Using fictional domains here instead of the actual ones I have this situation:

domain1.com has binding set up in IIS and is linked to SSL and has "Require Server Name Indication" checked.

domain2.com has binding in IIS and is linked to its own SSL and has "Require Server Name Indication" checked.

Going to https://domain1.com in a browser works fine.

Going to https://domain2.com in a browser gives an error : NET::ERR_CERT_COMMON_NAME_INVALID "This server couldn't prove that it's domain2.com; its security certificate is from domain1.com."

I can't understand it because SNI is definitely checked for both and they are the only 2 https bindings for that IP. I have tried restarting the site in IIS and recycling the AppPool but that makes no difference.

Paul

1 Answer

You need to use netsh or a tool like Jexus Manager to review what the exact mappings stored in the Windows HTTP API are,

https://docs.jexusmanager.com/tutorials/https-binding.html#sni-based-bindings

IIS Manager does not show that detailed view.

Lex Li

  • Thanks, I used "netsh http show sslcert" and saw that an SSL certificate was showing up twice, once against an ip address and once against the domain. Deleting the one based on the ip address using "netsh http delete sslcert ipport=1.2.3.4:443" fixed my problem. – Paul Nov 10 '22 at 21:56
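The check described in the answer and the comment above, as an added PowerShell example (not code from the original thread or from Jexus Manager): it parses the text that `netsh http show sslcert` prints, lists every HTTP.sys certificate mapping with its kind (IP:port versus hostname:port/SNI), and flags any IP:port entry that sits on the same port as SNI entries, which is exactly the stale mapping the asker found. The `$raw` here-string is a constructed sample that mimics the real output layout (the IP, hostnames, thumbprints are made up; the Application ID GUID is the one IIS normally writes); on a real server replace it with the live command as shown in the comment. It deliberately does not delete anything: it only prints the `netsh http delete sslcert` command for you to review, because an IP:port mapping on the same port can be intentional (a fallback certificate for clients that do not send SNI).

```powershell
# Added example: find IP:port SSL mappings in HTTP.sys that share a port with
# hostname:port (SNI) mappings. Constructed sample output; on a real server use:
#   $raw = netsh http show sslcert
$raw = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 1.2.3.4:443
    Certificate Hash             : a1b2c3d4e5f60718293a4b5c6d7e8f9012345678
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : MY

    Hostname:port                : domain1.com:443
    Certificate Hash             : a1b2c3d4e5f60718293a4b5c6d7e8f9012345678
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : MY

    Hostname:port                : domain2.com:443
    Certificate Hash             : ffeeddccbbaa99887766554433221100aabbccdd
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : MY
'@ -split "`r?`n"

function Get-SslCertBinding {
    # Turn the netsh text into one object per mapping.
    param([string[]]$Lines)
    $bindings = @()
    $current  = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)\s*$') {
            if ($current) { $bindings += $current }
            $kind     = if ($Matches[1] -eq 'IP:port') { 'IP' } else { 'SNI' }
            $endpoint = $Matches[2]
            # Take the last ':'-separated field so IPv6 endpoints like [::]:443 work.
            $port     = [int]($endpoint -split ':')[-1]
            $current  = [pscustomobject]@{
                Kind     = $kind
                Endpoint = $endpoint
                Port     = $port
                Hash     = $null
                AppId    = $null
            }
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*(\S+)') {
            $current.Hash = $Matches[1]
        }
        elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\S+)') {
            $current.AppId = $Matches[1]
        }
    }
    if ($current) { $bindings += $current }
    return $bindings
}

function Find-ShadowingIpBinding {
    # IP:port mappings that share a port with at least one SNI mapping.
    param([object[]]$Bindings)
    $sniPorts = @($Bindings | Where-Object { $_.Kind -eq 'SNI' } |
                  Select-Object -ExpandProperty Port -Unique)
    return @($Bindings | Where-Object { $_.Kind -eq 'IP' -and $sniPorts -contains $_.Port })
}

$bindings = Get-SslCertBinding -Lines $raw
$bindings | Format-Table Kind, Endpoint, Hash, AppId -AutoSize

foreach ($b in (Find-ShadowingIpBinding -Bindings $bindings)) {
    $sameHash = @($bindings | Where-Object { $_.Kind -eq 'SNI' -and $_.Hash -eq $b.Hash })
    Write-Host ("IP mapping {0} shares port {1} with SNI mappings" -f $b.Endpoint, $b.Port)
    if ($sameHash.Count -gt 0) {
        Write-Host ("  same certificate as SNI mapping(s): {0}" -f ($sameHash.Endpoint -join ', '))
    }
    Write-Host ("  review, then remove with: netsh http delete sslcert ipport={0}" -f $b.Endpoint)
}
```

With the sample data this prints the three mappings and then flags `1.2.3.4:443`, noting that it carries the same thumbprint as the `domain1.com:443` SNI mapping, which is the duplicate the comment describes. Two caveats before running the suggested delete: the IP:port entry might be wanted as a fallback for non-SNI clients, and `netsh http delete sslcert` only removes the HTTP.sys mapping, not the site binding in IIS, so if an IIS binding is still configured against that IP address it may be recreated when the site restarts and should be corrected in IIS Manager as well.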