Kitz Forum

Internet => Web Hosting & Web Design => Topic started by: chenks on June 15, 2018, 12:07:57 PM

Title: IIS with multiple sites - SSL certificates
Post by: chenks on June 15, 2018, 12:07:57 PM
i know there are a couple of IIS experts here, so i have this question.

currently the IIS server has two domains pointing to it.
1 domain is a single site - www.blah.com
the other domain has the main site and a few sub-domain sites - www.meh.com, test.meh.com, test2.meh.com etc etc. these are all set up as individual standalone "sites" in IIS.

all works well.

we added a https certificate to www.blah.com, so now we have http://www.blah.com and https://www.blah.com, and IIS set to SSL required and the relevant 403 error page for that site set to redirect to the https version. again all works fine.

we then looked at adding an https certificte for www.meh.com, but come up with a problem that both sites have the same IP address set in the bindings and, apparently, you can't do this if both sites are bound to the same IP - is this correct?

if it is correct how would be get around this and be able to have both domains (along with the sub-domains) SSL certified?
Title: Re: IIS with multiple sites - SSL certificates
Post by: d2d4j on June 15, 2018, 12:25:38 PM
Hi chrysalis

It depends upon your mappingís

You can install cert as a server cert and tell site to use that cert

What iis version are you using

Many thanks

John
Title: Re: IIS with multiple sites - SSL certificates
Post by: chenks on June 15, 2018, 12:33:10 PM
i'm chenks, not chrysalis  ;D
it's IIS 6 running on Windows Server 2003 (yes i know.. nothing i can do about it).
Title: Re: IIS with multiple sites - SSL certificates
Post by: d2d4j on June 15, 2018, 12:56:11 PM
Hi chenks

Apologies to chrysalis and yourself old eyes sorry

Instead of binding to an ip, set binding to default (sorry cannot remember itís name), then there is no conflict

Many thanks

John
Title: Re: IIS with multiple sites - SSL certificates
Post by: chenks on June 15, 2018, 01:00:16 PM
you mean here ?

(https://image.ibb.co/fDFqEd/Capture.jpg)

(https://image.ibb.co/nyV7ud/Capture2.jpg)
Title: Re: IIS with multiple sites - SSL certificates
Post by: highpriest on July 10, 2018, 05:43:04 PM

we then looked at adding an https certificte for www.meh.com, but come up with a problem that both sites have the same IP address set in the bindings and, apparently, you can't do this if both sites are bound to the same IP - is this correct?

Pretty much. SNI support was only added in IIS 8.0.

https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-8/iis-80-server-name-indication-sni-ssl-scalability

So unless you bind both sites to separate IP addresses, this is not possible. Unless...

Quote
if it is correct how would be get around this and be able to have both domains (along with the sub-domains) SSL certified?

Two options. One is to use a wildcard certificate and bind that to both sites. But that won't work for you because your domains are different.

Second option is to use what's called a UCC certificate. It's basically a certificate that supports multiple domains, also called a SAN certificate. You should be able to get one from Let's Encrypt easily.

Edit: Let's Encrypt now supports wildcards as well (multiple, up to 100).

https://community.letsencrypt.org/t/multiple-wildcard/58205
Title: Re: IIS with multiple sites - SSL certificates
Post by: chenks on July 10, 2018, 06:20:02 PM
i could migrate the sites to Windows Server 2008 R2, but i believe that's only IIS 7.5 so SNI still wouldn't be an option.
we may look at doing this anyway just to get away from Server 2003.

so Let's Encrypt with wildcards would be the option.
would that still work with the 2 different domains?

i know let's encrypt support is a bit sketchy with IIS but is possible.
the "certify the web" tool for IIS and let's encrypt looks basic at the moment and doesn't support wildcards (unless it's had a recent update?)
Title: Re: IIS with multiple sites - SSL certificates
Post by: highpriest on July 11, 2018, 05:34:34 PM
i could migrate the sites to Windows Server 2008 R2, but i believe that's only IIS 7.5 so SNI still wouldn't be an option.
we may look at doing this anyway just to get away from Server 2003.

Server 2008 R2 goes out of support in Jan 2020 so if you must stay on Windows/IIS, I would look at moving to 2012 R2 or 2016 (preferable).

I wouldn't run anything on 2003 tbh. It has long gone out of support and could have various unpatched vulnerabilities. Plus, you can only support up to TLS 1.0, which is considered 'obsolete' as of June 30th, 2018.

Quote
so Let's Encrypt with wildcards would be the option.
would that still work with the 2 different domains?

Yep, it's supported.

https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578

Code: [Select]
A single certificate can have wildcard DNS names for multiple base domains, and can also mix in non-wildcard names.
Quote
i know let's encrypt support is a bit sketchy with IIS but is possible.
the "certify the web" tool for IIS and let's encrypt looks basic at the moment and doesn't support wildcards (unless it's had a recent update?)

