetStatic.txt
Ensure the pre-check respects:
IIS bindings using "All Unassigned"
SSL certificates matching the FQDN or SAN
Functional HTTPS responses (including from internal or self-signed certificates)
Benefit:
This improvement would streamline enterprise deployments, eliminate unnecessary workarounds, and align Vault installation workflows with modern IT and security standards.
