Kitz Forum
Internet => Web Hosting & Web Design => Topic started by: chenks on June 15, 2018, 12:07:57 PM
-
I know there are a couple of IIS experts here, so I have this question.
Currently the IIS server has two domains pointing to it.
1 domain is a single site - www.blah.com
The other domain has the main site and a few sub-domain sites - www.meh.com, test.meh.com, test2.meh.com etc. These are all set up as individual standalone "sites" in IIS.
All works well.
We added an https certificate to www.blah.com, so now we have http://www.blah.com and https://www.blah.com, and IIS set to SSL required and the relevant 403 error page for that site set to redirect to the https version. Again, all works fine.
We then looked at adding an https certificate for www.meh.com, but came up with a problem that both sites have the same IP address set in the bindings and, apparently, you can't do this if both sites are bound to the same IP - is this correct?
If it is correct, how would we get around this and be able to have both domains (along with the sub-domains) SSL certified?
-
Hi chrysalis
It depends upon your mappings.
You can install cert as a server cert and tell site to use that cert
What iis version are you using
Many thanks
John
-
I'm chenks, not chrysalis ;D
It's IIS 6 running on Windows Server 2003 (yes, I know... nothing I can do about it).
-
Hi chenks
Apologies to chrysalis and yourself, old eyes, sorry.
Instead of binding to an IP, set binding to default (sorry, cannot remember its name), then there is no conflict.
Many thanks
John
-
You mean here?
(https://image.ibb.co/fDFqEd/Capture.jpg)
(https://image.ibb.co/nyV7ud/Capture2.jpg)
-
We then looked at adding an https certificate for www.meh.com, but came up with a problem that both sites have the same IP address set in the bindings and, apparently, you can't do this if both sites are bound to the same IP - is this correct?
Pretty much. SNI support was only added in IIS 8.0.
https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-8/iis-80-server-name-indication-sni-ssl-scalability
So unless you bind both sites to separate IP addresses, this is not possible. Unless...
If it is correct, how would we get around this and be able to have both domains (along with the sub-domains) SSL certified?
Two options. One is to use a wildcard certificate and bind that to both sites. But that won't work for you because your domains are different.
Second option is to use what's called a UCC certificate. It's basically a certificate that supports multiple domains, also called a SAN certificate. You should be able to get one from Let's Encrypt easily.
Edit: Let's Encrypt now supports wildcards as well (multiple, up to 100).
https://community.letsencrypt.org/t/multiple-wildcard/58205
-
I could migrate the sites to Windows Server 2008 R2, but I believe that's only IIS 7.5, so SNI still wouldn't be an option.
We may look at doing this anyway just to get away from Server 2003.
So Let's Encrypt with wildcards would be the option.
Would that still work with the 2 different domains?
I know Let's Encrypt support is a bit sketchy with IIS but is possible.
The "Certify the Web" tool for IIS and Let's Encrypt looks basic at the moment and doesn't support wildcards (unless it's had a recent update?)
-
I could migrate the sites to Windows Server 2008 R2, but I believe that's only IIS 7.5, so SNI still wouldn't be an option.
We may look at doing this anyway just to get away from Server 2003.
Server 2008 R2 goes out of support in Jan 2020 so if you must stay on Windows/IIS, I would look at moving to 2012 R2 or 2016 (preferable).
I wouldn't run anything on 2003 tbh. It has long gone out of support and could have various unpatched vulnerabilities. Plus, you can only support up to TLS 1.0, which is considered 'obsolete' as of June 30th, 2018.
So Let's Encrypt with wildcards would be the option.
Would that still work with the 2 different domains?
Yep, it's supported.
https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578
A single certificate can have wildcard DNS names for multiple base domains, and can also mix in non-wildcard names.
I know Let's Encrypt support is a bit sketchy with IIS but is possible.
The "Certify the Web" tool for IIS and Let's Encrypt looks basic at the moment and doesn't support wildcards (unless it's had a recent update?)
I've only ever used certbot so I don't know, sorry.
It does look like Certify The Web (v4, which is in beta) supports ACME v2.
https://letsencrypt.org/docs/client-options/
https://github.com/webprofusion/certify/issues/270
There are plenty of other ACME v2 implementations for Windows so have a look around.
If you can't migrate quickly from Server 2003, I'd consider sticking a reverse proxy in front of it. Something like Nginx or HAProxy that will handle TLS offloading. If you can implement a WAF as well, that would be a bonus.
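Whether one certificate can cover www.blah.com plus www.meh.com and its sub-domains comes down to SAN coverage and the wildcard rule (a wildcard is only the whole leftmost label and matches exactly one label). This is an added check, not from the thread: stdlib Python applying the RFC 6125 hostname-matching rule to constructed SAN lists for the site names used in this thread, so you can see which layout leaves a site uncovered before requesting the certificate.

```python
def name_matches(san, host):
    """RFC 6125 style match of one SAN dNSName against a hostname.

    Case-insensitive; a wildcard is honoured only as the entire leftmost
    label and stands for exactly one label, so *.meh.com covers
    test.meh.com but neither meh.com nor a.b.meh.com.
    """
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san == host:
        return True
    if not san.startswith("*."):
        return False                        # no wildcard, or wildcard not leftmost
    san_labels, host_labels = san.split("."), host.split(".")
    if len(san_labels) != len(host_labels):
        return False                        # wildcard matches one label, never zero or several
    return san_labels[1:] == host_labels[1:]

def uncovered_hosts(san_names, hosts):
    """Return the hostnames that no entry in the certificate's SAN list matches."""
    return [h for h in hosts if not any(name_matches(s, h) for s in san_names)]

# Constructed sample: the sites from this thread.
SITES = ["www.blah.com", "www.meh.com", "test.meh.com", "test2.meh.com"]

# Option A: one SAN certificate listing every name explicitly (no wildcard,
# so http-01 validation is enough).
EXPLICIT_SAN = ["www.blah.com", "www.meh.com", "test.meh.com", "test2.meh.com"]

# Option B: wildcard for meh.com mixed with plain names across two base
# domains, as one Let's Encrypt certificate allows (wildcard needs dns-01).
MIXED_SAN = ["www.blah.com", "meh.com", "*.meh.com"]

# Option C: a wildcard for one domain only, which leaves the other domain out.
SINGLE_WILDCARD = ["*.meh.com"]

if __name__ == "__main__":
    for label, san in (("explicit", EXPLICIT_SAN), ("mixed", MIXED_SAN), ("single", SINGLE_WILDCARD)):
        print(label, "uncovered:", uncovered_hosts(san, SITES))
```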
-
I looked at certbot, but it's UNIX-only, it seems.
-
Right, I've got a Windows 2008 R2 test environment set up.
I've got 2 domains pointing to it and configured IIS for me.
What I now need to work out first is how to get both sites working for HTTPS without a certificate, then once both can be accessed over https, look at adding a certificate to cover both sites.
Is it still correct at this point to set the binding to "all assigned" rather than the listed IP address?
-
Bump, finally starting to concentrate on getting this working.
I have 2 domains pointing to this server and my attempt is to get both working with HTTPS and Let's Encrypt.
I am guessing I need to go down the SAN route with Let's Encrypt?
-
Is it still correct at this point to set the binding to "all assigned" rather than the listed IP address?
How many IP addresses do you have on that machine? Are they internal (RFC1918) IPv4 addresses (behind a NAT) or public IPs?
-
1 public IP, 1 local IP.
-
Bump, finally starting to concentrate on getting this working.
I have 2 domains pointing to this server and my attempt is to get both working with HTTPS and Let's Encrypt.
I am guessing I need to go down the SAN route with Let's Encrypt?
It depends on how you want it all to work. If you only have 1 public IP at your disposal, your options are a bit limited. If you can put a small Linux reverse proxy in front of your IIS web server that handles SSL offloading, you can use SNI, which means you won't have to bother with a SAN certificate. You can use SAN certificates, and as long as they are not wildcards, you should be able to use http-01 challenges, which means you won't have to muck about with getting dns-01 automated during renewal time.
http://letsencrypt.readthedocs.io/en/latest/challenges.html
If that is not an option, and your Windows 2008 R2 box is the one handling the TLS connection, you have to use a multi-domain (SAN) certificate. As long as none of the DNS names are wildcards, you should be able to use http-01 challenge. I have no idea how well Certify The Web integrates with IIS and handles it all, but I'm guessing it should work as the mechanism is quite simple.
If you tell me more about your setup, I can try and help.
-
1 public IP, 1 local IP.
On the same server on separate NICs?
-
I'll need to check in the morning when I'm back in, but I suspect 1 NIC.
I can give you more detailed info about the setup then.
I'm fully expecting to have to push for an upgrade to IIS 8 though.
-
OK, so here is what this server has:
C:\Users\grays>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : CTECH-GLA-VWEB5
Primary Dns Suffix . . . . . . . : ad.******.co.uk
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : ad.******.co.uk
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
Physical Address. . . . . . . . . : 00-50-56-8A-1C-6A
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.232.16.61(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.232.16.11
DNS Servers . . . . . . . . . . . : 10.232.111.21
10.232.111.51
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{BAC38D81-3251-402A-B9AC-D184E76E6AB1}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Windows Server 2008 R2
For testing, I currently have 2 "sites" set up in IIS (both just HTTP for now).
1 single public IP that hits the firewall, which then routes the traffic from port 80 (and 443) to the server on the internal IP.
(https://image.ibb.co/fGKbjT/Capture.jpg)
(https://image.ibb.co/cjCkdo/Capture2.jpg)
Binding options that are available are:
(https://image.ibb.co/ctEM4T/Capture.jpg)
With regard to the suggestion about nginx, I definitely wouldn't get approval for putting in a Linux box anywhere on the network.
I might be able to get nginx installed on this server alongside IIS, but that would only be as a last resort.