• Status: Solved
  • Priority: Medium
  • Security: Public

IIS7 moved SSL certificate to new server, sites pulling wrong SSL certificate

We moved an existing SSL cert from a 2008 to a 2012 IIS7 server. There was an existing cert already there for 5 other domains. The cert we moved handles 5 other domains too. The sites for the second cert in question have been moved and bound to the cert in question too, but when pulling up the site we get errors.

NET::ERR_CERT_COMMON_NAME_INVALID, and further down in the text it clearly points to the wrong cert.

I ran the command below and noted that 0.0.0.0:443 is pointing to the correct cert and 10.33.0.210:443 is the other one that the sites continue to pull up. Is this correct, or should they both point to 10.33.0.210:443, which is the IIS server?

C:\Users\Administrator>netsh http show sslcert

SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 8dde8eb0fca47526a348b3408a9601667fc4ebf7
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : My
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled

    IP:port                      : 10.33.0.210:443
    Certificate Hash             : aa251faacbb73909b54fedd12f29760264b8ac1e
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : My
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled
0
Asked by: Harold
1 Solution
 
Adam Brown (Sr Solutions Architect) commented:
The binding should be on all IPs if the server only has one NIC and you want that cert to be used for all sites on the server. The only time you would want to have different SSL certs on different IP addresses would be if the server has multiple NICs hosting web traffic for different host names.
0
 
Harold (Network Engineer, Author) commented:
@Adam the binding is All Unassigned IPs, if that's what you're saying. The new and old IIS server have one NIC and one private IP. The certs had to have 2 different public IPs for this to work externally (public) and was working fine until moving the certs to the 2012 machine. I'm just not seeing where I screwed up the configuration; obviously I'm doing something wrong. If you go to steelsmartsystem.com you'll see the error.

Both certs are in there but the domain that SHOULD be going to the cert we just moved, all seem to be defaulting to the original cert.
0
 
Dan McFadden (Systems Engineer) commented:
First off, I recommend NOT running websites on the "All Unassigned" binding. If you have multiple sites on a single IP, you should be selecting the IP directly and using Host Names on the binding.

- Can you post a shot of the Site list in IIS? Open IIS Manager, select Sites.
- Are the SSL Certs on the server (2 now) wildcard certs?
- So how many sites are now running on this IIS server? 10?

The error referenced above indicates that there is a FQDN mismatch between the URL entered and the URL set on the Cert.

Dan
0
 
Harold (Network Engineer, Author) commented:
@Dan: if we try changing the IP to the internal IP, we get a message: "At least one other site is using the same HTTPS binding and the binding is configured with a different cert. Are you sure you want to reuse this HTTPS binding and reassign the other site or sites to use the new cert?"

There are about 50 sites, the certs are applied to 5 each. They have the main FQDN and 4 sub-names.

Correct, the error is pointing out that the name and the cert are a mismatch, but the site is clearly bound to the other cert. I don't see what is redirecting the site to the other cert.

This is the list of domains the applied cert should be handling. Attached is the binding.
DNS Name=www.appliedscienceint.com
DNS Name=appliedscienceint.com
DNS Name=portal.appliedscienceint.com
DNS Name=www.steelsmartsystem.com
DNS Name=www.extremeloading.com
ASI-binding.jpg
0
 
Dan McFadden (Systems Engineer) commented:
A better practice would be to assign a site a dedicated IP if it requires an SSL Cert.

And the binding that you screenshotted will throw an error because the site is using an SSL Cert for a domain that is not in the cert.

Here is what I see:
1. https://www.appliedscienceint.com is using an SSL Cert for www.steelnetwork.com
*** you cannot do this without throwing errors... the domain name is mismatched
2. https://appliedscienceint.com is using an SSL Cert for www.steelnetwork.com
*** you cannot do this without throwing errors... the domain name is mismatched
3. https://portal.appliedscienceint.com is using an SSL Cert for www.steelnetwork.com
*** you cannot do this without throwing errors... the domain name is mismatched
4. https://www.steelsmartsystem.com is using an SSL Cert for www.steelnetwork.com
*** you cannot do this without throwing errors... the domain name is mismatched
5. https://www.extremeloading.com is using an SSL Cert for www.steelnetwork.com
*** you cannot do this without throwing errors... the domain name is mismatched

Essentially you need to buy a new SSL Cert to do what you want. You need an SSL Cert that supports "Subject Alternative Names," which allows you to have multiple different domain names secured by a single certificate.

Reference Link: https://www.godaddy.com/help/what-is-a-multiple-domain-ucc-ssl-certificate-3908

Dan
0
 
Harold (Network Engineer, Author) commented:
@Dan: these certs are "Subject Alternative Names" certs and were working on the old server.
In what you posted, 1 - 5, this is what I'm trying to fix, as they are not binding to that cert; they are binding to the ASI cert, the *.appliedscienceint.com cert.

Both were purchased to handle a total of 5 FQDN's and were working until we moved them to the new server.

Do we need two separate internal IPs, as well as public?
0
 
Dan McFadden (Systems Engineer) commented:
Are you sure you moved the correct Cert? Now I can see the SANs.

Have you tried to export the old cert and then deleted it?

First I would try to remove the old cert and see if the SSL config is picked up.

Dan
0
 
Harold (Network Engineer, Author) commented:
@Dan: ya, it's the correct one. When I view Details and Alternate Names, it shows all the domains we are trying to secure.

You set up "Require Server Name Indication"? Trying this, but it states "No default SSL site has been created. To support browsers without SNI capabilities, it is recommended to create a default SSL site."
0
 
Dan McFadden (Systems Engineer) commented:
Here's a how-to article from MSDN about configuring multiple sites with a SAN SSL Cert.

Link: https://blogs.msdn.microsoft.com/varunm/2013/06/18/bind-multiple-sites-on-same-ip-address-and-port-in-ssl/

Dan
0
 
Harold (Network Engineer, Author) commented:
@Dan: I removed the steelnetwork.com cert and steelsmartsystem.com still points to steelnetwork.com cert.
0
 
Harold (Network Engineer, Author) commented:
@Dan: the SNI setting had to be ticked on every site with a cert applied to it. I also set it to an assigned IP. I didn't set up the others, so I didn't know which ones had been set to be secured.

Thanks
0
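The symptom in the question (the site is "bound" to the right cert in IIS Manager but serves the other one) and the fix in the final post (Require SNI on every site) both come down to how http.sys picks a certificate from its `sslcert` bindings before IIS matches any site. The script below is an added example, not code from the thread or any of its participants. It parses the `netsh http show sslcert` output quoted in the question (reproduced here as a constructed, trimmed sample), reports IP-specific bindings that override the 0.0.0.0 one, and models the lookup order http.sys uses (Hostname:port, then IP:port, then 0.0.0.0:port). Which thumbprint belongs to which certificate is an assumption taken from Harold's remark that 0.0.0.0:443 holds the correct (ASI SAN) cert; the Hostname:port entries are constructed to show what SNI bindings add.

```python
"""Model http.sys SSL binding selection for the netsh output in this thread.

Added example, not code from the thread. The netsh text is constructed from
the two bindings the question lists; which certificate belongs to which set of
host names is an assumption taken from Harold's remark that 0.0.0.0:443 holds
the "correct" (ASI SAN) certificate. The lookup order modelled here
(Hostname:port, then IP:port, then 0.0.0.0:port) is http.sys's precedence
for SSL bindings.
"""
import re
from dataclasses import dataclass

# Constructed from the question's `netsh http show sslcert` output (trimmed).
NETSH_OUTPUT = """\
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 8dde8eb0fca47526a348b3408a9601667fc4ebf7
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : My

    IP:port                      : 10.33.0.210:443
    Certificate Hash             : aa251faacbb73909b54fedd12f29760264b8ac1e
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : My
"""

# Assumption (from the thread, not verified): 8dde... is the ASI SAN cert that
# covers www.steelsmartsystem.com, aa25... is the www.steelnetwork.com cert.
ASI_SAN_CERT = "8dde8eb0fca47526a348b3408a9601667fc4ebf7"
STEELNETWORK_CERT = "aa251faacbb73909b54fedd12f29760264b8ac1e"


@dataclass(frozen=True)
class SslBinding:
    key: str        # "ip:port" or "hostname:port", as netsh prints it
    cert_hash: str  # SHA-1 thumbprint, lower-case hex
    kind: str       # "hostname" (SNI), "ip" (specific address) or "any" (0.0.0.0)


def parse_sslcert(text):
    """Parse `netsh http show sslcert` output into SslBinding records.

    Handles both "IP:port" and "Hostname:port" entries; the latter appear once
    a site binding has "Require Server Name Indication" set.
    """
    bindings, key, kind = [], None, None
    for line in text.splitlines():
        m = re.match(r"\s*(IP:port|Hostname:port)\s*:\s*(\S+)", line)
        if m:
            key = m.group(2).lower()
            if m.group(1) == "Hostname:port":
                kind = "hostname"
            else:
                kind = "any" if key.startswith("0.0.0.0:") else "ip"
            continue
        m = re.match(r"\s*Certificate Hash\s*:\s*([0-9a-fA-F]{40})", line)
        if m and key is not None:
            bindings.append(SslBinding(key, m.group(1).lower(), kind))
            key = None
    return bindings


def resolve_cert(bindings, server_ip, port=443, sni_host=None):
    """Return the thumbprint http.sys presents for a TLS handshake, or None.

    The certificate is chosen by http.sys from these bindings before IIS ever
    matches a site, so the "SSL certificate" shown on the site's binding in
    IIS Manager does not decide what a client sees. Order tried: hostname:port
    (only when the client sent SNI), then the specific ip:port, then
    0.0.0.0:port.
    """
    by_key = {b.key: b.cert_hash for b in bindings}
    candidates = []
    if sni_host:
        candidates.append(f"{sni_host.lower()}:{port}")
    candidates += [f"{server_ip}:{port}", f"0.0.0.0:{port}"]
    return next((by_key[k] for k in candidates if k in by_key), None)


def shadowed_bindings(bindings):
    """List ip:port bindings whose cert differs from the 0.0.0.0:port cert.

    Such a binding silently overrides the "All Unassigned" one for every site
    on that address, which is exactly the symptom in the question.
    """
    any_cert = {b.key.rsplit(":", 1)[1]: b.cert_hash for b in bindings if b.kind == "any"}
    return [b for b in bindings if b.kind == "ip"
            and any_cert.get(b.key.rsplit(":", 1)[1], b.cert_hash) != b.cert_hash]


# Constructed: the extra entries netsh lists after SNI is required on each
# site, one Hostname:port binding per host name the thread mentions.
SNI_BINDINGS = parse_sslcert(NETSH_OUTPUT) + [
    SslBinding("www.steelsmartsystem.com:443", ASI_SAN_CERT, "hostname"),
    SslBinding("www.appliedscienceint.com:443", ASI_SAN_CERT, "hostname"),
    SslBinding("www.steelnetwork.com:443", STEELNETWORK_CERT, "hostname"),
]


if __name__ == "__main__":
    before = parse_sslcert(NETSH_OUTPUT)
    for b in shadowed_bindings(before):
        print(f"{b.key} overrides the 0.0.0.0 binding with cert {b.cert_hash[:8]}...")
    for host in ("www.steelsmartsystem.com", "www.steelnetwork.com"):
        print(host, "before SNI:", resolve_cert(before, "10.33.0.210", sni_host=host)[:8],
              "after SNI:", resolve_cert(SNI_BINDINGS, "10.33.0.210", sni_host=host)[:8])
```

Run against the question's two bindings, `shadowed_bindings` flags 10.33.0.210:443, and `resolve_cert` returns the steelnetwork thumbprint for every host on that address whether or not the client sends SNI, which is why www.steelsmartsystem.com kept presenting the wrong cert. Once each site has a Hostname:port binding, the SNI lookup wins and each host gets the cert that actually lists it; a client without SNI still falls through to the IP binding, which is what the "No default SSL site has been created" warning is about.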
 
Harold (Network Engineer, Author) commented:
Thanks!
0
 
Dan McFadden (Systems Engineer) commented:
Glad you got it resolved.

Dan
0
Question has a verified solution.