If you find yourself running into this error, here’s one solution that you might not find elsewhere (at least at the time of this writing). Look at the SSL Settings > Require SSL checkbox for the SharePoint Web Services site and its SecurityTokenServiceApplication subnode, and make sure that it is unchecked, because SharePoint accesses it locally over port 80.
This is an obscure self-own, but if you like to set your IIS configuration via script, it’s easy to accidentally set this and (seemingly) brick your WFE.
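Since the setting tends to get flipped by script, it can be checked by script as well. The following is an added example, not part of the original post: it reads the `sslFlags` attribute (the value behind the Require SSL checkbox) for the two nodes named above using the WebAdministration module, and the `-Fix` switch is a hypothetical parameter of this sketch that clears the flag.

```powershell
# Added example: audit (and optionally clear) "Require SSL" on the two nodes
# named in the post. Run in an elevated PowerShell session on the server.
param([switch]$Fix)   # hypothetical switch for this sketch: -Fix clears the flag

Import-Module WebAdministration

$filter = 'system.webServer/security/access'

# Site and application names as given in the post; adjust if yours differ.
$locations = @(
    'SharePoint Web Services',
    'SharePoint Web Services/SecurityTokenServiceApplication'
)

foreach ($location in $locations) {
    $raw = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location $location -Filter $filter -Name 'sslFlags'

    # Assumption: the flags normally come back as a string such as
    # "Ssl,SslNegotiateCert"; fall back to .Value if an object is returned.
    $flags = if ($raw -is [string]) { $raw } else { [string]$raw.Value }

    # sslFlags is a comma-separated list; the "Ssl" token is the Require SSL box.
    $tokens     = $flags -split ',' | ForEach-Object { $_.Trim() }
    $requireSsl = $tokens -contains 'Ssl'

    # Emit one report row per node so the result can be piped or logged.
    [pscustomobject]@{
        Location   = $location
        SslFlags   = $flags
        RequireSsl = $requireSsl
    }

    if ($requireSsl -and $Fix) {
        # 'None' also drops any client-certificate flags set on this node.
        Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Location $location -Filter $filter -Name 'sslFlags' -Value 'None'
        Write-Warning "Cleared Require SSL on '$location'"
    }
}
```

Run without `-Fix`, the script only reports, which makes it usable as a post-deployment check after any scripted IIS change.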
I recently ran into the following error while trying to upgrade SharePoint 2016:
Exception: Microsoft.SharePoint.Upgrade.SPUpgradeException: Action 126.96.36.199 of Microsoft.SharePoint.Upgrade.SPIisWebSiteWssSequence failed. ---> System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.SharePoint.Upgrade.RemoveAppDataWebConfig.RemoveAppDataEntries(XmlDocument webConfig)….
This update was being run on a farm server that had previously hosted the Central Administration application. When CA had been moved to the new server, the previous CA installation had not yet been removed. Simply running Remove-SPCentralAdministration within a SP Management Shell (likely run as Administrator) on the “old” server removed the unused CA installation and allowed the SharePoint upgrade to complete successfully.