Solved

Installing 2 SSL Certificates on IIS6, 2 sites, both show the same Cert

Posted on 2010-09-13
Last Modified: 2012-05-10
Hi Experts,

Scenario: Win2k3 server with IIS6 has about 50 sites running on it.  1 site has had an SSL cert running for a while, no problems.  Just added a new cert for a different IIS website and even though they are both assigned to different IP addresses, the 2nd site seems to be attached to the 1st site's SSL cert ???  

Any clues as to what we're doing wrong, much appreciated.
Question by:jammy-d0dger
27 Comments
 
LVL 30

Expert Comment

by:Brad Howe
ID: 33661517
Hi,

Did you set both sites up to use host headers and statically assign the IP addresses? It sounds like you are using unassigned and no host headers.

1. Open IIS Manager.
2. Right click on the 1st website.
3. Select Properties, then WebSite Tab.
4. Under Web Site Identification, set IP as 1st IP. Don't leave unassigned.
5. Under Web Site Identification, click Advanced
6. Under Multiple Identities, click ADD.
7. Set IP as 1st IP, TCP port as 80, and host header as your.domain.com
8. Set IP as 1st IP, TCP port as 443, and host header as your.domain.com

Repeat steps for Website2 using the 2nd IP.

Let us know if this works out.
-Hades666
 

Author Comment

by:jammy-d0dger
ID: 33661598
thanks for suggestion.  I have done exactly as you suggest.  However, as soon as I set the 1st site to one of the other IP addresses, IIS stops serving the site and gives the 'Bad Request or Invalid Hostname' error!  If I switch back to 'All Unassigned' the site starts working again.  For the sake of clarity I have uninstalled the 2nd site's Cert for now until we can get one site running on an assigned IP.  What do you reckon?
One other thing is that I have just noticed that if we browse to any host header of any of the other websites on the server, using https:// it redirects to the site with the cert installed!  Even though the website in question just has two host headers assigned correctly.
We're doing this perfectly well on another server, 2 sites, 2 SSL certs, both on assigned IPs, however the only difference is that they are the only 2 sites on that box.
 
LVL 30

Expert Comment

by:Brad Howe
ID: 33661730
Hi,
Could you do the following for me.
Open CMD and type the following: "IISWeb /query /s YOURSERVERNAME >> C:\Location-to-save\IIS_config.txt"
This will enumerate all your sites. Then modify the IIS_config to mask your domain using find/replace and upload it here.
Thank you,
Hades666
 

Author Comment

by:jammy-d0dger
ID: 33662127
I've exported for the offending site...
iis-config.txt
 
LVL 30

Expert Comment

by:Brad Howe
ID: 33662159
It is not the site i need. I want to see your bindings. - Hades666
 

Author Comment

by:jammy-d0dger
ID: 33662299
ok, if I run your command line suggestion, I get "This Script does not work with WScript", which is followed by "Would you like to register CScript as your default host for VBScript?"
Is this advisable to do?  And will it cause any conflicts that you know of?  This is a live webserver (gulp).
 
LVL 30

Expert Comment

by:Brad Howe
ID: 33662377
Hi,
cscript and wscript are just script shells. This is no issue here.
To Change the Default Script Host
On initial installation of Windows Script Host, the default script host is WScript. To change it to CScript, type the following at a command line.
cscript //h:cscript

To change the default host from CScript to WScript, type the following at a command line.
cscript //h:wscript  
Cheers, Hades666
 

Author Comment

by:jammy-d0dger
ID: 33662501
OK, appreciate that you're trying to help, I have run that script but it has over 50 sites listed and I would rather not upload that list for obvious reasons, and a search/replace will take forever, but I can tell you that every site listed has:
IP: ALL
Port: 80
Except for Administration which is on 8099.
 
 

Author Comment

by:jammy-d0dger
ID: 33662516
BTW: I searched for 443 as a string and it doesn't appear in the file.  Is that normal?
 

Author Comment

by:jammy-d0dger
ID: 33662536
If I set the site in question to an assigned IP, it does show up as such in the list, (192.168.3.99), default IP is 192.168.3.100
however, as mentioned above, the site then stops working with 'Bad Request or Invalid Hostname' until switched back to 'ALL'
 
LVL 30

Expert Comment

by:Brad Howe
ID: 33662603
what is your DNS set to?
Open CMD and type "nslookup your.domain.com"
Does it return 192.168.3.99?
Hades666
 

Author Comment

by:jammy-d0dger
ID: 33662690
no, it returns the external facing public IP.  We have one external IP being forwarded by our firewalls to the 2 internal IPs on the 3.xx range.
I did think this might be a problem, but the other server I mentioned earlier works fine with this configuration.
Out of interest, would it be worth putting a HOSTS entry in for the domain, with 192.168.3.99 ?
One other thought, if I'm setting one site to an assigned IP in IIS, does this mean I should be setting all the other sites to the other, default IP, or is it ok to leave them all as 'All Unassigned' ?
 

Author Comment

by:jammy-d0dger
ID: 33662739
actually scratch that, sorry I misread it.  the IP shown is the DNS server IP, as expected, but there is no IP returned under Name: mydomain.uk
Er, that's weird.
 

Author Comment

by:jammy-d0dger
ID: 33662761
ok, sorry, I'm confusing the issue here, I looked up without the www. prefix and it seems the client doesn't have the A record in place for that.  So, back to where I was before, it returns the external public IP of the server.
 
LVL 30

Expert Comment

by:Brad Howe
ID: 33662774
AH!!! That is the issue, you can't do that. SSL requires a unique IP / host on the same port. In this case you would need to change the default port from 443 to 446 or something else.
See your last question.
-Hades666
 
LVL 30

Accepted Solution

by:Brad Howe (earned 2000 total points)
ID: 33662822

You can have one SSL cert / IP address & port combination. So
https://www.domain1.com 
https://www.domain2.com:444
https://www.domain3.com:445

is valid.

https://www.domain1.com
https://www.domain2.com

is not valid.

* This would require 2 external IP Addresses as well as 2 internal IP Addresses OR a wildcard cert with SSL Host headers as described in your latest question :). However, if :444 and :445 are not supposed to be in the domain name, then you need additional external IP addresses.

-Hades666
 

Author Comment

by:jammy-d0dger
ID: 33662911
AHHHHHHHHHHHHHH, gotcha.  Just checked on the other server where it's working fine and Yes, we have two external IPs being redirected to the same server, with 2 internal IPs assigned to the NIC Team.  Brilliant, that makes total sense.  I am now off to kill my systems manager because I asked him that question on Friday and he swore blind we only needed 2 internal IPs.
If you're reading this, (and you know who you are), from your on-site location, prepare for painful death when you return!
Hades666, thanks a bunch for the help/solution.  If you don't mind, I will just wait until we get the external IP assigned and test this is the solution before I close the Q.  But, I'm pretty sure it will be.
 
LVL 30

Expert Comment

by:Brad Howe
ID: 33662940
no worries, Keep it open and I'll help configure if you have issues. - Hades666
 

Author Comment

by:jammy-d0dger
ID: 33663076
Presumably if we switched to a wildcard cert, we would lose the domain verification element of the cert?   Or do you return to the issuing body, (GoDaddy/Starfield), each time you want to add a new domain and get the wildcard cert updated?
 
LVL 30

Expert Comment

by:Brad Howe
ID: 33663135
wildcard is *.domain.com. Using the wildcard notation (an asterisk and period before your domain name) allows you to extend security to different subdomains based on your top-level domain name.
UCC/SAN is domain.com domain2.com site1.com etc... using Subject Alt Names meaning you can add multiple domains to a cert. If you need to update it, you contact your vendor, ask for an update and then re-apply the cert.
If the domain names are separate, you could use a UCC certificate from GoDaddy and then assign using SSL host headers.
Everything is about the host headers or bindings. :)
-Hades666
 

Author Comment

by:jammy-d0dger
ID: 33663174
Nice one, yes, I meant the UCC/SAN option in my question, but used the wrong terminology... clearly! :)  That makes sense, to have to re-issue the cert each time...  I was wondering how it worked and that seemed the only logical answer.
 

Author Comment

by:jammy-d0dger
ID: 33663576
Hopefully the last question:
We should be able to use 2 IP's correct?  
IP#1 for the 1st SSL site and all the other Port 80 sites.  
IP#2 for the 2nd SSL site.
 
LVL 30

Expert Comment

by:Brad Howe
ID: 33663650

Yes, that will work.  BUT you will see the following

IP 1 all using host headers
   http://domain1.com
   http://domain2.com
   http://domain3.com
   http(s)://domain4.com

IP 2 all using host headers
   http(s)://domain4.com

Now if a user goes to https://domain1.com, the site will load with a certificate error but the content of domain4.com. This is because HTTP is loaded first. See your latest SSL question.

Cheers,
Hades666
 

Author Comment

by:jammy-d0dger
ID: 33663669
yep, got that, perfectly explained. Nice one.
 
LVL 30

Expert Comment

by:Brad Howe
ID: 33663748
And this was a typo.
IP 2 all using host headers
   http(s)://domain4.com
SHOULD BE
IP 2 all using host headers
   http(s)://domain5.com
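The two rules the expert gives above (one certificate per IP:port, and an HTTPS request on the shared IP being answered by whichever site holds that IP's certificate) can be checked against a planned binding table before touching a live server. The following is an added example, not code from the thread or from IIS: a small Python model of IIS 6 bindings using the corrected IP1/IP2 layout, with constructed site names and the two internal addresses quoted in the thread.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch

@dataclass
class Binding:
    site: str
    ip: str                      # "*" stands for "All Unassigned"
    port: int
    host: str = ""               # host header; "" matches any host
    cert_names: list = field(default_factory=list)  # CN/SANs; "*.x.com" allowed

def ssl_conflicts(bindings):
    """(ip, port) endpoints carrying more than one SSL binding. IIS 6 has no
    SNI, so only one certificate can be served per endpoint (accepted answer)."""
    per_endpoint = {}
    for b in bindings:
        if b.cert_names:
            per_endpoint.setdefault((b.ip, b.port), []).append(b.site)
    return {ep: sites for ep, sites in per_endpoint.items() if len(sites) > 1}

def select_site(bindings, ip, port, host, tls):
    """Binding that answers a request to ip:port for `host`. HTTP is routed by
    host header; HTTPS by IP:port alone, since the header only arrives after
    the TLS handshake, so the wrong site's certificate can be presented."""
    cands = [b for b in bindings if b.port == port and b.ip in (ip, "*")]
    cands.sort(key=lambda b: b.ip == "*")   # a specific IP beats All Unassigned
    if tls:
        cands = [b for b in cands if b.cert_names]
        return cands[0] if cands else None
    exact = [b for b in cands if b.host == host]
    any_host = [b for b in cands if b.host == ""]
    return (exact or any_host or [None])[0]

def check_https(bindings, host, ip):
    """Which site answers https://host at ip, and whether its cert names host."""
    b = select_site(bindings, ip, 443, host, tls=True)
    if b is None:
        return {"site": None, "cert_ok": False}      # nothing listening on 443
    ok = any(fnmatch(host.lower(), n.lower()) for n in b.cert_names)
    return {"site": b.site, "cert_ok": ok}

# Constructed layout: IP1 carries the port-80 sites and the first SSL site,
# IP2 the second SSL site (internal addresses as quoted in the thread).
IP1, IP2 = "192.168.3.100", "192.168.3.99"
SITES = [
    Binding("domain1", "*", 80, "domain1.com"),
    Binding("domain4", IP1, 80, "domain4.com"),
    Binding("domain4", IP1, 443, "domain4.com", ["domain4.com"]),
    Binding("domain5", IP2, 80, "domain5.com"),
    Binding("domain5", IP2, 443, "domain5.com", ["domain5.com"]),
]
```

Running `check_https(SITES, "domain1.com", IP1)` reproduces the certificate-error case from the table above, and adding a second 443 binding on IP1 makes `ssl_conflicts` report the clash the accepted answer warns about.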
 

Author Comment

by:jammy-d0dger
ID: 33663769
HA, yeah, I 'read' it in my mind correctly and totally missed the typo.  I knew what you meant. :)
 

Author Comment

by:jammy-d0dger
ID: 33699882
All installed with extra public IP, works perfectly.  Thanks very much for all your help.