Solved

Installing 2 SSL Certificates on IIS6, 2 sites, both show the same Cert

Posted on 2010-09-13
1,168 Views
Last Modified: 2012-05-10
Hi Experts,

Scenario: Win2k3 server with IIS6 has about 50 sites running on it.  1 site has had an SSL cert running for a while, no problems.  Just added a new cert for a different IIS website and even though they are both assigned to different IP addresses, the 2nd site seems to be attached to the 1st site's SSL cert ???  

Any clues as to what we're doing wrong, much appreciated.
Question by:jammy-d0dger
27 Comments
 
LVL 30

Expert Comment

by:Brad Howe
ID: 33661517
Hi,

Did you set both sites up to use host headers and statically assign the IP Addresses? It sounds like you are using unassigned and no host headers.

1. Open IIS Manager.
2. Right click on the 1st website.
3. Select Properties, then WebSite Tab.
4. Under Web Site Identification, set IP as 1st IP. Don't leave unassigned.
5. Under Web Site Identification, click Advanced
6. Under Multiple Identities, click ADD.
7. Set IP as 1st IP, TCP port as 80, and host header as your.domain.com
8. Set IP as 1st IP, TCP port as 443, and host header as your.domain.com

Repeat steps for Website2 using the 2nd IP.

Let us know if this works out.
-Hades666
0
 

Author Comment

by:jammy-d0dger
ID: 33661598
thanks for suggestion.  I have done exactly as you suggest.  However, as soon as I set the 1st site to one of the other IP addresses, IIS stops serving the site and gives the 'Bad Request or Invalid Hostname' error!  If I switch back to 'All Unassigned' the site starts working again.  For the sake of clarity I have uninstalled the 2nd site's Cert for now until we can get one site running on an assigned IP.  What do you reckon?
One other thing is that I have just noticed that if we browse to any host header of any of the other websites on the server, using https:// it redirects to the site with the cert installed!  Even though the website in question just has two host headers assigned correctly.
We're doing this perfectly well on another server, 2 sites, 2 SSL certs, both on assigned IPs, however the only difference is that they are the only 2 sites on that box.
0
 
LVL 30

Expert Comment

by:Brad Howe
ID: 33661730
Hi,
Could you do the following for me.
Open CMD and type the following: "IISWeb /query /s YOURSERVERNAME >> C:\Location-to-save\IIS_config.txt"
This will enumerate all your sites. Then modify the IIS_config to mask your domain using find/replace and upload it here.
Thank you,
Hades666
0
 

Author Comment

by:jammy-d0dger
ID: 33662127
I've exported for the offending site...
iis-config.txt
0
 
LVL 30

Expert Comment

by:Brad Howe
ID: 33662159
It is not the site I need. I want to see your bindings. - Hades666
0
 

Author Comment

by:jammy-d0dger
ID: 33662299
ok, if I run your command line suggestion, I get "This Script does not work with WScript", which is followed by "Would you like to register CScript as your default host for VBScript?"
Is this advisable to do?  And will cause any conflicts that you know of?  This is a live webserver (gulp).
0
 
LVL 30

Expert Comment

by:Brad Howe
ID: 33662377
Hi,
cscript and wscript are just script hosts. This is no issue here.
To Change the Default Script Host
On initial installation of Windows Script Host, the default script host is WScript. To change it to CScript, type the following at a command line.
cscript //h:cscript

To change the default host from CScript to WScript, type the following at a command line.
cscript //h:wscript  
Cheers, Hades666
0
 

Author Comment

by:jammy-d0dger
ID: 33662501
OK, appreciate that you're trying to help, I have run that script but it has over 50 sites listed and I would rather not upload that list for obvious reasons, and a search/replace will take forever, but I can tell you that every site listed has:
IP: ALL
Port: 80
Except for Administration which is on 8099.
 
0
 

Author Comment

by:jammy-d0dger
ID: 33662516
BTW: I searched for 443 as a string and it doesn't appear in the file.  Is that normal?
0
 

Author Comment

by:jammy-d0dger
ID: 33662536
If I set the site in question to an assigned IP, it does show up as such in the list, (192.168.3.99), default IP is 192.168.3.100
however, as mentioned above, the site then stops working with 'Bad Request or Invalid Hostname' until switched back to 'ALL'
0
 
LVL 30

Expert Comment

by:Brad Howe
ID: 33662603
what is your DNS set to?
Open CMD and type "nslookup your.domain.com"
Does it return 192.168.3.99?
Hades666
0
 

Author Comment

by:jammy-d0dger
ID: 33662690
no, it returns the external facing public IP.  We have one external IP being forwarded by our firewalls to the 2 internal IPs on the 3.xx range.
I did think this might be a problem, but the other server I mentioned earlier works fine with this configuration.
Out of interest, would it be worth putting a HOSTS entry in for the domain, with 192.168.3.99 ?
One other thought, if I'm setting one site to an assigned IP in IIS, does this mean I should be setting all the other sites to the other, default IP, or is it ok to leave them all as 'All Unassigned' ?
0
 

Author Comment

by:jammy-d0dger
ID: 33662739
actually scratch that, sorry I misread it.  the IP shown is the DNS server IP, as expected, but there is no IP returned under Name: mydomain.uk
Er, that's weird.
0
 

Author Comment

by:jammy-d0dger
ID: 33662761
ok, sorry, I'm confusing the issue here, I looked up without the www. prefix and it seems the client doesn't have the A record in place for that.  So, back to where I was before, it returns the external public IP of the server.
0
 
LVL 30

Expert Comment

by:Brad Howe
ID: 33662774
AH!!! That is the issue, you can't do that. SSL requires a unique IP / host on the same port. In this case you would need to change the default port from 443 to 446 or something else.
See your last question.
-Hades666
0
 
LVL 30

Accepted Solution

by:
Brad Howe earned 500 total points
ID: 33662822

You can have one SSL cert / IP address & port combination. So
https://www.domain1.com
https://www.domain2.com:444
https://www.domain3.com:445

is valid.

https://www.domain1.com
https://www.domain2.com

is not valid.

* This would require 2 external IP Addresses as well as 2 internal IP Addresses OR a wildcard cert with SSL Host headers as described in your latest question :). However, if :444 and :445 are not supposed to be in the domain name, then you need additional external IP addresses.

-Hades666
0
 

Author Comment

by:jammy-d0dger
ID: 33662911
AHHHHHHHHHHHHHH, gotcha.  Just checked on the other server where it's working fine and Yes, we have two external IPs being redirected to the same server, with 2 internal IPs assigned to the NIC Team.  Brilliant, that makes total sense.  I am now off to kill my systems manager because I asked him that question on Friday and he swore blind we only needed 2 internal IPs.
If you're reading this, (and you know who you are), from your on-site location, prepare for painful death when you return!
Hades666, thanks a bunch for the help/solution.  If you don't mind, I will just wait until we get the external IP assigned and test this is the solution before I close the Q.  But, I'm pretty sure it will be.
0
 
LVL 30

Expert Comment

by:Brad Howe
ID: 33662940
no worries, Keep it open and I'll help configure if you have issues. - Hades666
0
 

Author Comment

by:jammy-d0dger
ID: 33663076
Presumably if we switched to a wildcard cert, we would lose the domain verification element of the cert?   Or do you return to the issuing body, (GoDaddy/Starfield), each time you want to add a new domain and get the wildcard cert updated?
0
 
LVL 30

Expert Comment

by:Brad Howe
ID: 33663135
wildcard is *.domain.com. Using the wildcard notation (an asterisk and period before your domain name) allows you to extend security to different subdomains based on your top-level domain name.
UCC/SAN is domain.com domain2.com site1.com etc... using Subject Alt Names meaning you can add multiple domains to a cert. If you need to update it, you contact your vendor, ask for an update and then re-apply the cert.
If the domain names are separate, you could use a UCC certificate from GoDaddy and then assign using SSL host headers.
Everything is about the host headers or bindings. :)
-Hades666
0
 

Author Comment

by:jammy-d0dger
ID: 33663174
Nice one, yes, I meant the UCC/SAN option in my question, but used the wrong terminology... clearly! :)  That makes sense, to have to re-issue the cert each time...  I was wondering how it worked and that seemed the only logical answer.
0
 

Author Comment

by:jammy-d0dger
ID: 33663576
Hopefully the last question:
We should be able to use 2 IP's correct?  
IP#1 for the 1st SSL site and all the other Port 80 sites.  
IP#2 for the 2nd SSL site.
0
 
LVL 30

Expert Comment

by:Brad Howe
ID: 33663650

Yes, that will work.  BUT you will see the following

IP 1 all using host headers
   http://domain1.com
   http://domain2.com
   http://domain3.com
   http(s)://domain4.com

IP 2 all using host headers
   http(s)://domain4.com

Now if a user goes to https://domain1.com, the site will load with a certificate error but the content of domain4.com. This is because HTTP is loaded first. See your latest SSL question.

Cheers,
Hades666
0
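The binding rule in the accepted solution (one certificate per IP address and port) and the "certificate error but domain4's content" outcome described in this answer both follow from the same fact: on IIS 6, the certificate is chosen before the server can see any host header. The script below is an added illustration, not code from the thread or from IIS; it is a simplified model of that resolution, with the site layouts (IPs, host names, certificate subjects) constructed from the thread's description. The `audit` helper shows the check a defender would run on such a layout: for every host name bound under a given IP and port, confirm that the certificate actually presented matches it.

```python
"""Simplified model of IIS 6 (pre-SNI) site-binding resolution.

HTTP requests can be matched on IP, port AND host header. HTTPS requests
must be matched on IP and port alone, because the host header is inside the
encrypted stream and the certificate is handed out before it is readable.
So all host names sharing one IP:443 get whichever site is listed first.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ALL_UNASSIGNED = "*"                       # IIS "(All Unassigned)"
IP1, IP2 = "192.168.3.100", "192.168.3.99"  # internal IPs named in the thread


@dataclass(frozen=True)
class Binding:
    ip: str            # a specific IP or ALL_UNASSIGNED
    port: int
    host: str = ""     # host header; "" matches any host
    secure: bool = False


@dataclass
class Site:
    name: str
    cert: Optional[str] = None   # subject name on the site's certificate
    bindings: List[Binding] = field(default_factory=list)


def resolve(sites: List[Site], dest_ip: str, port: int, host: str, tls: bool) -> Optional[Site]:
    """Return the site IIS 6 would serve for a request, or None if nothing listens."""
    candidates = [(s, b) for s in sites for b in s.bindings
                  if b.secure == tls and b.port == port and b.ip in (dest_ip, ALL_UNASSIGNED)]
    if tls:
        # No host header is available yet: the first site on this IP:port wins.
        return candidates[0][0] if candidates else None
    for s, b in candidates:            # HTTP: exact host header first ...
        if b.host.lower() == host.lower():
            return s
    for s, b in candidates:            # ... then a binding that accepts any host
        if b.host == "":
            return s
    return None


def https_outcome(sites: List[Site], dest_ip: str, port: int, host: str) -> Tuple[Optional[str], Optional[str], bool]:
    """(site served, certificate presented, whether that certificate matches the typed host)."""
    site = resolve(sites, dest_ip, port, host, tls=True)
    if site is None:
        return None, None, False
    return site.name, site.cert, site.cert is not None and site.cert.lower() == host.lower()


def audit(sites: List[Site], dest_ip: str, port: int = 443) -> List[Tuple[str, str, Optional[str]]]:
    """Every SSL host name bound under dest_ip:port that would NOT get its own certificate."""
    findings = []
    for s in sites:
        for b in s.bindings:
            if b.secure and b.port == port and b.ip in (dest_ip, ALL_UNASSIGNED):
                name, cert, ok = https_outcome(sites, dest_ip, port, b.host)
                if not ok:
                    findings.append((b.host, name, cert))
    return findings


# Constructed layouts (assumed names; not taken from any real server).
def broken_layout() -> List[Site]:
    """The questioner's starting point: both SSL sites on (All Unassigned):443."""
    return [
        Site("site1", cert="www.domain1.com", bindings=[
            Binding(ALL_UNASSIGNED, 80, "www.domain1.com"),
            Binding(ALL_UNASSIGNED, 443, "www.domain1.com", secure=True)]),
        Site("site2", cert="www.domain2.com", bindings=[
            Binding(ALL_UNASSIGNED, 80, "www.domain2.com"),
            Binding(ALL_UNASSIGNED, 443, "www.domain2.com", secure=True)]),
    ]


def accepted_layout() -> List[Site]:
    """The layout from the accepted answer: one SSL site per IP:443."""
    return [
        Site("domain1", bindings=[Binding(IP1, 80, "domain1.com")]),
        Site("domain2", bindings=[Binding(IP1, 80, "domain2.com")]),
        Site("domain3", bindings=[Binding(IP1, 80, "domain3.com")]),
        Site("domain4", cert="domain4.com", bindings=[
            Binding(IP1, 80, "domain4.com"), Binding(IP1, 443, "domain4.com", secure=True)]),
        Site("domain5", cert="domain5.com", bindings=[
            Binding(IP2, 80, "domain5.com"), Binding(IP2, 443, "domain5.com", secure=True)]),
    ]


def port_layout() -> List[Site]:
    """The single-IP alternative from the accepted answer: a distinct port per certificate."""
    return [
        Site("domain1", cert="www.domain1.com", bindings=[Binding(IP1, 443, "www.domain1.com", secure=True)]),
        Site("domain2", cert="www.domain2.com", bindings=[Binding(IP1, 444, "www.domain2.com", secure=True)]),
    ]


if __name__ == "__main__":
    print("broken :", https_outcome(broken_layout(), IP1, 443, "www.domain2.com"))
    print("fixed  :", https_outcome(accepted_layout(), IP2, 443, "domain5.com"))
    print("audit  :", audit(broken_layout(), IP1), audit(accepted_layout(), IP1))
```

Running it reproduces the thread: in the starting layout any https request to the server's address, whatever name was typed, lands on site1 with site1's certificate, and `audit` flags www.domain2.com; in the accepted layout each IP:443 carries exactly one certificate, so the audit is clean, while https://domain1.com (which only has a port-80 binding) still reaches domain4's content with a mismatched certificate, exactly as the answer warns.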
 

Author Comment

by:jammy-d0dger
ID: 33663669
yep, got that, perfectly explained. Nice one.
0
 
LVL 30

Expert Comment

by:Brad Howe
ID: 33663748
And this was a typo.
IP 2 all using host headers
   http(s)://domain4.com
SHOULD BE
IP 2 all using host headers
   http(s)://domain5.com
0
 

Author Comment

by:jammy-d0dger
ID: 33663769
HA, yeah, I 'read' it in my mind correctly and totally missed the typo.  I knew what you meant. :)
0
 

Author Comment

by:jammy-d0dger
ID: 33699882
All installed with extra public IP, works perfectly.  Thanks very much for all your help.
0