Kitz ADSL Broadband Information
adsl spacer  
Support this site
Home Broadband ISPs Tech Routers Wiki Forum
 
     
   Compare ISP   Rate your ISP
   Glossary   Glossary
 
Please login or register.

Login with username, password and session length
Advanced search  

News:

Pages: [1] 2

Author Topic: IIS with multiple sites - SSL certificates  (Read 7365 times)

chenks

  • Kitizen
  • ****
  • Posts: 1106
IIS with multiple sites - SSL certificates
« on: June 15, 2018, 12:07:57 PM »

i know there are a couple of IIS experts here, so i have this question.

currently the IIS server has two domains pointing to it.
1 domain is a single site - www.blah.com
the other domain has the main site and a few sub-domain sites - www.meh.com, test.meh.com, test2.meh.com etc etc. these are all set up as individual standalone "sites" in IIS.

all works well.

we added a https certificate to www.blah.com, so now we have http://www.blah.com and https://www.blah.com, and IIS set to SSL required and the relevant 403 error page for that site set to redirect to the https version. again all works fine.

we then looked at adding an https certificte for www.meh.com, but come up with a problem that both sites have the same IP address set in the bindings and, apparently, you can't do this if both sites are bound to the same IP - is this correct?

if it is correct how would be get around this and be able to have both domains (along with the sub-domains) SSL certified?
Logged

d2d4j

  • Kitizen
  • ****
  • Posts: 1103
Re: IIS with multiple sites - SSL certificates
« Reply #1 on: June 15, 2018, 12:25:38 PM »

Hi chrysalis

It depends upon your mapping’s

You can install cert as a server cert and tell site to use that cert

What iis version are you using

Many thanks

John
Logged

chenks

  • Kitizen
  • ****
  • Posts: 1106
Re: IIS with multiple sites - SSL certificates
« Reply #2 on: June 15, 2018, 12:33:10 PM »

i'm chenks, not chrysalis  ;D
it's IIS 6 running on Windows Server 2003 (yes i know.. nothing i can do about it).
Logged

d2d4j

  • Kitizen
  • ****
  • Posts: 1103
Re: IIS with multiple sites - SSL certificates
« Reply #3 on: June 15, 2018, 12:56:11 PM »

Hi chenks

Apologies to chrysalis and yourself old eyes sorry

Instead of binding to an ip, set binding to default (sorry cannot remember it’s name), then there is no conflict

Many thanks

John
Logged

chenks

  • Kitizen
  • ****
  • Posts: 1106
Re: IIS with multiple sites - SSL certificates
« Reply #4 on: June 15, 2018, 01:00:16 PM »

you mean here ?



Logged

highpriest

  • Reg Member
  • ***
  • Posts: 285
Re: IIS with multiple sites - SSL certificates
« Reply #5 on: July 10, 2018, 05:43:04 PM »


we then looked at adding an https certificte for www.meh.com, but come up with a problem that both sites have the same IP address set in the bindings and, apparently, you can't do this if both sites are bound to the same IP - is this correct?

Pretty much. SNI support was only added in IIS 8.0.

https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-8/iis-80-server-name-indication-sni-ssl-scalability

So unless you bind both sites to separate IP addresses, this is not possible. Unless...

Quote
if it is correct how would be get around this and be able to have both domains (along with the sub-domains) SSL certified?

Two options. One is to use a wildcard certificate and bind that to both sites. But that won't work for you because your domains are different.

Second option is to use what's called a UCC certificate. It's basically a certificate that supports multiple domains, also called a SAN certificate. You should be able to get one from Let's Encrypt easily.

Edit: Let's Encrypt now supports wildcards as well (multiple, up to 100).

https://community.letsencrypt.org/t/multiple-wildcard/58205
Logged
Zen | Zyxel VMG8324-B10A (with RFC4638 patch) | EdgeRouter PoE | UniFi AP AC Pro + Lite

chenks

  • Kitizen
  • ****
  • Posts: 1106
Re: IIS with multiple sites - SSL certificates
« Reply #6 on: July 10, 2018, 06:20:02 PM »

i could migrate the sites to Windows Server 2008 R2, but i believe that's only IIS 7.5 so SNI still wouldn't be an option.
we may look at doing this anyway just to get away from Server 2003.

so Let's Encrypt with wildcards would be the option.
would that still work with the 2 different domains?

i know let's encrypt support is a bit sketchy with IIS but is possible.
the "certify the web" tool for IIS and let's encrypt looks basic at the moment and doesn't support wildcards (unless it's had a recent update?)
Logged

highpriest

  • Reg Member
  • ***
  • Posts: 285
Re: IIS with multiple sites - SSL certificates
« Reply #7 on: July 11, 2018, 05:34:34 PM »

i could migrate the sites to Windows Server 2008 R2, but i believe that's only IIS 7.5 so SNI still wouldn't be an option.
we may look at doing this anyway just to get away from Server 2003.

Server 2008 R2 goes out of support in Jan 2020 so if you must stay on Windows/IIS, I would look at moving to 2012 R2 or 2016 (preferable).

