SSL Configuration Issue on IIS 6 - iis

Need help with this odd issue.
I installed an SSL Certificated from GoDaddy for a site hosted on our server (lets call this example.com). This is a Windows 2003 Server with IIS 6 with several domains hosted on it. The SSL installed properly.
However, now if I type any url of a different domain (say example.org) hosted on this same server with HTTPS, I get the following error in Chrome:
Your connection is not private
Attackers might be trying to steal your information from
(for example, passwords, messages, or credit cards).
NET::ERR_CERT_COMMON_NAME_INVALID
Firefox will also give similar errors.
example.org has no SSL associated with it and there are no other SSL Certificates for any other sites either.
I am at a loss as to how ALL sites on the server are loading with SSL. Funny thing is that clicking on the link in browser error loads the Site to which SSL is assigned, but URL remains the same.
Ex. I type https://example.org (NO SSL Associated with this site) and type enter
I see the error above
If I click on Proceed to example.org (unsafe), it takes me to https://example.org but the content loads for domain example.com which has the SSL certificate bound to it.
I have checked Metabase for Bindings and seems clean.
I have deleted the SSL certificate and installed a fresh one issued from Godaddy
Tried deleting the site from IIS and recreating the whole thing but still no difference.
No other site has any host headers for SSL Port 443
Any ideas on how this can be resolved so that ALL Sites don't load on SSL? Thanks in advance.

Go to IIS Manager.
Open property page of website where you dont need SSL (example.org as mentioned in question) by right click on website and select properties.
Go to directory security tab
Click Edit button located in ottom section of tab.
Verify if very first checkbox called "Require secure channel(SSL)" is UNCHECKED.

Related

Non https web sites display the content of https sites

We have a cpanel server that hosts some web sites. we have 2 hosts that use SSL. When I open a non SSL website with http:// everything is ok but when I type https:// , it shows the contents of one of the SSL websites instead of displaying not found error!!
Usually the first one which is defined in httpd.conf.
I also signed up in cPanel forum, but I do not know how to post a new question!! I cannot find post a question or new post or something like that.
Any help is appreciated.
Your question is really confusing. It would be better if you can edit and elaborate your question. Still let me guess your question and answer it.
Your cPanel server has hosted more than one websites, out of them only two have SSL certificate. Let me guess those two sites as abc.com and xyz.com. Now if I have understood your question properly, when you try to access 123.com (which is non HTTPS website) with HTTPS it is showing content of abc.com.
If yes, then this case refers to SSL misconfiguration. To solve this issue, SSL certificate should be installed properly on both websites and only those two sites can be accessible with HTTPS. It is advisable to use SSL Certificate checker for both sites to know whether SSL is installed properly or not.

Is it true that ASP.NET MVC Browser link does not work for https (SSL) url?

I am trying the Browserlink feature of ASP.NET MVC 5 and everything works great for non SSL pages. But if I navigate to a SSL page (with https url), I see 0 connections in the Browser link dashboard. So, is it true that Browser link works only for non SSL urls ? Or am I am missing any settings which will allow me to get Browser Link connection for both SSL and Non SSL urls ?
(I am testing from IIS)
According to this link, Microsoft is working on it.
I have been able to get around the issue by following these steps (using Chrome):
When the debugger opens the browser, open the F12 tools.
Go to the Console tab.
There should be an error message that looks something like this: GET https://localhost:[port]/[guid]/browserLink net::ERR_INSECURE_RESPONSE
Open the link in a new tab.
Click Proceed anyway.
Close the Browser Link tab.
Reload the tab with your app.
Browser Link should then start working.
I've also worked around it by getting the script link, reducing it to the root, and browsing there. Once there, accept the cert warning then view the cert and install it into the trusted roots. From then on, the cert will be trusted and the script will load automatically.
It appears that this limitation has been removed in Visual Studio 2015. I do not see any mention of this in the release notes, but Browser Link is fully operational in my dev environment under SSL.
I was unable to get Browser Link, Web Essentials, to work with SSL, even with the mentioned remedies. I was able to find a way, however, to get it work for me.
I am running my app through IIS (not express) and my app was nested under the default website. When debugging the site I saw that Chrome was dumping a connection error with a URL using port 44399. Adding a binding for this port, for https, then allowed the connection to be successful. I also used a local development cert for the SSL Certificate.
DISCLAIMER: Visual Studio tries to be your buddy and not use ports that you've bound to in IIS so once you close and re-open Visual Studio it will likely not use the 44399 port anymore. It looks like it decrements until it finds the next available port. So assuming you're not using 44398 this will be your number. Once you unbind 44399, then close and re-open Visual Studio it will likely rebind to 44399 again.
Hopefully this helps some of you out.
I had a similar issue involving custom domains and subdomains on IIS Express over HTTPS.
(Using SSL certificate I self-signed with support for localhost and my custom domain, installed with self-signed root authority in the trusted certificate store)
I had got IISEx to use the certificate and serve it on port 443 (as admin user), but browserlink was failing with CONNECTION_RESET.
This persisted even after switching back to using localhost as the website url for IIS etc.
Turns out I had forgotten to replace the certificate associated with the other ports IIS Express uses (specifically port 44399), which were still associated with the default development certificate used by IIS Express
http://www.iis.net/learn/extensions/using-iis-express/handling-url-binding-failures-in-iis-express
http://benjii.me/2014/11/run-iis-express-on-port-443-using-ssl-and-wildcard-subdomains/
[Simple Guide but missing the delete existing certificate bindings guidance]
For Windows 10 IIS Express users.
In visual studio click "View in Browser" in Browser Link
Dashboard .
An IIS Express icon will appear in system tray.
Right Click the IIS Express icon.Your application should be listed in both HTTP and HTTPS.
Hope it helps.

