Asked by Pugglewuggle
SSL Host Header Problem in IIS 6.0

Hi, I'm having some trouble getting the SSL certificate on our IIS 6.0 site working.

I generated a CSR and got the certificate, installed it in the Certificates snap in as usual and added using the directory security tab in IIS manager like normal.

I then entered the command line command from the adminscripts folder to make SSL work with a host header where the two arguments are changed for the site:

cscript.exe adsutil.vbs set /w3svc/xxxxxxxxxx/SecureBindings ":443:secure.mysite.com"

For some reason the darn thing won't work! I even checked the internet DNS server to make sure the A record was in there for the domain and it sure is.

I've verified the certificate is installed and valid. The SecureBindings command went through just fine and says the header is added.

I'm not using a wildcard certificate, just a single common name certificate, but this should still work since I entered the secure bindings command for the matching host header.

It still won't work. Any ideas? Maybe this relates to the problem I'm having in question 22880718.

meverest:

Hello,

So what do you actually mean when you say "It still won't work"? What do you see when you try to access http://secure.mysite.com?

Like, does it time out, or show you some other web site than you expected, or display an error? If an error, what is it?

You do realise that you can only have one web site configured on port 443 for a given ip address I guess?

You should look at all the web sites on your server, and blank out the SSL port (or set it to some other value) except for the one you want to use.

You may as well remove the hostname part - that is not used in this situation.
Pugglewuggle (ASKER):

The page errors out as if nothing was there: page cannot be found, instantaneously.

This is the only site on 443. IIS 6.0 doesn't support multiple SSL sites on 1 IP address because HTTPS doesn't do host headers... I know.

Any ideas?

Firewall? Antivirus?

Try hitting the web server with a telnet client:

telnet secure.mysite.com 443

You should expect the client to connect (that is, you'll see a blank screen; hit enter a few times to get some garbage response) rather than the telnet client failing to connect.

If the telnet client can't connect, then there is probably a firewall issue.

To be sure that IIS is listening, execute "netstat -a -n" and look for listening activity on port 443.

Cheers.

Yes, I am getting a connection.

I ran netstat and 443 is listening.

What's going on?

Then maybe you don't have a default document set or existing. Try accessing some explicit file, e.g. http://secure.mysite.com/index.html or something like that.

Cheers.

This works over HTTP, but not HTTPS. Any file will work on HTTP with the subdomain "secure", but whenever SSL is used, nothing works.

I'm not sure that you installed the cert properly...

Did you get a SERVER certificate? (Not a client cert!)

What do you see in IIS Manager when you right-click the web site, choose Properties, go to the Directory Security tab, then click 'View Certificate'?

Cheers.

Yes, I got a VeriSign certificate for a web server using the CSR. I've done this at least 20 times and know how to do it. In this particular instance, however, I can't figure out what's wrong.

The certificate is installed and IIS shows it.

OK, I'm running out of ideas.

Examine the list of web sites by opening IIS Manager, click on the 'Web Sites' node and adjust the window size so that you can see all the IP address, HTTP port and HTTPS port details.

Make sure that they are all unique.

Cheers.

I have done this and this is the case. They are all unique. I've definitely never seen this problem before....

OK, then I suggest that you reinstall the cert by using the IIS admin GUI rather than adsutil. The hostname is not required as part of the secure bindings, and so there may be some issue in that.

Cheers!

I just did that. Nothing happened. No difference at all. I even restarted IIS.

:(

Try downloading the IIS 6 Resource Kit, and run the SELFSSL utility on that web site. See if it gets your HTTPS going. If so, then apply the real certificate using the GUI again.

Cheers.

First, IIS 6.0 *does* support the use of SSL with Host Headers after Windows 2003 SP1 is installed, as long as all the sites can be covered with one (generally wildcard) certificate.

Since this is the only site using SSL you shouldn't specify a Host Header in the SecureBindings - especially if you don't have SP1 or later installed.

Second, this statement concerns me:
"I generated a CSR and got the certificate, installed it in the Certificates snap in as usual and added using the directory security tab in IIS manager like normal."

This is not the normal procedure for installing the certificate you get back after generating a CSR from the IIS wizard. This is how you delete the pending request and end up with a certificate with no private key. If you view the certificate in the MMC, does it say it has a private key associated with it?

Dave Dietz
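The troubleshooting ladder the thread walks by hand (can a client reach port 443 at all, does the TLS handshake complete, does IIS then answer an HTTP request, and does the certificate actually name the host being requested) can be run as one script, so that the first failing stage is reported instead of a bare "page cannot be found". This is an added example, not code posted by anyone in the thread; the hostname secure.mysite.com, the sample netstat -a -n output and the certificate dictionaries are constructed, and the name-matching helper also handles the wildcard case Dave mentions for multi-site SSL.

```python
"""Stage-by-stage HTTPS diagnostic for a single-hostname IIS site.

Added example for this thread, not code posted by any participant.
Hostnames, the sample netstat output and the certificate dicts are constructed.
"""
import socket
import ssl
import sys
from dataclasses import dataclass
from typing import Optional

# Constructed 'netstat -a -n' output in the Windows layout, for offline use.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:443         198.51.100.7:51234     ESTABLISHED
"""


def listening_addrs(netstat_output: str, port: int) -> list:
    """Parse 'netstat -a -n' text and return the local addresses LISTENING on port.

    An empty list means nothing has bound the port at all, which points at the
    site's SSL port / secure bindings rather than at the certificate itself.
    """
    addrs = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP":
            continue
        addr, _, lport = parts[1].rpartition(":")
        if parts[-1].upper() == "LISTENING" and lport == str(port):
            addrs.append(addr)
    return addrs


def name_matches(cert: dict, hostname: str) -> bool:
    """Does the certificate (as returned by SSLSocket.getpeercert()) cover hostname?

    SAN dNSName entries take precedence; the subject CN is used only when there
    are none.  A '*.' wildcard matches exactly one label, so '*.mysite.com'
    covers 'secure.mysite.com' but not 'a.b.mysite.com' or 'mysite.com'.
    """
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    host = hostname.lower().rstrip(".")
    for name in (n.lower() for n in names):
        if name.startswith("*."):
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


@dataclass
class ProbeResult:
    stage: str            # "tcp", "tls", "http" (first stage that failed) or "ok"
    detail: str
    cert: Optional[dict] = None


def probe_https(host: str, port: int = 443, timeout: float = 5.0) -> ProbeResult:
    """Same ladder as telnet -> TLS handshake -> HTTP request, stopping at the first failure."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ProbeResult("tcp", f"TCP connect to {host}:{port} failed ({exc}); firewall or nothing listening")
    ctx = ssl.create_default_context()          # verifies the chain and the hostname
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except OSError as exc:                      # ssl.SSLError is an OSError; so is a reset
        sock.close()
        return ProbeResult("tls", f"TCP connected but TLS handshake failed ({exc}); binding/certificate problem")
    cert = tls.getpeercert()
    try:
        tls.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii"))
        status = tls.recv(4096).split(b"\r\n", 1)[0].decode("ascii", "replace")
    except OSError as exc:
        return ProbeResult("http", f"TLS {tls.version()} established but no HTTP reply ({exc})", cert)
    finally:
        tls.close()
    return ProbeResult("ok", status, cert)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "secure.mysite.com"   # constructed default
    print("sample netstat shows 443 bound on:", listening_addrs(SAMPLE_NETSTAT, 443))
    result = probe_https(target)
    print(f"[{result.stage}] {result.detail}")
    if result.cert:
        print("certificate names the host:", name_matches(result.cert, target))
```

A "tcp" result corresponds to the telnet test failing; "tls" is the case this thread is about (telnet connects, netstat shows 443 listening, HTTP works, but the SSL binding or a certificate without its private key cannot complete the handshake); "http" means the TLS side is fine and the default document or site content is the problem. Run it from a client outside the server's own firewall, since a probe from localhost can pass where remote clients are blocked.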
ASKER CERTIFIED SOLUTION
Pugglewuggle

Your architecture sounds valid and should work.  I can't think of any more straightforward way to go about it.

As far as it being the 'correct' way, any way that works is correct.  :-)

Dave Dietz

Sweet! I got it all set up and it works already.

Hey though... I have another question you worked on a bit a few months ago that still hasn't been resolved... it's kind of annoying... check it out again. The question is 22880718.

I CANNOT get the host header for the main domain on the server setup with the IP address. Well, I set it up but NO MATTER WHAT when you browse to the server via the IP address (even though there's a host header in there for it) you get the Bad Request (Invalid Hostname) error. >:(

Thanks for the help on this one though!

Hey Dave -- one more question on this one -- how would YOU do that as far as the SSL/subdomain goes (completely disregarding what I did)? You're the expert, I want to learn from you.