Using IIS 10, I have 3 websites with 3 different hostnames, but the same IP address and port, and each of them has its own SSL certificate.

In the bindings I can see that each has the correct certificate attached (when I click View, I see the right details for each).

However, when I go to the URL in the browser, it says the certificate is not trusted (except for the one site the certificate actually belongs to), and when I click to see the certificate information, I see they all use the same certificate even though each is bound to its own certificate in IIS.

I did tick the box saying "Require Server Name Indication", but still it uses only one certificate.

In my case where all websites use the same IP and port, is it possible to also use a different certificate?

In this case where I use the same IP and port for all websites, do I have to use a single certificate? Or can I somehow make it work with separate certificates?

pileup
  • The question is which browser you were using. If the browser does not follow SNI to send the host name in the SSL handshake, then the certificate from the IP-based binding will be used instead of the one from the SNI-based bindings: https://docs.jexusmanager.com/tutorials/https-binding.html#ip-based-bindings You might stop serving such non-SNI browsers, as they are usually legacy ones with lots of other issues. – Lex Li May 24 '23 at 19:54
  • It's from Google Chrome/Edge. Could there be an issue with the certificate? Because I also made a mistake in the post: it's not different domains, it's the same domain with different subdomains: `web1.example.com`, `web2.example.com`, `web3.example.com`. In this case, do I need to use the same certificate? – pileup May 25 '23 at 07:27
  • Subdomains require their own SNI mappings to be registered in the Windows HTTP API. If you don't have those yet, the problem is then expected. Chrome/Edge started to support SNI years ago, so it is not likely to be a browser-side issue. – Lex Li May 25 '23 at 14:22
  • Thank you, and is it something I can fix when I have 3 separate certificates? Or am I going to have to combine them into 1 with all the subdomains? – pileup May 25 '23 at 15:04
  • https://docs.jexusmanager.com/tutorials/ssl-diagnostics.html#the-built-in-ssl-diagnostics-in-jexus-manager You might run a few reports to see what can be found. – Lex Li May 25 '23 at 15:42
  • Did you ever find a solution to this problem? We're running into it right now, and I'd love an update. https://xkcd.com/979/ – AndyD273 Aug 26 '23 at 06:22
  • @AndyD273 the solution was to use a single certificate that holds all the needed hostnames – pileup Aug 26 '23 at 08:13

1 Answer

This isn't really the solution to OP's problem; it's the solution to my problem, which happens to sound exactly like the problem that OP was having. I'm including it here in case some time down the road someone else has the same problem, and they might be able to use this information to solve it.

We have an IIS server set up with 5 web sites. 3 of them have the same wildcard certificate (www.website1.com, sales.website1.com, dev.website1.com), and the other two have their own single site certificates.

But what was happening was that all 5 sites were getting assigned the wildcard certificate for website1.com.

What we had to do to solve the problem was to set the HTTPS binding on all 5 sites to IP address: All Unassigned, port 443, and then make sure that Require Server Name Indication was checked and the correct certificate was selected for each site.

AndyD273
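A way to verify the situation described in the question and the answer, added here and not part of either post: it connects to the shared IP and port once per host name, sending each name as the SNI value, and shows which certificate IIS actually returns. The server address and host names are placeholders to replace with your own.

```powershell
# Added diagnostic, not code from the question or answer. Connects to one shared
# IP:port with a different SNI host name per connection and reports the
# certificate IIS actually serves, so bindings can be compared with reality.
# $Server and the host names below are placeholders; replace them with your own.
$Server    = '203.0.113.10'     # placeholder: the shared IP from the IIS bindings
$Port      = 443
$HostNames = 'web1.example.com', 'web2.example.com', 'web3.example.com'

function Get-ServedCertificate {
    param([string]$Address, [int]$Port, [string]$SniName)
    $client = New-Object System.Net.Sockets.TcpClient($Address, $Port)
    # Accept any certificate: the goal is to see which one is served, not to validate it.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    try {
        # AuthenticateAsClient puts $SniName in the ClientHello server_name extension,
        # which is what IIS uses to pick an SNI binding over the IP-based fallback.
        $ssl.AuthenticateAsClient($SniName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        # 2.5.29.17 is the Subject Alternative Name extension
        $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        [pscustomobject]@{
            SniName    = $SniName
            Subject    = $cert.Subject
            SAN        = if ($san) { $san.Format($false) } else { '(none)' }
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
        }
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

# Client view: one row per SNI name. Identical thumbprints across rows reproduce
# the symptom in the question (only the IP-based/fallback certificate is served).
$HostNames | ForEach-Object { Get-ServedCertificate -Address $Server -Port $Port -SniName $_ } |
    Format-Table -AutoSize

# Server view (run on the IIS host): SNI bindings show as "Hostname:port" entries;
# an "IP:port" entry is the fallback used for any name without its own entry.
netsh http show sslcert
```

If a host name's row shows a thumbprint that does not match the certificate selected in its IIS binding, compare it with the `netsh` output: a missing `Hostname:port` entry for that name means the request is falling through to the IP-based binding.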