IIS 7.5 - can 2 sites run on same port with different FQDN certificate - iis

We used to have a setup on IIS 7.5.
- 1 IIS has 2 websites both run on 443.
- It has different host names in the binding - site1.domainname.com, site2.domainname.com
- Both sites were bound to a wild card SSL cert - *.domainname.com,
and this worked fine for years.
Because of an audit, we had to move to a FQDN certificate.
Now when I bind the FQDN certificate on a site, it does not allow me to add a host name.
http://screencast.com/t/sowdaziJV
It says you can't start the second site as another website is already running on the same port.
This made sense until another internal team got it working. My guess is they used scripting to allow this on IIS instead of IIS GUI.
They have 2 websites running on the same port with different SSL certificate with no Hostnames.
I found out an odd thing about their setup and I was able to set it up like that too.
Have the sites with wild card certs and hostnames.
Change site one with the FQDN cert.
DON'T Change site 2 with FQDN cert.
It automatically takes the new certificate and keep the host name
They both stay up. If you look at site 2, it looks like it has a hostname binding. but if you edit that hostname is gone. See this figure.
http://screencast.com/t/z5y4n7KhGNE
Questions:
Is IIS running 2 websites on the same port with different FQDN certificate an expected behaviour?
I am worried if they took advantage of a bug. I want to be sure if this is allowed before I do this in production.

They probably turned on SNI. SNI allows the server to discern between a host name and route it to the correct site and then send back the SSL cert associated with the site. The problem is, not all browsers support SNI handshakes. SNI only started with server 2012, so the other team might be running that. Previously, IIS couldn't do this, so each site had to have its own IP / SSL cert. Now, you can run all on 443 for one site, and IIS can figure out which site to respond with by looking at the request.

Related

Hosting two SSL sites (different host name) on same server with different certificates and without ports (i.e. 443)

We have a SharePoint site https://example.com hosted on port 443.
There is another site https://anotherexample.com that should be hosted on same server and without port (i.e. 443).
Both the certificates are issued to different host names (i.e. not wildcard certificate).
How can I achieve above scenario?
Any help is much appreciated!
Edit: I'm working on IIS 8.
Best way to achieve this on IIS 8 is to use Server Name Indication. It allows the server to host multiple certificates for multiple sites under a single IP address.
For more detailed instructions, please refer here.

IIS 7 using an SSL cert for default sites that do not have https bound or certs assigned

I have a IIS7 server with several sites on it lets call them 'Site A','Site B','Site C','Site D' and 'Site E'. Site A to C are basic sites and share a common IP (this is the default server IP), Sites D and E host more complex sites and each have a unique IPs and SSL certs assigned (these IP's are from a different block).
When for some reason a user trys to connect to sites A to C with https:// they get an SSL error and are shown 'Site D's' certificate name.
I cannot see how this is being assigned, and I would have thought the separate IPs would not have allowed this to occur. The cert assigned is alphabetically superior and was also created first. So that might be the reason why?
I can't understand why a cert that is not specifically assign to an IP is being used - especially for site that aren't eve using port 443 and after searching around have not been able to find this discussed.
It is very likely that your server's initially setup does not match your description right now, which leads to inconsistent certificate mapping resides in http.sys settings.
You can run netsh http show sslcert to print out all existing mappings and revise them accordingly.
For example, sites bind to certain IPs should have their certificates map to those IP addresses only, instead of 0.0.0.0 which interferes with other sites.

Wrong SSL certificate is returned for an Azure website

We have two websites in Azure under different subscriptions which use the same UCC SSL certificate. Everything had been good for a long time until a week or two ago we noticed that one of the sites does not really have our certificate (although it was configured in Azure successfully). When browsing to it using "https" we can see that "https" becomes red, and if we click on it it says: "Server's certificate does not match the URL". The detailed information about the certificate says that it was issued to "*.azurewebsites.net", not to our domain. So seems like the default Azure certificate is used instead of ours.
At the same time our second website works perfect with "https", and the certificate shown is correct. I re-installed the certificate to both sites and re-created SSL bindings using SNI SSL, but it still works only for one of them.
Any ideas on what can cause this?
In the Azure website configuration switch from SNI SSL to IP Based SSL.
Once you do that you should have a Virtual IP Address that can be found in the Dashboard tab of the Website on the Azure portal.
In your web hosting provider make sure the www and # records point to the Virtual IP Address instead of pointing to your xxx.azurewebsites.net URL.

How to host multiple SSL sites on a single Host in IIS 7

I am having some trouble with hosing.
Currently on our server have have 6 or so IIS sites hosted. They are all http currently: and work on port 80 with the host names set.
Now I want to go an change them to use SSL. But this then removes the ability to use the Host headers.
I have tried using self generated ssl cert from within IIS Manager before I go out and buy real ones. But the issue I am having is that it seems that the SSL cert is linked to an IP address. I can add the ssl cert to one site. But after that When I try assign site 2. it says that there are no Ip addresses.
So My question which Im hoping someone can explain how it works when multiple sites are hosted with iis on the same machine.
Do I have to get a wildcard SSL Certificate?
Do I need to have a unique IP address for each site being hosted?
If not, could somebosy please help and try explain to me what I need to do in order to achieve this.

IIS 6: Set up 2 SSL web apps on the same server on port 443

I was asked to create a sharepoint web application with ssl on a server with sharepoint 2010 installed. The problem is that this port seems to be in use for hosting our subversion repository. So when i try to browse my sharepoint site, it just shows a page with my repository. I've read about installing certificates and configuring multiple sites on one port with host headers but i never succeeded to complete this job. I would really appreciate some help here.
Thanks!
Assuming you're talking about individual SSL certificates (as opposed to a single wildcard certificate), I believe each website HAS to have its own IP address. AFAIK it is not possible to run multiple websites with multiple SSL certificates under the same IP address.
Depending on who is hosting the server, you would need a new IP address to be allocated to the server, and then within IIS you use the new IP address against the hostheader of your new website. You should find that the certificate works correctly, if not then try removing the certificate from the website and re-allocating it.
You would only be able to use a wildcard certificate if the primary domains of the websites were the same (e.g. website1.mydomain.com and website2.mydomain.com).
Thomas,
I've run into a similar situation before where the requirements dictated that we use 1 ip address, but the domains will be different (eg. website1.com, somesite.org, website2.us).
You can achieve this by using a Unified Communications certificate with Subject Alternative names. Currently, Digicert offers a UC certificate that can achieve this, but some other CA's will not.
Essentially you will have 1 certificate bound to :443 on the same ip address. The big drawback to this is that if the cert goes down, all the sites SSL will not work.
You have to manually (via powershell) bind each domain to port 443 however, but the instructions are fairly simple.
Server Name Indication would be another way, but it's not even an option in IIS 6

Resources