Solved

IIS7 moved SSL certificate to new server, sites pulling wrong SSL certificate

Posted on 2016-09-09
Last Modified: 2016-09-13
We moved an existing SSL cert from a 2008 server to a 2012 IIS7 server. There was an existing cert already there for 5 other domains. The cert we moved handles 5 other domains too. The sites for the second cert in question have been moved and bound to the cert in question too, but when pulling up the site we get errors.

NET::ERR_CERT_COMMON_NAME_INVALID, and further down in the text it clearly points to the wrong cert.

I ran the command below and noted that 0.0.0.0:443 is pointing to the correct cert and 10.33.0.210:443 is the other one that the sites continue to pull up. Is this correct, or should they both point to 10.33.0.210:443, which is the IIS server?

C:\Users\Administrator>netsh http show sslcert

SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 8dde8eb0fca47526a348b3408a9601667fc4ebf7
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : My
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled

    IP:port                      : 10.33.0.210:443
    Certificate Hash             : aa251faacbb73909b54fedd12f29760264b8ac1e
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : My
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled
Question by:Harold
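The question above shows two HTTP.sys entries for port 443 with different certificate hashes and asks which one a site will actually get. The script below is an added example, not code from the thread: run elevated on the IIS box, it parses the same "netsh http show sslcert" output, works out for every HTTPS binding in IIS which HTTP.sys entry answers it, and checks whether that certificate's SAN list covers the binding's host name. The site names and thumbprints come from whatever server it runs on; nothing is hard-coded to the thread. It assumes IIS 7.5 or later with the WebAdministration module; the sslFlags attribute (and therefore SNI) only exists on IIS 8 and later, and IPv4 bindings are assumed.

```powershell
# Added example (not from the thread): audit IIS HTTPS bindings against the
# certificate HTTP.sys will actually present, and flag host names it does not cover.
Import-Module WebAdministration

function Get-HttpSysSslBindings {
    # One object per "netsh http show sslcert" entry. Non-SNI entries are keyed
    # "IP:port"; SNI entries (IIS 8+) are keyed "Hostname:port".
    $entries = @(); $cur = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            $cur = [pscustomobject]@{ Kind = $Matches[1]; Endpoint = $Matches[2]; Thumbprint = $null }
            $entries += $cur
        } elseif ($cur -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]{40})') {
            $cur.Thumbprint = $Matches[1].ToUpper()
        }
    }
    $entries
}

function Test-HostCovered {
    # True when $HostName matches a SAN dNSName (or the CN, for certs without a
    # SAN). A wildcard matches exactly one label, which is what browsers enforce.
    param($Cert, [string]$HostName)
    if (-not $Cert -or -not $HostName) { return $false }
    $names = @($Cert.DnsNameList | ForEach-Object Unicode)
    if ($names.Count -eq 0 -and $Cert.Subject -match 'CN=([^,]+)') { $names = @($Matches[1]) }
    foreach ($n in $names) {
        if ($n -eq $HostName) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                                           # ".example.com"
            $label  = $HostName.Substring(0, [Math]::Max(0, $HostName.Length - $suffix.Length))
            if ($HostName.EndsWith($suffix) -and $label -and $label -notmatch '\.') { return $true }
        }
    }
    return $false
}

$httpSys = Get-HttpSysSslBindings
$report = foreach ($site in Get-ChildItem IIS:\Sites) {
    foreach ($b in @($site.Bindings.Collection | Where-Object { $_.protocol -eq 'https' })) {
        $ip, $port, $hostName = $b.bindingInformation -split ':'        # "*:443:www.example.com"
        $sni = ([int]$b.sslFlags -band 1) -eq 1                          # sslFlags is absent on IIS 7.x
        # Which HTTP.sys entry answers this binding:
        #  - SNI binding       -> the Hostname:port entry for its host header
        #  - specific IP       -> the IP:port entry
        #  - "All Unassigned"  -> 0.0.0.0:port, BUT an entry for the exact IP the
        #    connection arrives on takes precedence over 0.0.0.0, which is how a
        #    site "bound" to one cert ends up served with another.
        $key = if ($sni) { "${hostName}:$port" } elseif ($ip -eq '*') { "0.0.0.0:$port" } else { "${ip}:$port" }
        $entry = $httpSys | Where-Object { $_.Endpoint -eq $key } | Select-Object -First 1
        $shadow = if (-not $sni -and $ip -eq '*') {
            $httpSys | Where-Object { $_.Kind -eq 'IP:port' -and $_.Endpoint -ne $key -and
                                      $_.Endpoint -like "*:$port" -and $_.Thumbprint -ne $entry.Thumbprint }
        }
        $cert = if ($entry) { Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $entry.Thumbprint }
        [pscustomobject]@{
            Site       = $site.Name
            Binding    = $b.bindingInformation
            SNI        = $sni
            HttpSysKey = $key
            Thumbprint = $entry.Thumbprint
            Covered    = Test-HostCovered -Cert $cert -HostName $hostName
            ShadowedBy = ($shadow | ForEach-Object { "$($_.Endpoint)=$($_.Thumbprint)" }) -join ' '
        }
    }
}
$report | Format-Table -AutoSize
```

A row with Covered = False is a binding that will produce NET::ERR_CERT_COMMON_NAME_INVALID for that host name; a non-empty ShadowedBy column is an "All Unassigned" binding whose traffic, when it arrives on that specific IP, will be answered with the specific-IP certificate instead of the 0.0.0.0:443 one.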
13 Comments
 
LVL 38

Expert Comment

by:Adam Brown
ID: 41792058
The binding should be on all IPs if the server only has one NIC and you want that cert to be used for all sites on the server. The only time you would want to have different SSL certs on different IP addresses would be if the server has multiple NICs hosting web traffic for different host names.
LVL 1

Author Comment

by:Harold
ID: 41792641
@Adam the binding is All unassigned IPs, if that's what you're saying. The new and old IIS server have one NIC and one private IP. The certs had to have 2 different public IPs for this to work externally(public) and was working fine until moving the certs to the 2012 machine. I'm just not seeing where I screwed up the configuration, obviously I'm doing something wrong. If you go to steelsmartsystem.com you'll see the error.

Both certs are in there but the domain that SHOULD be going to the cert we just moved, all seem to be defaulting to the original cert.
LVL 26

Expert Comment

by:Dan McFadden
ID: 41793858
First off, I recommend NOT running websites on the "All Unassigned" binding.  If you have multiple sites on a single IP, you should be selecting the IP directly and using Host Names on the binding.

- Can you post the shot of the Site list in IIS.  Open IIS Manager, select Sites.
- Are the SSL Certs on the server (2 now) wildcard certs?
- So how many sites are now running on this IIS server?  10?

The error referenced above indicates that there is a FQDN mismatch between the URL entered and the URL set on the Cert.

Dan
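The comment above reads the browser error as a mismatch between the name in the URL and the names in the certificate. The function below is an added example, not code from the thread, for confirming that from the client side: it records which certificate a server presents for a given name. .NET's SslStream puts the target string into the TLS server_name extension but omits the extension when that string is an IP literal, so connecting by IP shows what non-SNI clients get from the IP:port entry. The host name is the one from the thread; the IP is a documentation-range placeholder, and only exact SAN matches are reported (no wildcard logic).

```powershell
# Added example (not from the thread): which certificate does the server present
# for a given SNI name, and which one when no SNI name is sent at all?
function Get-PresentedCert {
    param(
        [Parameter(Mandatory)][string]$Target,   # host name or IP to connect to
        [string]$SniName = $Target,              # value sent as TLS server_name
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($Target, $Port)
    try {
        # Accept whatever the server sends: this inspects, it does not validate.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($SniName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $sans = @($cert.DnsNameList | ForEach-Object Unicode)
        [pscustomobject]@{
            Target     = "${Target}:$Port"
            SniName    = $SniName
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            DnsNames   = ($sans -join ', ')
            NameInCert = [bool]($sans -contains $SniName)   # False = browser will show a name mismatch
        }
    } finally {
        $client.Close()
    }
}

# Placeholders: a site name from the thread and a documentation-range IP (RFC 5737).
Get-PresentedCert -Target 'www.steelsmartsystem.com'                 # SNI sent
Get-PresentedCert -Target '203.0.113.10' -SniName '203.0.113.10'     # IP literal: no SNI sent
```

Compare the two Thumbprint values: if the SNI call and the IP call return different certificates, the server is selecting by name; if both return the certificate the browser complains about, the site is being served from an IP:port entry in HTTP.sys regardless of what IIS Manager shows on the site's binding.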
LVL 1

Author Comment

by:Harold
ID: 41794105
@Dan: if we try changing the IP to the internal IP, we get a message...."At least one other site is using the same HTTPS binding and the binding is configured with a different cert. Are you sure you want to reuse this HTTPS binding and reassign the other site or sites to use the new cert?"

There are about 50 sites, the certs are applied to 5 each. They have the main FQDN and 4 sub-names.

Correct, the error is pointing out that the name and the cert are a mismatch, but the site is clearly bound to the other cert. I don't see what is redirecting the site to the other cert.

This is the list of domains the applied cert should be handling. Attached is the binding.
DNS Name=www.appliedscienceint.com
DNS Name=appliedscienceint.com
DNS Name=portal.appliedscienceint.com
DNS Name=www.steelsmartsystem.com
DNS Name=www.extremeloading.com
ASI-binding.jpg
LVL 26

Expert Comment

by:Dan McFadden
ID: 41794128
A better practice would be to assign a site a dedicated IP if it requires an SSL Cert.

And the binding that you screenshotted will throw an error because the site is using an SSL cert for a domain that is not in the cert.

Here is what I see:
1. https://www.appliedscienceint.com is using an SSL Cert for www.steelnetwork.com
*** you cannot do this without throwing errors... the domain name is mismatched
2. https://appliedscienceint.com is using an SSL Cert for www.steelnetwork.com
*** you cannot do this without throwing errors... the domain name is mismatched
3. https://portal.appliedscienceint.com is using an SSL Cert for www.steelnetwork.com
*** you cannot do this without throwing errors... the domain name is mismatched
4. https://www.steelsmartsystem.com is using an SSL Cert for www.steelnetwork.com
*** you cannot do this without throwing errors... the domain name is mismatched
5. https://www.extremeloading.com is using an SSL Cert for www.steelnetwork.com
*** you cannot do this without throwing errors... the domain name is mismatched

Essentially you need to buy a new SSL Cert to do what you want.  You need an SSL Cert that supports "Subject Alternative Names."  Which allows you to have multiple different domain names secured by a single certificate.

Reference Link:  https://www.godaddy.com/help/what-is-a-multiple-domain-ucc-ssl-certificate-3908
 
Dan
LVL 1

Author Comment

by:Harold
ID: 41794187
@Dan: these certs are "Subject Alternative Names" certs and were working on the old server.
In what you posted in 1 - 5, this is what I'm trying to fix, as they are not binding to that cert; they are binding to the ASI cert, the *.appliedscienceint.com cert.

Both were purchased to handle a total of 5 FQDNs and were working until we moved them to the new server.

Do we need two separate internal IPs, as well as public?
LVL 26

Expert Comment

by:Dan McFadden
ID: 41794238
Are you sure you moved the correct Cert?  Now I can see the SANs.

Have you tried to export the old cert and then deleted it?

First I would try to remove the old cert and see if the SSL config is picked up.

Dan
LVL 1

Author Comment

by:Harold
ID: 41794272
@Dan: yes, it's the correct one. When I view the details and Alternate Names, it shows all the domains we are trying to secure.

You set up "Require Server Name Indication"? Trying this, but it states "No default SSL site has been created. To support browsers without SNI capabilities, it is recommended to create a default SSL site"

LVL 26

Accepted Solution

by:
Dan McFadden earned 500 total points
ID: 41794283
Here's a how-to article from MSDN about configuring multiple sites with a SAN SSL Cert.

Link:  https://blogs.msdn.microsoft.com/varunm/2013/06/18/bind-multiple-sites-on-same-ip-address-and-port-in-ssl/

Dan
LVL 1

Author Comment

by:Harold
ID: 41794534
@Dan: I removed the steelnetwork.com cert and steelsmartsystem.com still points to steelnetwork.com cert.
LVL 1

Author Comment

by:Harold
ID: 41795022
@Dan: the SNI setting had to be ticked on every site with a cert applied to it. I also set it to an assigned IP. I didn't set up the others, so I didn't know which ones had been set to be secured.

Thanks
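The fix the thread settled on is "Require Server Name Indication" on every HTTPS binding, plus a default SSL site for clients that do not send SNI. The script below is an added example, not code from the thread or the linked article, that applies the same configuration from PowerShell instead of clicking through each site in IIS Manager. It needs IIS 8 (Windows Server 2012) or later, where SNI bindings and the sslFlags attribute exist, and an elevated session. Site names, host names and the thumbprint are placeholders to replace; the appid is the GUID IIS registers its own HTTP.sys bindings under, the same one that appears in the netsh output in the question.

```powershell
# Added example (not from the thread): give each site an SNI binding tied to the
# SAN certificate that lists its host name, plus one non-SNI default binding.
Import-Module WebAdministration

$Port        = 443
$IisAppId    = '{4dc3e181-e14b-4a21-b022-59fc669b0914}'   # IIS's own appid for HTTP.sys entries
$Thumbprint  = 'AA251FAACBB73909B54FEDD12F29760264B8AC1E'   # the SAN cert (placeholder)
$DefaultSite = 'ASI-www'                                    # site that answers non-SNI clients
$Sites = @{                                                 # IIS site name -> host name (placeholders)
    'ASI-www'    = 'www.appliedscienceint.com'
    'ASI-portal' = 'portal.appliedscienceint.com'
}

$cert     = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
$sanNames = @($cert.DnsNameList | ForEach-Object Unicode)

foreach ($siteName in $Sites.Keys) {
    $hostName = $Sites[$siteName]
    # Refuse to bind a name the certificate does not cover: that mismatch is what
    # the browser reports as NET::ERR_CERT_COMMON_NAME_INVALID.
    if ($sanNames -notcontains $hostName) {
        throw "$hostName is not in the SAN list of certificate $Thumbprint"
    }

    # Remove every existing https binding on the site, including any stale
    # "All Unassigned" binding without SNI that would fall back to 0.0.0.0:443.
    Get-WebBinding -Name $siteName -Protocol https | Remove-WebBinding

    # sslFlags 1 = "Require Server Name Indication" in IIS Manager.
    New-WebBinding -Name $siteName -Protocol https -Port $Port -IPAddress '*' `
                   -HostHeader $hostName -SslFlags 1

    # Register the certificate for this host name in HTTP.sys. A Hostname:port
    # entry is selected by the SNI name, not by destination IP, so for SNI-capable
    # clients it wins over both the 0.0.0.0:443 and the per-IP entries.
    netsh http delete sslcert "hostnameport=${hostName}:$Port" | Out-Null
    netsh http add sslcert "hostnameport=${hostName}:$Port" "certhash=$Thumbprint" `
                 "appid=$IisAppId" certstorename=MY | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed to register $hostName" }
}

# Default SSL site: a plain *:443 binding (no host header, no SNI) on one site,
# backed by a 0.0.0.0:443 entry in HTTP.sys. Clients that send no SNI get this
# certificate, so it must cover the name they are most likely to use.
New-WebBinding -Name $DefaultSite -Protocol https -Port $Port -IPAddress '*'
$hasDefault = (netsh http show sslcert "ipport=0.0.0.0:$Port") -match 'Certificate Hash'
if (-not $hasDefault) {
    netsh http add sslcert "ipport=0.0.0.0:$Port" "certhash=$Thumbprint" `
                 "appid=$IisAppId" certstorename=MY | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed to register the 0.0.0.0:$Port default" }
}

# Show the result the way the question did.
netsh http show sslcert | Select-String 'port|Certificate Hash'
```

Two caveats worth checking afterwards. A leftover per-IP entry such as the 10.33.0.210:443 one in the question still answers non-SNI connections that arrive on that IP, so remove it with `netsh http delete sslcert ipport=10.33.0.210:443` once nothing depends on it. And the second SAN certificate on the server needs its own pass through the loop with its own thumbprint; only one of the two can be the 0.0.0.0:443 default, and non-SNI clients of the other certificate's sites will see a name mismatch.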
LVL 1

Author Closing Comment

by:Harold
ID: 41795023
Thanks!
LVL 26

Expert Comment

by:Dan McFadden
ID: 41795533
Glad you got it resolved.

Dan