I've only ever used certbot so I don't know, sorry.

It does look like Certify The Web (v4, which is in beta) supports ACME v2.

https://letsencrypt.org/docs/client-options/
https://github.com/webprofusion/certify/issues/270

There are plenty of other ACME v2 implementations for Windows so have a look around.

If you can't migrate quickly from Server 2003, I'd consider sticking a reverse proxy in front of it. Something like Nginx or HAProxy that will handle TLS offloading. If you can implement WAF as well, that would be a bonus.
Title: Re: IIS with multiple sites - SSL certificates
Post by: chenks on July 11, 2018, 07:30:31 PM
i looked at cerbot, but it's UNIX only it seems.
Title: Re: IIS with multiple sites - SSL certificates
Post by: chenks on July 14, 2018, 08:56:57 PM
right i've got a windows 2008 R2 test environment set up.
i've got 2 domains pointing to it and configured IIS for me.

what i now need to work it firstly is how to get both sites working for HTTPS without a certificate, then once both https can be accessed then look at adding a certificate to cover both sites.

is it still correct at this point to set the binding to "all assigned" rather than the listed IP address?
Title: Re: IIS with multiple sites - SSL certificates
Post by: chenks on July 24, 2018, 06:59:56 PM
bump, finally starting to concentrate on getting this working.
i have 2 domains pointing to this server and my attempt is to get both working with HTTPS and Let's Encrypt.

i am guessing i need to go down the SAN route with Lets Encrypt?
Title: Re: IIS with multiple sites - SSL certificates
Post by: highpriest on July 25, 2018, 09:57:25 PM
is it still correct at this point to set the binding to "all assigned" rather than the listed IP address?

How many IP addresses do you have on that machine? Are they internal (RFC1918) IPv4 addresses (behind a NAT) or public IPs?
Title: Re: IIS with multiple sites - SSL certificates
Post by: chenks on July 25, 2018, 10:00:09 PM
1 public IP, 1 local IP.
Title: Re: IIS with multiple sites - SSL certificates
Post by: highpriest on July 25, 2018, 10:43:35 PM
bump, finally starting to concentrate on getting this working.
i have 2 domains pointing to this server and my attempt is to get both working with HTTPS and Let's Encrypt.

i am guessing i need to go down the SAN route with Lets Encrypt?

It depends on how you want it all to work. If you only have 1 public IP at your disposal, your options are a bit limited. If you can put a small Linux reverse proxy in front of your IIS web server that handles SSL offloading, you can use SNI, which means you won't have to bother with a SAN certificate. You can use SAN certificates, and as long as they are not wildcards, you should be able to use http-01 challenges, which means you won't have to muck about with getting dns-01 automated during renewal time.

http://letsencrypt.readthedocs.io/en/latest/challenges.html

If that is not an option, and your Windows 2008 R2 box is the one handling the TLS connection, you have to use a multi-domain (SAN) certificate. As long as none of the DNS names are wildcards, you should be able to use http-01 challenge. I have no idea how well Certify The Web integrates with IIS and handles it all, but I'm guessing it should work as the mechanism is quite simple.

If you tell me more about your setup, I can try and help.
Title: Re: IIS with multiple sites - SSL certificates
Post by: highpriest on July 25, 2018, 10:45:46 PM
1 public IP, 1 local IP.

On the same server on separate NICs?
Title: Re: IIS with multiple sites - SSL certificates
Post by: chenks on July 25, 2018, 10:52:31 PM
I'll need to check in the morning when I'm back in, but I suspect 1 NIC.

I can give you more detailed info about the setup then.

I'm fully expecting to have to push for upgrade to iis8 though.
Title: Re: IIS with multiple sites - SSL certificates
Post by: chenks on July 26, 2018, 09:58:50 AM
ok so here is what this server has

Code: [Select]
C:\Users\grays>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : CTECH-GLA-VWEB5
   Primary Dns Suffix  . . . . . . . : ad.******.co.uk
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : ad.******.co.uk

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
   Physical Address. . . . . . . . . : 00-50-56-8A-1C-6A
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.232.16.61(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.232.16.11
   DNS Servers . . . . . . . . . . . : 10.232.111.21
                                       10.232.111.51
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{BAC38D81-3251-402A-B9AC-D184E76E6AB1}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Windows Server 2008 R2
for testing, i currently have 2 "sites" set up in IIS (both just HTTP for now).
1 single public IP that hits the firewall which then routes the traffic from port 80 (and 443) to the server on the internal IP

(https://image.ibb.co/fGKbjT/Capture.jpg)
(https://image.ibb.co/cjCkdo/Capture2.jpg)

binging options that are available are

(https://image.ibb.co/ctEM4T/Capture.jpg)

with regards to the suggestion about nginx. i definitely wouldn't get approval for putting in a linux box anywhere on the network.
i might be able to get nginx installed on this server alongside IIS, but that would only be at a last resort.