Installing 2 SSL Certificates on IIS6, 2 sites, both show the same Cert

Hi Experts,

Scenario: Win2k3 server with IIS6 has about 50 sites running on it.  1 site has had an SSL cert running for a while, no problems.  Just added a new cert for a different IIS website and even though they are both assigned to different IP addresses, the 2nd site seems to be attached to the 1st site's SSL cert ???  

Any clues as to what we're doing wrong, much appreciated.
jammy-d0dger Asked:
Brad Howe (DevOps Manager) Commented:

You can have one SSL cert / IP address & port combination. So
https://www.domain1.com 
https://www.domain2.com:444
https://www.domain3.com:445

is valid.

https://www.domain1.com
https://www.domain2.com

is not valid.

* This would require 2 external IP addresses as well as 2 internal IP addresses, OR a wildcard cert with SSL host headers as described in your latest question :). However, if :444 and :445 are not supposed to be in the domain name, then you need additional external IP addresses.

-Hades666
0
 
Brad Howe (DevOps Manager) Commented:
Hi,

Did you set both sites up to use host headers and statically assign the IP addresses? It sounds like you are using unassigned and no host headers.

1. Open IIS Manager.
2. Right click on the 1st website.
3. Select Properties, then WebSite Tab.
4. Under Web Site Identification, set IP as 1st IP. Don't leave unassigned.
5. Under Web Site Identification, click Advanced
6. Under Multiple Identities, click ADD.
7. Set IP as 1st IP, TCP port as 80, and host header as your.domain.com
8. Set IP as 1st IP, TCP port as 443, and host header as your.domain.com

Repeat steps for Website2 using the 2nd IP.

Let us know if this works out.
-Hades666
0
 
jammy-d0dger (Author) Commented:
thanks for suggestion.  I have done exactly as you suggest.  However, as soon as I set the 1st site to one of the other IP addresses, IIS stops serving the site and gives the 'Bad Request or Invalid Hostname' error!  If I switch back to 'All Unassigned' the site starts working again.  For the sake of clarity I have uninstalled the 2nd site's Cert for now until we can get one site running on an assigned IP.  What do you reckon?
One other thing is that I have just noticed that if we browse to any host header of any of the other websites on the server, using https:// it redirects to the site with the cert installed!  Even though the website in question just has two host headers assigned correctly.
We're doing this perfectly well on another server, 2 sites, 2 SSL certs, both on assigned IPs, however the only difference is that they are the only 2 sites on that box.
0
Brad Howe (DevOps Manager) Commented:
Hi,
Could you do the following for me.
Open CMD and type the following: "IISWeb /query /s YOURSERVERNAME >> C:\Location-to-save\IIS_config.txt"
This will enumerate all your sites. Then modify the IIS_config to mask your domain using find/replace and upload it here.
Thank you,
Hades666
0
 
jammy-d0dger (Author) Commented:
I've exported for the offending site...
iis-config.txt
0
 
Brad Howe (DevOps Manager) Commented:
It is not the site i need. I want to see your bindings. - Hades666
0
 
jammy-d0dger (Author) Commented:
ok, if I run your command line suggestion, I get "This Script does not work with WScript", which is followed by "Would you like to register CScript as your default host for VBScript?"
Is this advisable to do?  And will cause any conflicts that you know of?  This is a live webserver (gulp).
0
 
Brad Howe (DevOps Manager) Commented:
Hi,
cscript and wscript are just script hosts. This is no issue here.
To Change the Default Script Host
On initial installation of Windows Script Host, the default script host is WScript. To change it to CScript, type the following at a command line.
cscript //h:cscript

To change the default host from CScript to WScript, type the following at a command line.
cscript //h:wscript  
Cheers, Hades666
0
 
jammy-d0dger (Author) Commented:
OK, appreciate that you're trying to help, I have run that script but it has over 50 sites listed and I would rather not upload that list for obvious reasons, and a search/replace will take forever, but I can tell you that every site listed has:
IP: ALL
Port: 80
Except for Administration which is on 8099.
 
0
 
jammy-d0dger (Author) Commented:
BTW: I searched for 443 as a string and it doesn't appear in the file.  Is that normal?
0
 
jammy-d0dger (Author) Commented:
If I set the site in question to an assigned IP, it does show up as such in the list, (192.168.3.99), default IP is 192.168.3.100
however, as mentioned above, the site then stops working with 'Bad Request or Invalid Hostname' until switched back to 'ALL'
0
 
Brad Howe (DevOps Manager) Commented:
What is your DNS set to?
Open CMD and type "nslookup your.domain.com"
Does it return 192.168.3.99?
Hades666
0
 
jammy-d0dger (Author) Commented:
no, it returns the external facing public IP.  We have one external IP being forwarded by our firewalls to the 2 internal IPs on the 3.xx range.
I did think this might be a problem, but the other server I mentioned earlier works fine with this configuration.
Out of interest, would it be worth putting a HOSTS entry in for the domain, with 192.168.3.99 ?
One other thought, if I'm setting one site to an assigned IP in IIS, does this mean I should be setting all the other sites to the other, default IP, or is it ok to leave them all as 'All Unassigned' ?
0
 
jammy-d0dger (Author) Commented:
actually scratch that, sorry I misread it.  the IP shown is the DNS server IP, as expected, but there is no IP returned under Name: mydomain.uk
Er, that's weird.
0
 
jammy-d0dger (Author) Commented:
ok, sorry, I'm confusing the issue here, I looked up without the www. prefix and it seems the client doesn't have the A record in place for that.  So, back to where I was before, it returns the external public IP of the server.
0
 
Brad Howe (DevOps Manager) Commented:
AH!!! That is the issue, you can't do that. SSL requires a unique IP / host on the same port. In this case you would need to change the default port from 443 to 446 or something else.
See your last question.
-Hades666
0
 
jammy-d0dger (Author) Commented:
AHHHHHHHHHHHHHH, gotcha.  Just checked on the other server where it's working fine and Yes, we have two external IPs being redirected to the same server, with 2 internal IPs assigned to the NIC Team.  Brilliant, that makes total sense.  I am now off to kill my systems manager because I asked him that question on Friday and he swore blind we only needed 2 internal IPs.
If you're reading this, (and you know who you are), from your on-site location, prepare for painful death when you return!
Hades666, thanks a bunch for the help/solution.  If you don't mind, I will just wait until we get the external IP assigned and test this is the solution before I close the Q.  But, I'm pretty sure it will be.
0
 
Brad Howe (DevOps Manager) Commented:
no worries, Keep it open and I'll help configure if you have issues. - Hades666
0
 
jammy-d0dger (Author) Commented:
Presumably if we switched to a wildcard cert, we would lose the domain verification element of the cert?   Or do you return to the issuing body, (GoDaddy/Starfield), each time you want to add a new domain and get the wildcard cert updated?
0
 
Brad Howe (DevOps Manager) Commented:
wildcard is *.domain.com. Using the wildcard notation (an asterisk and period before your domain name) allows you to extend security to different subdomains based on your top-level domain name.
UCC/SAN is domain.com domain2.com site1.com etc... using Subject Alt Names, meaning you can add multiple domains to a cert. If you need to update it, you contact your vendor, ask for an update and then re-apply the cert.
If the domain names are separate, you could use a UCC certificate from GoDaddy and then assign using SSL host headers.
Everything is about the host headers or bindings. :)
-Hades666
0
 
jammy-d0dger (Author) Commented:
Nice one, yes, I meant the UCC/SAN option in my question, but used the wrong terminology... clearly! :)  That makes sense, to have to re-issue the cert each time...  I was wondering how it worked and that seemed the only logical answer.
0
 
jammy-d0dger (Author) Commented:
Hopefully the last question:
We should be able to use 2 IP's correct?  
IP#1 for the 1st SSL site and all the other Port 80 sites.  
IP#2 for the 2nd SSL site.
0
 
Brad Howe (DevOps Manager) Commented:

Yes, that will work.  BUT you will see the following

IP 1 all using host headers
   http://domain1.com
   http://domain2.com
   http://domain3.com
   http(s)://domain4.com

IP 2 all using host headers
   http(s)://domain4.com

Now if a user goes to https://domain1.com, the site will load with a certificate error but the content of domain4.com. This is because HTTP is loaded first. See your latest SSL question.

Cheers,
Hades666
0
 
jammy-d0dger (Author) Commented:
yep, got that, perfectly explained. Nice one.
0
 
Brad Howe (DevOps Manager) Commented:
And this was a typo.
IP 2 all using host headers
   http(s)://domain4.com
SHOULD BE
IP 2 all using host headers
   http(s)://domain5.com

0
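The rule Brad Howe states in his first reply (one certificate per IP:port combination), the wildcard versus UCC/SAN distinction, and the case in the two-IP layout above where https://domain1.com arrives on IP 1 and is answered with domain4's certificate, as an added Python model. This is not code from the thread or from IIS; it simulates how HTTP.SYS on Windows Server 2003 selected a certificate before Server Name Indication existed (SNI support did not arrive until IIS 8 on Windows Server 2012). The site names, the 192.168.3.x addresses and the binding tables are constructed for the example; the `Binding`, `Result`, `resolve`, `https_conflicts` and `cert_matches` names are the example's own.

```python
"""Pre-SNI HTTPS binding model for IIS 6 / Windows Server 2003.

Added example, not code from the thread. It reproduces the rule stated above:
HTTP.SYS picks the certificate from the IP:port the TCP connection arrived on,
before any Host header exists, so two certificates cannot share one IP:port.
All names, addresses and bindings here are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional

ALL_UNASSIGNED = "*"  # IIS Manager's "(All Unassigned)"


@dataclass(frozen=True)
class Binding:
    site: str
    ip: str                  # concrete address or ALL_UNASSIGNED
    port: int
    host_header: str = ""    # "" = no host header: catch-all on that endpoint
    cert_names: tuple = ()   # () = plain HTTP; else subject CN plus SAN entries


@dataclass
class Result:
    status: int                    # 200, or 400 "Bad Request (Invalid Hostname)"
    site: Optional[str]
    cert_names: tuple              # () when the endpoint has no certificate
    name_matches: Optional[bool]   # None for plain HTTP or a 400


def cert_matches(name: str, host: str) -> bool:
    """Exact match, or a single-label wildcard: *.example.com covers
    www.example.com but neither example.com nor a.b.example.com."""
    name, host = name.lower(), host.lower()
    if name.startswith("*."):
        suffix = name[1:]  # ".example.com"
        label = host[:-len(suffix)] if host.endswith(suffix) else ""
        return bool(label) and "." not in label
    return name == host


def https_conflicts(bindings):
    """[(ip, port, [sites])] for endpoints carrying more than one distinct
    certificate. IIS keeps only one of them; the others never get served."""
    by_endpoint = {}
    for b in bindings:
        if b.cert_names:
            by_endpoint.setdefault((b.ip, b.port), []).append(b)
    return [
        (ip, port, sorted(b.site for b in group))
        for (ip, port), group in by_endpoint.items()
        if len({b.cert_names for b in group}) > 1
    ]


def resolve(bindings, ip: str, port: int, host: str) -> Result:
    """Route one request the way IIS 6 did: choose the endpoint (a concrete IP
    binding beats All Unassigned), take *its* certificate, and only then use
    the Host header to pick between sites sharing that endpoint."""
    exact = [b for b in bindings if b.port == port and b.ip == ip]
    pool = exact or [b for b in bindings if b.port == port and b.ip == ALL_UNASSIGNED]
    if not pool:
        return Result(400, None, (), None)
    # The certificate is fixed before the Host header is readable; if several
    # are bound here the model keeps the first, the real server keeps just one.
    certs = [b.cert_names for b in pool if b.cert_names]
    cert = certs[0] if certs else ()
    site = next((b for b in pool if b.host_header.lower() == host.lower()), None)
    if site is None:
        site = next((b for b in pool if b.host_header == ""), None)
    if site is None:
        return Result(400, None, cert, None)
    matches = any(cert_matches(n, host) for n in cert) if cert else None
    return Result(200, site.site, cert, matches)


# Constructed scenario 1, the thread's starting point: every site on
# (All Unassigned):80 with host headers, and two certificates on :443.
ORIGINAL = [
    Binding("shop", ALL_UNASSIGNED, 80, "shop.example.com"),
    Binding("shop", ALL_UNASSIGNED, 443, "", ("shop.example.com",)),
    Binding("blog", ALL_UNASSIGNED, 80, "blog.example.com"),
    Binding("news", ALL_UNASSIGNED, 80, "news.example.com"),
    Binding("news", ALL_UNASSIGNED, 443, "news.example.com", ("news.example.com",)),
]

# Constructed scenario 2, the layout agreed at the end of the thread: one IP
# for the port-80 sites plus the first HTTPS site, a second IP for the other.
FIXED = [
    Binding("domain1", "192.168.3.100", 80, "domain1.com"),
    Binding("domain4", "192.168.3.100", 80, "domain4.com"),
    Binding("domain4", "192.168.3.100", 443, "", ("domain4.com", "www.domain4.com")),
    Binding("domain5", "192.168.3.99", 80, "domain5.com"),
    Binding("domain5", "192.168.3.99", 443, "", ("domain5.com",)),
]
```

Running `https_conflicts(ORIGINAL)` flags the shared (All Unassigned):443 endpoint, which is the "2nd site attached to the 1st site's cert" symptom from the question; `resolve(ORIGINAL, "192.168.3.100", 443, "blog.example.com")` returns the shop site and shop certificate for a host that never asked for HTTPS, which is the "any host header redirects to the site with the cert" symptom. With `FIXED`, `resolve(FIXED, "192.168.3.100", 443, "domain1.com")` still returns domain4's content and certificate with a name mismatch, exactly the caveat Brad gives for the two-IP layout, while domain5 on the second IP is clean. A request for a host that has no binding on the IP it arrived at, such as `resolve(FIXED, "192.168.3.100", 80, "domain5.com")`, gets the 400 Bad Request / Invalid Hostname seen when the site was moved to a single assigned IP.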
 
jammy-d0dger (Author) Commented:
HA, yeah, I 'read' it in my mind correctly and totally missed the typo.  I knew what you meant. :)
0
 
jammy-d0dger (Author) Commented:
All installed with extra public IP, works perfectly.  Thanks very much for all your help.
0