IIS6: Web Site presenting the wrong SSL certificate

ssl-certificate windows-server-2003 iis-6

Consider an IIS6 installation with multiple Web Sites. Each is intended to be a different subdomain with its own cert (not a wildcard cert). Each has their host-header specified properly.

  • foo.example.com - port 443. Require SSL w/128 bit. Working properly! It presents its SSL cert properly to the browser. Configured for a specific IP address.

  • bar.example.com - port 443. Require SSL w/128 bit. Configured for all unassigned addresses. When inspecting the IIS property page, it fully shows the cert for bar.example.com on the View Certificate button. This is a NEW web site that is having cert problems. It's presenting the cert for foo.example.com. Ouch!

alt text http://www.imagechicken.com/uploads/1251156847014486300.png

Question: can you have more than one subdomains both running on separate websites with SSL certs on the same port (443)? How would you configure 2 web sites on the same range of 'all unassigned' for the same port (443) ?

Update: ignoring the cert error, when browsing to https://bar, the content served is from https://foo site.

When NOT using SSL, browsing to http://bar serves the correct content from bar.

Just one address is assigned to this DMZ server.


SSL certificates are bound to the internal IP address of the web server, not the external IP addresses.

Let's say you have foo.example.com bound to Public IP A and bar.example.com on Public IP B, but your web server only has the IP address 192.168.0.1

Whether the request comes in on IP A or IP B, it is still going to end up at 192.168.0.1. Which means that IIS has no choice but to use the certificate that is assigned to foo.example.com.

To work around this issue, you will need to have multiple IP addresses assigned to your web server. This is easy to do. Speak to your sysadmin to have some IP's removed from the DHCP range (or ask him/her which ones you can use), then go to your properties for the network card (Control Panel > Network Connections), and go to the properties for TCP/IP.

You will need to have a static IP enabled in the first place (being a server I hope this is done anyway), and then click Advanced, and under the box for "IP addresses" click "Add" - and enter the new IP addresses you've been assigned by your sysadmin (Let's say 192.168.0.2).

Then, at your router, you need to ensure that requests from IP A on port 443 go to 192.168.0.1 and that all other requests on port 443 go to 192.168.0.2.

Then, in your IIS configuration, you need to bind the SSL Cert from foo.example.com to 192.168.0.1, and bind the rest to 192.168.0.2 (or leave as All Unassigned, as you have).

If this doesn't work, or you already have this configured, update your question and leave a comment to let us know.

Update: I just saw your comments, thanks for the update. You will need to ensure foo.example.com and bar.example.com are on two different public IP addresses. The reason being that because the packets are encrypted, there's no way you can use hostname based routing to send the request to the right IP address (I believe this is the case. If anyone knows different, let me know). The only part of the request that's visible to the routers is the destination IP. This is why you can only have one SSL per IP address. So you will need to have public IP's for this to work, and in your DNS an A record for bar.example.com that is different to foo.example.com.


In support of Farseeker, from Thawte:

Although the certificate is not tied to the IP address a unique IP address must be assigned to the domain as SSL is IP based and does not resolve to name based virtual hosts

If your server has only 1 IP address, the "All unassigned" can do nothing but point to that same, single IP address.


It sounds like "bar" is going to the same IP address as "foo" is using. Since "foo" is specifically configured to answer on that IP address, it grabs the request. The "host headers" don't apply for SSL requests (that's why IIS has a separate panel for standard requests with the ip/host/port mapping and another for ssl ip/port mapping, but no hostname).

Check your DNS records and ensure that "bar" is using a different IP from "foo" and your problem should be corrected.

When I configure SSL sites I give each domain that needs SSL its own IP address, and use a "common" IP for everything else. The DNS records, of course, need to use the correct address so that the correct site entry in IIS will handle the traffic.

Related

Alternatives to Citrix NetScaler?
NAT as a firewall
fast VNC server on Linux
Please help me add to this script to get server hardware info
Performance Benefits of Adding a Second Network
Don't use htpasswd if coming from local host
Is there a way for elegant source code listings in OpenOffice.org Writer?
Is there a way to export Word styles as CSS?
VIM - leaves .swp files after crash
git fetch: how to ignore new branches
Can I set the umask on a specific directory?
Is there a speed difference between transferring files over FTP and Samba?