SSL certificates apparently confusing different websites
My VPS contains a dozen or so websites, with several SSL certificate including the following.
- *.railtrax.com
- *.insiderarticles.com
Currently, all the *.railtrax.com websites are working fine. But the *.insiderarticles.com website (I only have one) is giving me an error in the browser (note the last paragraph).
Your connection isn't private
Attackers might be trying to steal your information from insiderarticles.com (for example, passwords, messages, or credit cards).
NET::ERR_CERT_COMMON_NAME_INVALID
This server couldn't prove that it's insiderarticles.com; its security certificate is from *.railtrax.com. This may be caused by a misconfiguration or an attacker intercepting your connection.
As you can see, the certificate for insiderarticles.com says it was issued to *.railtrax.com.
Insiderarticles.com Certificate
But I have the correct certificate selected.
Insiderarticles.com Edit Bindings Dialog
If I use Jexus to run binding diagnostics, I get the following errors:
BINDING: http 74.208.136.116:80:insiderarticles.com
Found a conflicting TCP reserved port range. Please run "netsh int ipv4 show excludedportrange protocol=tcp" at command prompt to troubleshoot.
BINDING: http 74.208.136.116:80:www.insiderarticles.com
Found a conflicting TCP reserved port range. Please run "netsh int ipv4 show excludedportrange protocol=tcp" at command prompt to troubleshoot.
BINDING: https 74.208.136.116:443:insiderarticles.com
Found a conflicting TCP reserved port range. Please run "netsh int ipv4 show excludedportrange protocol=tcp" at command prompt to troubleshoot.
BINDING: https 74.208.136.116:443:www.insiderarticles.com
Found a conflicting TCP reserved port range. Please run "netsh int ipv4 show excludedportrange protocol=tcp" at command prompt to troubleshoot.
And if I run the suggested command, I get the following.
But this isn't helpful to me.
Everything else about the certificates appears valid. I installed the certificate for *.insiderarticles.com and it was working fine. After I installed the certificate for *.railtrax.com, that's most likely when insiderarticles.com stopped working.
Could this have anything to do with the Require Server Name Indication checkbox? This checkbox was checked for insiderarticles.com and unchecked for all the *.railtrax.com websites. I tried checking this option for all the *.railtrax.com websites, but it didn't appear to make any difference.
Can anyone recommend next steps to troubleshoot this?
Originally, you could only use a single certificate for an IP:port pair is IIS. This was because host header is not visible during SSL handshake when IIS picks the certificate to be used.
As a solution to this limitation SNI was introduced. It is available in IIS 8 and later and supported by modern browsers (list is here) . You should enable SNI for all web sites, but you might want to have it turned off for a web site which would be used by legacy browsers that do not support SNI. Those legacy browsers would still get SSL certificate name mismatch error.
So your options are one of the following:
- if legacy browser support is not important, enable SNI for all web sites, except for the one you pick as default for legacy browsers
- add one more public IP address to your server. Bind each certificate to different IP:port pair
- purchase a single certificate which can cover both wildcard domains. It is called Multi-Domain Wildcard SSL Certificate or SAN Certificate
I'm now thinking that the Require Server Name Indication is the issue.
I indicated I tried checking this option for all my railtrax.com websites and that this made no difference. Looking again today, it appears I missed one. After checking that one, it now seems to be working.
It's possible that something else is at play here. But so far it appears this is the answer. I'm a little surprised more people here didn't seem familiar with this.