I wouldn't run anything on 2003 tbh. It has long gone out of support and could have various unpatched vulnerabilities. Plus, you can only support up to TLS 1.0, which is considered 'obsolete' as of June 30th, 2018.

Quote
so Let's Encrypt with wildcards would be the option.
would that still work with the 2 different domains?

Yep, it's supported.

https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578

Code: [Select]
A single certificate can have wildcard DNS names for multiple base domains, and can also mix in non-wildcard names.
Quote
i know let's encrypt support is a bit sketchy with IIS but is possible.
the "certify the web" tool for IIS and let's encrypt looks basic at the moment and doesn't support wildcards (unless it's had a recent update?)

I've only ever used certbot so I don't know, sorry.

It does look like Certify The Web (v4, which is in beta) supports ACME v2.

https://letsencrypt.org/docs/client-options/
https://github.com/webprofusion/certify/issues/270

There are plenty of other ACME v2 implementations for Windows so have a look around.

If you can't migrate quickly from Server 2003, I'd consider sticking a reverse proxy in front of it. Something like Nginx or HAProxy that will handle TLS offloading. If you can implement WAF as well, that would be a bonus.
Logged
Zen | Zyxel VMG8324-B10A (with RFC4638 patch) | EdgeRouter PoE | UniFi AP AC Pro + Lite

chenks

  • Kitizen
  • ****
  • Posts: 1106
Re: IIS with multiple sites - SSL certificates
« Reply #8 on: July 11, 2018, 07:30:31 PM »

i looked at cerbot, but it's UNIX only it seems.
Logged

chenks

  • Kitizen
  • ****
  • Posts: 1106
Re: IIS with multiple sites - SSL certificates
« Reply #9 on: July 14, 2018, 08:56:57 PM »

right i've got a windows 2008 R2 test environment set up.
i've got 2 domains pointing to it and configured IIS for me.

what i now need to work it firstly is how to get both sites working for HTTPS without a certificate, then once both https can be accessed then look at adding a certificate to cover both sites.

is it still correct at this point to set the binding to "all assigned" rather than the listed IP address?
Logged

chenks

  • Kitizen
  • ****
  • Posts: 1106
Re: IIS with multiple sites - SSL certificates
« Reply #10 on: July 24, 2018, 06:59:56 PM »

bump, finally starting to concentrate on getting this working.
i have 2 domains pointing to this server and my attempt is to get both working with HTTPS and Let's Encrypt.

i am guessing i need to go down the SAN route with Lets Encrypt?
Logged

highpriest

  • Reg Member
  • ***
  • Posts: 285
Re: IIS with multiple sites - SSL certificates
« Reply #11 on: July 25, 2018, 09:57:25 PM »

is it still correct at this point to set the binding to "all assigned" rather than the listed IP address?

How many IP addresses do you have on that machine? Are they internal (RFC1918) IPv4 addresses (behind a NAT) or public IPs?
Logged
Zen | Zyxel VMG8324-B10A (with RFC4638 patch) | EdgeRouter PoE | UniFi AP AC Pro + Lite

chenks

  • Kitizen
  • ****
  • Posts: 1106
Re: IIS with multiple sites - SSL certificates
« Reply #12 on: July 25, 2018, 10:00:09 PM »

1 public IP, 1 local IP.
Logged

highpriest

  • Reg Member
  • ***
  • Posts: 285
Re: IIS with multiple sites - SSL certificates
« Reply #13 on: July 25, 2018, 10:43:35 PM »

bump, finally starting to concentrate on getting this working.
i have 2 domains pointing to this server and my attempt is to get both working with HTTPS and Let's Encrypt.

i am guessing i need to go down the SAN route with Lets Encrypt?

It depends on how you want it all to work. If you only have 1 public IP at your disposal, your options are a bit limited. If you can put a small Linux reverse proxy in front of your IIS web server that handles SSL offloading, you can use SNI, which means you won't have to bother with a SAN certificate. You can use SAN certificates, and as long as they are not wildcards, you should be able to use http-01 challenges, which means you won't have to muck about with getting dns-01 automated during renewal time.

http://letsencrypt.readthedocs.io/en/latest/challenges.html

If that is not an option, and your Windows 2008 R2 box is the one handling the TLS connection, you have to use a multi-domain (SAN) certificate. As long as none of the DNS names are wildcards, you should be able to use http-01 challenge. I have no idea how well Certify The Web integrates with IIS and handles it all, but I'm guessing it should work as the mechanism is quite simple.

If you tell me more about your setup, I can try and help.
Logged
Zen | Zyxel VMG8324-B10A (with RFC4638 patch) | EdgeRouter PoE | UniFi AP AC Pro + Lite

highpriest

  • Reg Member
  • ***
  • Posts: 285
Re: IIS with multiple sites - SSL certificates
« Reply #14 on: July 25, 2018, 10:45:46 PM »

1 public IP, 1 local IP.

On the same server on separate NICs?
Logged
Zen | Zyxel VMG8324-B10A (with RFC4638 patch) | EdgeRouter PoE | UniFi AP AC Pro + Lite
Pages: [1] 2
 

anything