Solved

SSL Host Header Problem in IIS 6.0

Posted on 2007-10-17
Last Modified: 2009-12-30
Hi, I'm having some trouble getting the SSL certificate on our IIS 6.0 site working.

I generated a CSR and got the certificate, installed it in the Certificates snap in as usual and added using the directory security tab in IIS manager like normal.

I then entered the command line command from the adminscripts folder to make SSL work with a host header where the two arguments are changed for the site:

cscript.exe adsutil.vbs set /w3svc/xxxxxxxxxx/SecureBindings ":443:secure.mysite.com"

For some reason the darn thing won't work! I even checked the internet DNS server to make sure the A record was in there for the domain and it sure is.

I've verified the certificate is installed and valid. The SecureBindings command went through just fine and says the header is added.

I'm not using a wildcard certificate, just a single common name certificate, but this should still work since I entered the secure bindings command for the matching host header.

It still won't work. Any ideas? Maybe this relates to the problem I'm having in question 22880718.

Question by:Pugglewuggle
18 Comments
 
LVL 37

Expert Comment

by:meverest
ID: 20099822
Hello,

so what do you actually mean when you say "It still won't work"?  What do you see when you try to access http://secure.mysite.com?

like, does it time out, or show you some other web site that you expected, or display an error?  if an error, what is it?

You do realise that you can only have one web site configured on port 443 for a given ip address I guess?

You should look at all the web sites on your server, and blank out the ssl port (or set to some other value) except for the one you want to use.

You may as well remove the hostname part - that is not used in this situation.
 
LVL 12

Author Comment

by:Pugglewuggle
ID: 20101253
the page errors out as if nothing was there. page cannot be found - instantaneously.

This is the only site on 443. IIS 6.0 doesn't support multiple SSL sites on 1 IP address because HTTPS doesn't do host headers... I know.

Any ideas?
 
LVL 37

Expert Comment

by:meverest
ID: 20104860
firewall?  antivirus?

try hitting the web server with a telnet client:

telnet secure.mysite.com 443

you should expect the client to connect (that is you'll see a blank screen - hit enter a few times to get some garbage response) rather than the telnet client failing to connect.

If the telnet client can't connect, then there is probably a firewall issue.

To be sure that IIS is listening, execute "netstat -a -n" and look for listening activity on port 443

Cheers.
 
LVL 12

Author Comment

by:Pugglewuggle
ID: 20104889
Yes, I am getting a connection.

I ran netstat and 443 is listening.

What's going on?
 
LVL 37

Expert Comment

by:meverest
ID: 20105007
then maybe you don't have a default document set or existing.  try accessing some explicit file, e.g. http://secure.mysite.com/index.html or something like that.

Cheers.
 
LVL 12

Author Comment

by:Pugglewuggle
ID: 20113720
This works over HTTP, but not HTTPS. Any file will work on HTTP with the subdomain "Secure" but whenever SSL is used, nothing works.
 
LVL 37

Expert Comment

by:meverest
ID: 20114067
I'm not sure that you installed the cert properly...

did you get a SERVER certificate?  (not a client cert!)

what do you see in IIS manager, right click web site, choose properties, directory security tab, then click 'view certificate'

cheers.
 
LVL 12

Author Comment

by:Pugglewuggle
ID: 20115914
Yes, I got a verisign certificate for a webserver using the CSR. I've done this at least 20 times and know how to do it. In this particular instance, however, I can't figure out what's wrong.

The certificate is installed and IIS shows it.
 
LVL 37

Expert Comment

by:meverest
ID: 20116399
OK, I'm running out of ideas.

examine the list of web sites by opening IIS manager, click on the 'web sites' node and adjust the window size so that you can see all the IP address, HTTP port and HTTPS port details.

make sure that they are all unique.

Cheers.
 
LVL 12

Author Comment

by:Pugglewuggle
ID: 20172280
I have done this and this is the case. They are all unique. I've definitely never seen this problem before....
 
LVL 37

Expert Comment

by:meverest
ID: 20173543
OK, then I suggest that you reinstall the cert by using the IIS admin GUI rather than adsutil - the hostname is not required as part of the secure bindings, and so there may be some issue in that.

Cheers!
 
LVL 12

Author Comment

by:Pugglewuggle
ID: 20173774
I just did that. Nothing happened. No difference at all. I even restarted IIS.

:(
 
LVL 37

Expert Comment

by:meverest
ID: 20174099
try downloading the IIS6 resource kit, and run the SELFSSL utility on that web site.  See if it gets your https going.  If so, then apply the real certificate using the GUI again.

cheers.
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 20462135
First, IIS 6.0 *does* support the use of SSL with Host Headers after Windows 2003 SP1 is installed as long as all the sites can be covered with one (generally wildcard) certificate.

Since this is the only site using SSL you shouldn't specify a Host Header in the SecureBindings - especially if you don't have SP1 or later installed.

Second, this statement concerns me:
"I generated a CSR and got the certificate, installed it in the Certificates snap in as usual and added using the directory security tab in IIS manager like normal."

This is not the normal procedure for installing the certificate you get back after generating a CSR from the IIS wizard.  This is how you delete the pending request and end up with a certificate with no private key.  If you view the certificate in the MMC does it say it has a private key associated with it?

Dave Dietz
 
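Added example, not code from the thread: a Python probe that separates the two layers the experts above are checking, meverest's telnet/netstat test (does TCP port 443 accept a connection at all?) and Dave's certificate question (does IIS actually complete a TLS handshake and present a server certificate?). The symptom described in the thread, port 443 listening yet HTTPS failing instantly, shows up here as a TCP connection that succeeds followed by a handshake the server aborts before any certificate is sent, which is what a binding with a certificate lacking its private key produces. The host name `secure.mysite.com` is the thread's placeholder; the verdict labels are the example's own.

```python
import socket
import ssl


def classify(stage, exc):
    """Map an exception raised at a given stage ('tcp' or 'tls') to a diagnosis label."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        # A server certificate was presented but fails the name or trust check:
        # wrong certificate on the binding, or a name mismatch with the host header.
        return "cert-rejected"
    if stage == "tcp":
        # Refused, timed out or unroutable: firewall, or nothing bound to the port
        # (compare with "netstat -a -n" on the server, as suggested in the thread).
        return "tcp-unreachable"
    if isinstance(exc, (ssl.SSLEOFError, ConnectionResetError, EOFError)):
        # TCP connected (telnet would show a blank screen) but the server dropped the
        # handshake before sending a certificate: the binding has no usable server
        # certificate, e.g. one imported without its private key.
        return "handshake-aborted"
    return "tls-error"


def probe_tls(host, port=443, timeout=5.0):
    """Connect to host:port, attempt a verified TLS handshake and report the outcome."""
    stage = "tcp"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            stage = "tls"
            ctx = ssl.create_default_context()  # chain and hostname checks, as a browser does
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                subject = dict(pair[0] for pair in tls.getpeercert()["subject"])
                return {"stage": "ok", "verdict": "ok", "protocol": tls.version(),
                        "subject": subject.get("commonName"), "detail": ""}
    except Exception as exc:  # every failure is turned into a verdict rather than a traceback
        return {"stage": stage, "verdict": classify(stage, exc), "protocol": None,
                "subject": None, "detail": repr(exc)}


if __name__ == "__main__":
    import sys
    # Placeholder host from the thread; pass a real name on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "secure.mysite.com"
    print(probe_tls(target))
```

A "handshake-aborted" verdict with a "tcp-unreachable"-free path is the case to investigate in the certificate store rather than the firewall.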
LVL 12

Accepted Solution

by:Pugglewuggle (earned 0 total points)
ID: 20462895
Hi Dave, thanks so much for responding after so long! I had read somewhere that that was the case but it could be circumvented...

The certificate does have a CSR associated with it, yes. The certificate is from a public CA and is correctly installed.

I was just thinking (and I have NO idea why this did not occur to me before) but is the correct way to setup a subdomain with a secure certificate to create the subdomain as a separate site in IIS, generate a CSR with THAT site and then rekey the certificate, install it, and then create a virtual directory in that site (the subdomain site) that links to the global resources folder in the main site?

Thus I would actually create a separate site : secure.whatever.tld
and install a certificate there (adding a VD to that site in IIS manager that links to the global folder in the main site).

Am I thinking in the right direction? Is this the way to do it? Is this how you'd do it?

P.S. Can't wait for Server 2008 and the native SSL host header support!

Thanks so much for responding!
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 20462960
Your architecture sounds valid and should work.  I can't think of any more straightforward way to go about it.

As far as it being the 'correct' way, any way that works is correct.  :-)

Dave Dietz
 
LVL 12

Author Comment

by:Pugglewuggle
ID: 20463127
Sweet! I got it all setup and it works already.

Hey though... I have another question you worked on a bit a few months ago that still hasn't been resolved... it's kind of annoying... check it out again. The question is 22880718.

I CANNOT get the host header for the main domain on the server setup with the IP address. Well, I set it up but NO MATTER WHAT when you browse to the server via the IP address (even though there's a host header in there for it) you get the Bad Request (Invalid Hostname) error. >:(

Thanks for the help on this one though!
 
LVL 12

Author Comment

by:Pugglewuggle
ID: 20463145
Hey Dave -- one more question on this one -- how would YOU do that as far as the SSL/subdomain goes (completely disregarding what I did)? You're the expert, I want to learn from you.