Status: Solved

SSL Host Header Problem in IIS 6.0

Hi, I'm having some trouble getting the SSL certificate on our IIS 6.0 site working.

I generated a CSR and got the certificate, installed it in the Certificates snap-in as usual and added it using the Directory Security tab in IIS Manager like normal.

I then entered the command line command from the adminscripts folder to make SSL work with a host header where the two arguments are changed for the site:

cscript.exe adsutil.vbs set /w3svc/xxxxxxxxxx/SecureBindings ":443:secure.mysite.com"

For some reason the darn thing won't work! I even checked the internet DNS server to make sure the A record was in there for the domain and it sure is.

I've verified the certificate is installed and valid. The SecureBindings command went through just fine and says the header is added.

I'm not using a wildcard certificate, just a single common name certificate, but this should still work since I entered the secure bindings command for the matching host header.

It still won't work. Any ideas? Maybe this relates to the problem I'm having in question 22880718.

Asked by Pugglewuggle

1 Solution
meverest commented:
Hello,

So what do you actually mean when you say "It still won't work"? What do you see when you try to access http://secure.mysite.com?

Like, does it time out, show you some other web site than the one you expected, or display an error? If an error, what is it?

You do realise that you can only have one web site configured on port 443 for a given IP address, I guess?

You should look at all the web sites on your server, and blank out the ssl port (or set to some other value) except for the one you want to use.

You may as well remove the hostname part - that is not used in this situation.
Pugglewuggle (Author) commented:
The page errors out as if nothing were there: "Page cannot be found", instantaneously.

This is the only site on 443. IIS 6.0 doesn't support multiple SSL sites on 1 IP address because HTTPS doesn't do host headers... I know.

Any ideas?
meverest commented:
Firewall? Antivirus?

Try hitting the web server with a telnet client:

telnet secure.mysite.com 443

You should expect the client to connect (that is, you'll see a blank screen; hit Enter a few times to get some garbage response) rather than the telnet client failing to connect.

If the telnet client can't connect, then there is probably a firewall issue.

To be sure that IIS is listening, execute "netstat -a -n" and look for listening activity on port 443.

Cheers.
Pugglewuggle (Author) commented:
Yes, I am getting a connection.

I ran netstat and 443 is listening.

What's going on?
meverest commented:
Then maybe you don't have a default document set, or it doesn't exist. Try accessing some explicit file, e.g. http://secure.mysite.com/index.html or something like that.

Cheers.
Pugglewuggle (Author) commented:
This works over HTTP, but not HTTPS. Any file will work on HTTP with the subdomain "Secure" but whenever SSL is used, nothing works.
meverest commented:
I'm not sure that you installed the cert properly...

Did you get a SERVER certificate (not a client cert!)?

What do you see in IIS Manager if you right-click the web site, choose Properties, open the Directory Security tab, then click 'View Certificate'?

cheers.
Pugglewuggle (Author) commented:
Yes, I got a verisign certificate for a webserver using the CSR. I've done this at least 20 times and know how to do it. In this particular instance, however, I can't figure out what's wrong.

The certificate is installed and IIS shows it.
meverest commented:
OK, I'm running out of ideas.

Examine the list of web sites by opening IIS Manager, clicking on the 'Web Sites' node and adjusting the window size so that you can see all the IP address, HTTP port and HTTPS port details.

Make sure that they are all unique.

Cheers.

Pugglewuggle (Author) commented:
I have done this and this is the case. They are all unique. I've definitely never seen this problem before....
meverest commented:
OK, then I suggest that you reinstall the cert by using the IIS admin GUI rather than adsutil. The hostname is not required as part of the secure bindings, and so there may be some issue in that.

Cheers!
Pugglewuggle (Author) commented:
I just did that. Nothing happened. No difference at all. I even restarted IIS.

:(
meverest commented:
Try downloading the IIS 6 Resource Kit and running the SELFSSL utility on that web site. See if it gets your HTTPS going. If so, then apply the real certificate using the GUI again.

cheers.
Dave_Dietz commented:
First, IIS 6.0 *does* support the use of SSL with Host Headers after Windows 2003 SP1 is installed as long as all the sites can be covered with one (generally wildcard) certificate.

Since this is the only site using SSL you shouldn't specify a Host Header in the SecureBindings - especially if you don't have SP1 or later installed.

Second, this statement concerns me:
"I generated a CSR and got the certificate, installed it in the Certificates snap in as usual and added using the directory security tab in IIS manager like normal."

This is not the normal procedure for installing the certificate you get back after generating a CSR from the IIS wizard.  This is how you delete the pending request and end up with a certificate with no private key.  If you view the certificate in the MMC does it say it has a private key associated with it?

Dave Dietz
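The checks suggested in the answers above (telnet to 443 and netstat, unique IP/port pairs across sites, a host header left in SecureBindings, and Dave's question about whether the certificate actually has a private key) gathered into one script, as an added example. This is not code from the thread, from Pugglewuggle or from Microsoft. It assumes Windows Server 2003 with PowerShell 2.0 installed on the web server, the IIS 6.0 WMI provider (root\MicrosoftIISv2), and the hostname secure.mysite.com from the question; it is meant to be run on the server itself.

```powershell
# Added example: one pass over the checks suggested in this thread, for IIS 6.0
# on Windows Server 2003. Assumptions (not stated on the page): PowerShell 2.0 is
# installed on the web server, the IIS 6 WMI provider (root\MicrosoftIISv2) is
# present, and the site being diagnosed answers for the hostname below.
$HostName = 'secure.mysite.com'   # hostname from the question; adjust for your site

function Format-Bindings($bindings) {
    # Render an IIS 6 ServerBinding[] as "IP:Port:Hostname, ..."; $null -> ''.
    @($bindings | Where-Object { $_ } | ForEach-Object { "$($_.IP):$($_.Port):$($_.Hostname)" }) -join ', '
}

# --- 1. Bindings -------------------------------------------------------------
# List every site's HTTP and HTTPS bindings, then flag the two binding problems
# raised in the answers: a host header left in SecureBindings, and IP:443 owned
# by more than one site. An empty IP means "All Unassigned", so two sites both
# bound to ":443:" collide with each other.
$sites = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsWebServerSetting
$sslEndpoints = @()
foreach ($site in $sites) {
    '{0,-10} {1,-25} HTTP=[{2}]  HTTPS=[{3}]' -f $site.Name, $site.ServerComment,
        (Format-Bindings $site.ServerBindings), (Format-Bindings $site.SecureBindings)

    foreach ($b in @($site.SecureBindings | Where-Object { $_ })) {
        if ($b.Hostname) {
            Write-Warning ("{0}: SecureBindings carries host header '{1}'. A single SSL site does not need one, and SSL host headers need Windows 2003 SP1." -f $site.Name, $b.Hostname)
        }
        $sslEndpoints += ('{0}:{1}' -f $b.IP, $b.Port)
    }
}
$sslEndpoints | Group-Object | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning ("IP:port {0} is bound for SSL by {1} sites; only one site can own 443 on a given IP." -f $_.Name, $_.Count)
}

# --- 2. Certificate ----------------------------------------------------------
# The server certificate must sit in LocalMachine\My *with* its private key.
# Importing the CA response through the Certificates snap-in instead of
# completing the pending IIS request is exactly how a key-less cert appears.
$dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $name = $_.GetNameInfo($dnsType, $false)
    # Exact name match, or a wildcard cert that covers the host (loose -like match, diagnostic only).
    $name -eq $HostName -or ($name.StartsWith('*.') -and $HostName -like $name)
})
if ($certs.Count -eq 0) {
    Write-Warning "No certificate for $HostName found in LocalMachine\My."
}
foreach ($c in $certs) {
    'Cert {0}  thumbprint={1}  expires={2:yyyy-MM-dd}  hasPrivateKey={3}' -f $c.Subject, $c.Thumbprint, $c.NotAfter, $c.HasPrivateKey
    if (-not $c.HasPrivateKey) {
        Write-Warning 'Certificate has no private key, so IIS cannot use it for SSL. Re-create the request in IIS and complete the *pending* request with the CA response instead of importing it in the Certificates snap-in.'
    }
}

# --- 3. Handshake ------------------------------------------------------------
# The "telnet 443" check taken one step further: complete a TLS handshake, show
# which certificate the server actually presents, then send a request carrying
# the Host header so an HTTP-level 400/404 can be told apart from a TLS failure.
$tcp = $null
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
    # Diagnostic only: accept any certificate so we can inspect what came back.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($sender, $cert, $chain, $errors) $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($HostName)
    'TLS OK: server presented ' + $ssl.RemoteCertificate.Subject
    $req = [System.Text.Encoding]::ASCII.GetBytes("HEAD / HTTP/1.1`r`nHost: $HostName`r`nConnection: close`r`n`r`n")
    $ssl.Write($req, 0, $req.Length)
    $reader = New-Object System.IO.StreamReader($ssl)
    'HTTP status line: ' + $reader.ReadLine()
} catch {
    Write-Warning ('TLS/HTTP check failed: ' + $_.Exception.Message)
} finally {
    if ($tcp) { $tcp.Close() }
}
```

Run it from an elevated PowerShell prompt on the web server. A handshake that fails outright points at the certificate (typically the missing private key), while a successful handshake followed by "400 Bad Request" points at the bindings and host header rather than at SSL. Without PowerShell, the same binding value can be read back with the script already used in the question, `cscript.exe adsutil.vbs get /w3svc/<site id>/SecureBindings`, and the private-key question answered by opening the certificate in the Certificates MMC and looking for the "You have a private key that corresponds to this certificate" line.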
Pugglewuggle (Author) commented:
Hi Dave, thanks so much for responding after so long! I had read somewhere that that was the case but it could be circumvented...

The certificate does have a CSR associated with it, yes. The certificate is from a public CA and is correctly installed.

I was just thinking (and I have NO idea why this did not occur to me before): is the correct way to set up a subdomain with a secure certificate to create the subdomain as a separate site in IIS, generate a CSR with THAT site and then rekey the certificate, install it, and then create a virtual directory in that site (the subdomain site) that links to the global resources folder in the main site?

Thus I would actually create a separate site: secure.whatever.tld
and install a certificate there (adding a VD to that site in IIS manager that links to the global folder in the main site).

Am I thinking in the right direction? Is this the way to do it? Is this how you'd do it?

P.S. Can't wait for Server 2008 and the native SSL host header support!

Thanks so much for responding!
Dave_Dietz commented:
Your architecture sounds valid and should work.  I can't think of any more straightforward way to go about it.

As far as it being the 'correct' way, any way that works is correct.  :-)

Dave Dietz
Pugglewuggle (Author) commented:
Sweet! I got it all setup and it works already.

Hey though... I have another question you worked on a bit a few months ago that still hasn't been resolved... it's kind of annoying... check it out again. The question is 22880718.

I CANNOT get the host header for the main domain on the server setup with the IP address. Well, I set it up but NO MATTER WHAT when you browse to the server via the IP address (even though there's a host header in there for it) you get the Bad Request (Invalid Hostname) error. >:(

Thanks for the help on this one though!
Pugglewuggle (Author) commented:
Hey Dave -- one more question on this one -- how would YOU do that as far as the SSL/subdomain goes (completely disregarding what I did)? You're the expert, I want to learn from you.