Trying to use a UUC multiple site certificate with IIS 7.5

I've been trying unsuccessfully to use a UCC multiple site certificate to provide SSL to my subdomains (for example, I have the certificate set for www.example.com and I would like to bind it to sub1.example.com and sub2.example.com). These sites are all on the same ip.
The problem I'm having is that when I try to bind the certificate to the subdomains, strange behavior begins to happen. When attempting to use https with the subdomains, they redirect to the root site in some strange way (the URL reads https://sub1.example.com but displays the page https://www.example.com).
I've tried multiple solutions both through the IIS manager and the command line (appcmd in inetsrv), but nothing seems to be working. Any insight into the problem?
The IIS GUI manager is not able to configure these types of certificates properly, but command line should:
appcmd set site /site.name:{SITE NAME AS PER IIS GUI} /+bindings.[protocol='https',bindingInformation='{IP ADDRESS TO BIND TO}:443:{HOSTHEADER OF WEBSITE}']
http://sslnews.blogspot.com/2010/11/requiring-multi-domains-to-wildcard-ssl.html

Force http for subdomain without SSL

I recently moved servers and redeveloped the website at the same time. Previously all pages were served via https and I wanted to change this so only cart pages were via https. Also I wanted to clean up the url a bit. Old urls were:
https://secure.mydomain.com/onlinestore/index.php
and I removed the secure prefix and the subfolder so it is now:
http://www.mydomain.com/index.php
Problem is I wanted people who clicked on old links or bookmarks to be redirected to the new page. I got this working with htaccess. However the new SSL only covers the root domain and not the secure subdomain. So if someone clicks an old link it brings up "This Connection is Untrusted" before it can redirect. Works fine if i change https to http.
So what I want to know is if there is anyway I can force http instead of https before it checks the SSL cert.
Hope that makes sense!
The short answer is no. With conventional SSL, your web server doesn't even get to see the URL before certificate negotiation happens. It just sees a connection on port 443 and starts doing SSL negotiation. The browser then sees the mismatched cert and throws an exception.
However, more modern browsers and web servers (see Wikipedia for the list) support a TLS extension called Server Name Identification (SNI), which allows the client to send the hostname it's requesting before the server has to respond with a certificate. At that point you'll need to have certificates for both secure.mydomain.com and www.mydomain.com on that server, and it'll need to be configured to respond with the proper certificate.

Need help with setting up SSL

Newbie IIS question:
I want to setup HTTPS access for my XHTML page (not asp.net) hosted on my IIS 6.0 server. So far I have done the following:
In IIS Manager, for the particular folder, the following are set:
Require secure channel (SSL)
Require 128 bit encryption
Ignore client certificates
However when I try to access the page from IE 8.0 there is the following error:
"Internet explorer cannot display the page".
The options for using SSL and TSL are ON in the IE settings. Same error with Firefox also.
Apart from the above is there any else I should setup on the IIS server?
Have you generated a self-signed server certificate?
Here are the official instructions for setting up SSL in IIS. You can find directions here for creating a self signed certificate if that is the route you want to take.

Resources