We are trying to address an (IIS) SSL cert mismatch issue. We own dozens of domains name for various lines of business. We have multiple websites load balanced on a netscaler onsite. For example, www.xyz.com that has 3 servers: p1, p2, and p3. On the very rare occasion that all 3 servers go down, or are intentionally taken out of service for upgrades/maintenance, we have the netscaler redirect traffic over to another another server that strictly functions as a "sorry" server for maintenance (ex. www.sorry.com). This sorry server typically just puts out a generic message that the site is down for maintenance. However, we have some business sites that want custom maintenance messages. In order to do this, we have to create a separate website on the sorry server for each site that wants a custom message. We run into issues when traffic from the main site (httpS ://www.xyz.com) is redirected over to http(S) ://www.sorry.com. The browser kicks up a cert mismatch which the business does not like for the end user. We are looking for ways to architect this so that the cert mismatch error never happens or is not seen.
One solution is to use a wild card cert on the sorry server that covers multiple domains. This is kind of expensive for how little it gets used.
Another solution seems to be to install the cert for www.xyz.com on the Sorry server, but in IIS that requires a separate dedicated IP for the website in order to install the original SSL cert. We have a lot of domains so this could really chew into our list of free IPs, and it becomes an administrative hassle if we have to setup, config, and maintain all this duplication.
Lastly, we've thought about not using httpS on the sorry server and doing a redirect from httpS to http. However, this does not seem like a viable long term solution as the industry standards for browsers seems to going to everything must use httpS or the browser will start throwing unsecure traffic warnings to the end user.
Looking for thoughts and suggestions... Thanks
