I cant seem to run multiple sites using the same IP with different ports and different ssl cert.
site a is fine but site b is returning SSL_ERROR_BAD_CERT_DOMAIN because it's returning site a's ssl cert.
This is the error I get when trying to use it on the same ports hence I use different ports for the domains
Here are my thoughts:
First of all SSL certificates are most commonly issued against domain names instead of IP addresses.
In your scenario you have one IP address so only one certificate can be issued against one IP address.
Options:
Get multiple SSL certificates for your website domains assuming your websites will be hosted on different domains e.g. example1.com, example2.com
Get wild card ssl certificate and then use it for your multiple websites assuming your websites will be hosted on sub-domains e.g. site1.example.com, site2.example.com
So the solution provided by Moshin Mehmood did resolve the issue.
Any site on IIS will have to use SNI and there is no reason to supply a specific IP if all the sites use the same one, IIS will give an error about not having any default ssl bindings but that is a legacy thing and not cause for concern.
Thank you very much Mohsin.
Related
Currently, two different websites are hosted on different ports in the same server IIS8. Now we would like to move those websites on HTTPS 443 in the same server IIS and two different domains are available www.example1.com, and www.example2.com thus which type of SSL certificate need? Does the different certificate work for each?
IIS 8 and above supports SNI, so multiple sites can bind to the same IP:443,
https://learn.microsoft.com/en-us/iis/get-started/whats-new-in-iis-8/iis-80-server-name-indication-sni-ssl-scalability
If you find your attempts fail, you can go deep to Windows HTTP API layer to see if you get SNI certificate mappings configured properly,
https://docs.jexusmanager.com/tutorials/https-binding.html#background
or generate a diagnostics report,
https://docs.jexusmanager.com/tutorials/ssl-diagnostics.html
There isn't special requirements on certificates as long as they are valid for server authentication.
You can use the 443 port with both different websites in iis with different domain names and server Name identification setting
you can buy any trusted root CA server certificate for your domain and you have to buy two different certificates.
I have two sites which are ****.twsstaging.com and ****.testrdcstg.com. I have wildchar certificates for both the sites.
I am using IIS 8.5 in Windows server 2012R2. I have a SINGLE site configured in IIS which resolve to both these domains.
Now I need to add SSL to these sites. I have tried with adding multiple bindings on 443 which leades to use only one certificate.
Since IIS is 8.5 i am not able to give *.twsstaging.com or *.testrdcstg.com as header values in bindings. I have tried this in IIS 10.0 and succeeded as wildchar hostname entries are allowed.
This is the error while trying to add wildchar hostname in binding
I tried (Server Name Indication)SNI as well which also failed due to above error as i cannot give wildchar host names.
Now I am trying to use a Central Certificate Store(CCS) with wildchar. Below are my setup screenshots
One Certificate details
Central Certificate store
IIS Binding
I added an entry in \System32\drivers\etc\hosts file as well
But if I am browsing HTTPS:// first site is showing 404 page and other is showing privacy error message
It looks like still both domains are loading with one certificate.
Earlier,When I added these bindings normally HTTPS was working fine first sites and same privacy error for second one.
So here the ask is Can I achieve this in IIS 8.5?
I have tried normal bindings,SNI and CCS approaches on same 443 port.
Is there any way to achieve it either though CCS or through different port?
ran into this a few years ago and again today after an outage where we had to change the IP bindings.
use a random host name like 123.com
save the binding
edit C:\Windows\System32\inetsrv\config\applicationHost.config
replace 123.com with * and save
restart iis site
I have hosted my software product (Say SoftPro) on one the servers (say Server1). This SoftPro is a web application with Https with Self signed certificate. The server is in Demiliterized zone (DMZ). So, from client machines, I cannot use server name to access my software product. Instead, I need to use servers IP address (Like- https://10.20.30.40/SoftPro).
But when I do this, I get a certificate error saying - "The security certificate presented by this website was issued for a different website's address". Even if I install the certificate and re-open the browser, the issue still exists. This issue is there when I use https://localhost/SoftPro on the server itself.
I tried adding this to Trusted site. I also tried redirecting IP address to hostname by adding IP address and its DNS name to Hosts file in C:\Windows\System32\drivers\etc. If I open the browser with https://10.20.30.40/SoftPro, it doesnt redirect and it still gives me same error.
Any workaround for resolve this issue?
Thanks in advance.
When I say,
1000 domains are hosted on the same server.
Does it means that 1000 domains are hosted on the same IP address?
Yes. You configure the server software to correlate the host name to the right service files. This applies to FTP/WWW, etc.
A server can host either virtually by use of the same IP address with different host headers (example.com, sample.com, sub.sample.com), through the use of multiple IPs bound to the server, or a combination of both.
So to answer your question, no, having 1000 domains hosted on the same IP address doesn't mean that they have the same IP address. However, it is possible given the configuration of the sites.
Normally, yes.
There is nothing stopping you from installing another NIC and having another IP address on the machine, but typically, 1000 domains hosted on the same server will be accessible using the same IP address.
Web servers use the host header to determine which site to load when many sites are configured to use the same IP address.
It's possible, with name based virtual hosting, a feature introduced in HTTP 1.1. It causes some problems with really old (corporate) proxies that pretend to only speak HTTP 1.0 and there are SSL related issues, so in general it's not the optimum solution.
We have two different ldap providers in two different physical office locations.
When I connect my laptop to one location and I 'retrieve from port' (in Websphere 6.1) to import the SSL cert of the ldap provider, I can authenticate to the respective ldap with no problems. If I take my laptop to the other office (that uses the other ldap provider by default) and I plugin my laptop, my WAS on my laptop will not start because it says 'no trusted SSL cert found'.
If I 'retrieve from port' again and re import the cert then it works again.
Note that my WAS always try to connect to one ldap, it simply has no use for the other one.
If I go back to the other office I get the same error until I reimport from that location. The ldap connection point is ldap.example.com:636 and is pingable in both locations with the same FQDN.
But when pinged it resolves to a different IP address in each office location. Why do I see that behavior?
Are SSL Certs somehow bound to a specific IP address?
If yes, then I need to maintain a different set of certs for each office location, right?
Note that, there is no way to adjust the DNS servers to resolve the hostname to the same IP address, I checked.
Can someone provide some insight?
SSL certificates are bound to a 'common name', which is usually a fully qualified domain name but can be a wildcard name (eg. *.example.com) or even an IP address, but it usually isn't.
In your case, you are accessing your LDAP server by a hostname and it sounds like your two LDAP servers have different SSL certificates installed. Are you able to view (or download and view) the details of the SSL certificate? Each SSL certificate will have a unique serial numbers and fingerprint which will need to match. I assume the certificate is being rejected as these details don't match with what's in your certificate store.
Your solution will be to ensure that both LDAP servers have the same SSL certificate installed.
BTW - you can normally override DNS entries on your workstation by editing a local 'hosts' file, but I wouldn't recommend this.
The SSL certificates are going to be bound to hostname rather than IP if they are setup in the standard way. Hence why it works at one site rather than the other.
Even if the servers share the same hostname they may well have two different certificates and hence WebSphere will have a certificate trust issue as it won't be able to recognise the certificate on the second server as it is different to the first.
Most SSL certificates are bound to the hostname of the machine and not the IP address.