0

I have these sites: app.example.com api.example.com staff.example.com www.example.com / example.com

I used LetsEncrypt to generate free SSLs for each of the sites. Things seem to be fine except it seems that only one SSL cert is being served for all of the sites! I even removed and manually readded the SSL bindings to each of the sites and still had the same problem. I ended up removing all of the SSL certs except my API one and removed all of the SSL bindings except for the API Web Site, and bizarrely, I can still load the other sites as HTTPS even though I removed the SSL bindings for those Web Sites (the remaining SSL cert is of course showing for all of the sites still)! Wth? I thought you need the 443/SSL Bindings in order to even browse that site via https! I can confirm that these are all individual Web Sites, not Virtual Apps inside of a single Web Site. What am I missing? How can I get IIS to serv up the right cert for the right Web Site? This is a Azure VM running Win Server 2012 R2.

Serj Sagan
  • 315
  • 5
  • 13

2 Answers2

2

This can be done with Server Name Indication

From the IIS management interface, you can select each web site, and Edit Bindings....

In the pop-up window, select the https site and the Edit... button. Fill in the Host name: field with the specific website host name, check the Require Server Name Indication and select the specific ceritificate to use for that site in the SSL certificate dropdown.

This will allow you to host multiple secure sites on the same server. It is an improvement introduced in IIS v.8

simonpa71
  • 230
  • 1
  • 14
  • I'm sure this has been answered elsewhere, but I can't find it. Maybe a moderator can chip in and provide a link – simonpa71 Sep 22 '16 at 10:07
  • I had the exact same setup done on a web server not 15 minutes ago, works as advertised. this saved me a ton of work (adding extra IPs/NICs to my server for extra SSL binding) – Noor Khaldi Sep 22 '16 at 11:57
  • All of my sites have that turned on and it is still having this problem. – Serj Sagan Sep 22 '16 at 15:25
  • could these questions help? * [wrong certificate served](https://stackoverflow.com/questions/12866117/the-incorrect-localhost-certificate-is-being-served-by-iis) and [who is serving the certificate](http://serverfault.com/questions/611531/how-do-i-determine-where-an-ssl-certificate-is-being-served-from) – simonpa71 Sep 23 '16 at 09:27
0

You need to get a certificate that has all those names as subject names or a wildcard certificate. So, single certificate will be used for all of them. After that, you can configure each website with that certificate and SNI.

Mer
  • 991
  • 4
  • 9