C# SSL IIS7 Problem

I created and installed a public SSL certificate for one of my websites in IIS7. I now have the problem that other websites are redirected to it if anyone tries those domains with https://. This is extremely bad and forces me to remove the SSL until I find a solution.

Please help me with this.

First I thought I could programmatically redirect the visitors in Global.asax, but the SSL is of course checked before any website application code runs.
meverest Commented:

OK, so I think you are clarifying what I originally thought you meant.


>> But now, I want to add SSL / https to www.domain3.com

Straight out, no ifs, no buts: you CAN NOT do it. SSL certs are locked to the domain -> *.domain.com, and only one cert can be applied to one IP address (and port, i.e. 443).

You can do it with SUBDOMAINS (www.domain1.com, domain2.domain1.com, domain3.domain1.com, ...).

You can do it with different ports, e.g. https://www.domain1.com, https://www.domain2.com:444, https://www.domain3.com:445, ...

but you can't do it otherwise.

>> I also force http users redirected into https if they try to visit http (global.asax).

in which case you may like to include the port (444, 445, etc. as above) in the redirect.

>> I'm not concerned that users see a warning message.

Then you can still use my original scheme to work around this.

If a user tries to access https://www.domain2.com, they get the error message. Those who dare to continue will be redirected to http://www.domain2.com, and if you have your redirection forcing SSL, then force them to https://www.domain2.com:444 - all good.

So the result will be that an error is displayed ONLY when someone intentionally (manually, by hand) enters https://www.domain2.com into the web browser (i.e. without the :444 on the end), and even then the correct site is displayed in the end - they should never see the http://www.domain1.com content (or only for a split second, if at all).

>> Verrrryyy poooor design......

Are you referring to the web server design? It's not a software issue - it's a protocol limitation, for all the reasons (catch-22) that I explained above. It is therefore a limitation shared by /all/ web server implementations, not just IIS.

IIS can only listen on 1 IP address per SSL certificate. So you need to put all your non-SSL websites on a different IP address.

dingirAuthor Commented:
I know, but how? And where are the workarounds?
This is a VPS. I don't know about IP addresses here.

There isn't any workaround that I know of.

You simply need to get another public IP address from your ISP and assign it to your server.
You then need to reconfigure DNS for the websites you want to use the new IP.
Then configure IIS to use the new IP address (for the websites you want on the new IP).

In IIS7 you have to select the server name, go to Server Certificates and install the certificate. Then select the website, go to Bindings, select https and select the certificate there. In this way you can bind https only to the websites you require.
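The same "install the certificate, then add an https binding to the chosen site" steps, done with the IIS 7 management API instead of the IIS Manager UI, plus the alternative-port variant from the accepted answer. This is an added example, not code from this thread or from any of its participants; the site names ("domain3", "domain2"), the port 444 and the thumbprint strings are placeholders that you would replace with your own.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Web.Administration; // IIS 7 management API, %windir%\System32\inetsrv\Microsoft.Web.Administration.dll

// Added example, not code from this thread. Site names, ports and thumbprints are
// placeholders (assumptions).
static class SslBindings
{
    // Look the certificate up by thumbprint (exact match). FindBySubjectName does a
    // substring match and can pick the wrong certificate on a multi-site server.
    static X509Certificate2 FindByThumbprint(string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection hits =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (hits.Count != 1)
                throw new InvalidOperationException("expected exactly one certificate with thumbprint " + thumbprint);
            return hits[0];
        }
        finally
        {
            store.Close();
        }
    }

    // Bind one certificate to one IP:port for one site. HTTP.sys keys the certificate
    // on the IP:port alone (the Host header is still encrypted at that point, as the
    // thread explains), so two sites cannot share *:443 with different certificates.
    // The host header part of the binding is left empty for the same reason: it plays
    // no part in choosing the certificate.
    static void AddHttpsBinding(ServerManager mgr, string siteName, int port, string thumbprint)
    {
        Site site = mgr.Sites[siteName];
        if (site == null)
            throw new ArgumentException("no such IIS site: " + siteName);

        X509Certificate2 cert = FindByThumbprint(thumbprint);

        // Binding information is "ip:port:hostheader"; "*" means all addresses.
        string bindingInformation = "*:" + port + ":";
        site.Bindings.Add(bindingInformation, cert.GetCertHash(), "My");
    }

    static void Main()
    {
        using (ServerManager mgr = new ServerManager())
        {
            // The site that owns the certificate on the default port.
            AddHttpsBinding(mgr, "domain3", 443, "THUMBPRINT-OF-WWW-DOMAIN3-COM-CERT");

            // A second site with its own certificate on a non-default port, as the
            // accepted answer suggests; visitors must use https://www.domain2.com:444.
            AddHttpsBinding(mgr, "domain2", 444, "THUMBPRINT-OF-WWW-DOMAIN2-COM-CERT");

            mgr.CommitChanges();
        }
    }
}
```

Run it elevated: CommitChanges() writes applicationHost.config and registers the certificates with HTTP.sys. The thumbprint is the hex string on the certificate's Details tab with the spaces removed. Note what this does not change: a browser that opens https://www.domain1.com still lands on the *:443 binding and is shown the www.domain3.com certificate, exactly as the thread describes.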
dingirAuthor Commented:
Thanks for the reply. It's super clear how I install the certificates; however, the one and only cert will affect all domains if they are visited with https.

I feel there is no workaround. I read something about SSL host headers that are per-site based, but can't find correct or enough information about it.

I feel that's a very uncomfortable scenario. Just as I can force a website to use SSL / 128 bit, I must also be able to FORCE a website not to use SSL, so if it is visited with https and doesn't correspond to the certificate's URL, just bring it down to the http scheme or drop the connection. Why not?
Then probably you are running all your sites IP based; try configuring the sites with host-based configurations.

Did you create all your websites under the default website as virtual directories?
dingirAuthor Commented:
The answer is no to your second question.

What do you mean by host based?
dingirAuthor Commented:
No more info about this?

The only way that I can think of that will hide the SSL site when someone uses a hostname that is used by a different site is to test for the hostname on every page (like in a global.asa type script) and then redirect if it is not the hostname intended for that site, something like:

<script type="text/javascript">
  // Runs before the page renders: if this SSL site was reached under another site's
  // hostname, bounce the visitor to that hostname over plain http, keeping the path.
  if (window.location.hostname != 'www.mysslsite.com') {
    window.location.href = 'http://' + window.location.hostname
                         + window.location.pathname + window.location.search;
  }
</script>

Add this code to the top of EVERY page in www.mysslsite.com, and then if someone happens to load it as (for example) https://www.othersite.com, they will automatically jump to http://www.othersite.com.

You might even be able to do it with an ISAPI redirect like isapiRewrite or the IIS URL Rewrite module, which would let you do it without JavaScript (and without needing to modify every page), but a) I'm not sure if it will work, and b) it is easier to do with JavaScript if you have a global script you can stick it into!
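The server-side version of both ideas in this thread: the per-page hostname check above, and the accepted answer's scheme of bouncing a wrong-host https request back to http and forcing visitors of a site with its own https port (www.domain2.com:444) onto that port. This is an added example in Global.asax.cs, not code from the thread or its participants. The hostnames, the port 444 and the site layout in the table are assumptions. It runs only after the browser has already accepted the mismatched certificate; nothing here suppresses that warning, which, as the thread says, is decided by the client.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Added example, not code from this thread. Hostnames and ports are placeholders
// (assumptions). Drop into Global.asax.cs of each site; the same table works in all
// of them, since only the site holding *:443 ever sees foreign Host headers.
public class Global : HttpApplication
{
    // Assumed layout: www.domain3.com owns the certificate on 443, www.domain2.com has
    // its own certificate bound on 444, the other two sites are http-only (port 0).
    // Only hosts listed here are ever echoed into a redirect.
    static readonly Dictionary<string, int> HttpsPortByHost =
        new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase)
        {
            { "www.domain3.com", 443 },
            { "www.domain2.com", 444 },
            { "www.domain1.com", 0 },
            { "www.domain4.com", 0 },
        };

    // The URL the visitor should be sent to, or null when the request already uses the
    // right scheme and port for its Host header (or the host is unknown; see below).
    public static string RedirectTarget(Uri requestUrl)
    {
        int httpsPort;
        if (!HttpsPortByHost.TryGetValue(requestUrl.Host, out httpsPort))
            return null;

        bool secure = requestUrl.Scheme == Uri.UriSchemeHttps;
        bool hasHttps = httpsPort != 0;

        if (secure && hasHttps && requestUrl.Port == httpsPort)
            return null;            // https on this host's own port: correct as-is
        if (!secure && !hasHttps)
            return null;            // http-only site reached over http: correct as-is

        // Wrong scheme or wrong port for this host: same path and query, right scheme/port.
        // e.g. https://www.domain2.com/a?x=1 (hit *:443) -> https://www.domain2.com:444/a?x=1
        //      https://www.domain4.com/b            -> http://www.domain4.com/b
        //      http://www.domain3.com/              -> https://www.domain3.com/
        return hasHttps
            ? BuildUrl(Uri.UriSchemeHttps, requestUrl.Host, httpsPort, requestUrl.PathAndQuery)
            : BuildUrl(Uri.UriSchemeHttp, requestUrl.Host, 80, requestUrl.PathAndQuery);
    }

    static string BuildUrl(string scheme, string host, int port, string pathAndQuery)
    {
        int defaultPort = scheme == Uri.UriSchemeHttps ? 443 : 80;
        string portPart = port == defaultPort ? "" : ":" + port;
        return scheme + "://" + host + portPart + pathAndQuery;
    }

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        // On an IP-only 443 binding every Host value reaches this application, so an
        // unknown one is refused rather than turned into an open redirect.
        if (!HttpsPortByHost.ContainsKey(Request.Url.Host))
        {
            Response.StatusCode = 400;
            CompleteRequest();
            return;
        }

        string target = RedirectTarget(Request.Url);
        if (target != null)
        {
            Response.Redirect(target, false);   // 302; false = do not abort the worker thread
            CompleteRequest();
        }
    }
}
```

The Host header is attacker-controlled on a binding without a host header, so the allow-list is what keeps this from redirecting to arbitrary hosts; add every hostname you serve, including bare-domain aliases. Links and bookmarks to the port-444 site must carry the port, as the accepted answer notes; this code only repairs requests that arrive without it.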

dingirAuthor Commented:

I tried the global, but the IIS website content isn't loaded at all at the time of checking the SSL state. It checks the validity and then redirects to the URL of the SSL certificate.

Maybe a wildcard SSL could be used, referring the user to a subdomain of the SSL certificate and redirecting from there...

I feel all this amounts to: you need your own IP for each SSL site and non-SSL site if using IIS.

>> I tried the global, but the IIS website content isn't loaded at all at the time of checking the SSL state. It checks the validity and then redirects to the URL of the SSL certificate.

Oh... right - I didn't understand what you meant by this:

>> redirect the visitors by Global.Asax, but the SSL is of course being checked before any website-application-code are running.

until now - I understand now that you are concerned that the end user sees a message that the certificate does not match the domain, right? But if the SSL site is not relevant to the site that the user is attempting to access, does it really matter? The only way that a user will see that message is if they accidentally (or intentionally!) enter https://someothersite instead of http... So if there is no https site for that site, why do you care that it shows a message?

And now I also agree with previous comments of other experts (sorry all, for missing the POINT! ;-)

There is no way that you can avoid that warning. Reason: that warning is a function of the client browser, and the server side has absolutely no bearing on that behaviour.

Always remember this about SSL and host headers:

When the SSL connection is made, the session is encrypted. The host header (i.e. which web site hostname is requested) is also encrypted. The server must first decrypt the content to discover which web site to load. But the server must select a certificate to decrypt the content. Catch-22: how can the server select which certificate if it doesn't yet know what host header is in the request? Answer: it can only select the certificate based on the IP address and port that it receives the connection on, because that is the only detail 'in the clear' (other than the CLIENT IP address and port, of course).

So when a client sends an (encrypted) request for https://www.site1.com and gets a reply from the server saying 'this is the encryption key for https://www.site2.com', the browser baulks with what is essentially "HEY! I want to access site1, but this server says it is site2! Something dodgy is going on here!" ;-)

Sorry, but sometimes the 'correct' answer to a question like "how can i..." is quite simply "you can't" :-}

Wildcard SSL - YES, you can do that, but all web sites must share a common domain, like www.site1.com, site2.site1.com, site3.site1.com, ...

in which case you can do normal host header assignment using IIS bindings:


dingirAuthor Commented:

Thanks. A lot of info. Both interesting, and also some that isn't fully correctly understood.

I'm not concerned that users see a warning message.

I have an iis with several standard http websites


But now, I want to add SSL / https to www.domain3.com,

which makes domain3.com work with SSL.
I also force http users to be redirected to https if they try to visit http (global.asax).

The problem IS that when SSL exists, users (without any knowledge of the existence of https://www.domain3.com) WILL try https://www.domain1.com, https://www.domain2.com and https://www.domain4.com.

They receive the error message and think "what the hell, is this place unsafe?". Some of them who dare to continue will land on the IIS website that has the SSL certificate attached. Which means the WRONG site. They visit domain4.com and land on domain3.com.

Verrrryyy poooor design......