Help please my cert showed up as <servername>.domain on IIS

So I just tested this out today. I have three different addresses I was trying to get a cert installed for.
www.MyCompany.com
shop.MyCompany.com
bigAPI.MyCompany.com

At first I tried setting “Selected Site” as MyCompany.com and “Add domains to certificate” as the three listed above. In IIS my main site www [dot] mycompany [dot] com was just mycompany [dot] com and bound to port 80.
On Domains and Subdomains to include I just checked to include mycompany [dot] com

When I requested the cert everything went kind of OK. I tried the task to save Deploy to Generic Server and no matter what directory I picked on the server it failed with “access denied”. I even gave full control over the directory to everyone.

But the worst part is the cert that was installed was Web01 [dot] mycompany [dot] com where Web01 is the machine name.

Then I tried changing IIS so the main site was www [dot] mycompany [dot] com and installing just for that site alone. I got the same results: the cert is computerName [dot] domain [dot] name.

This doesn’t work very well as all browsers say the certificate is not valid and not trusted.

Can someone tell me what I am doing wrong that all my certs show up as computerName [dot] domain name instead of www [dot] domain [dot] name?

Thanks in advance. Sorry for all the [dot] but the forum is saying because I am new I can only put 5 urls in my post. Pretty humorous when you are trying to describe URL problems.

Hi, it’s not clear why you tried to use Generic Server export if you’re just using IIS - this is already done automatically for you. Unless of course you are using something else like Apache? The export needs an actual file path, not just a folder name and has to run as an authorised user because it does not run as your user account.

Please email support at certifytheweb.com with details of your actual real domains/sites if they have to be confidential. Hiding your domain here just means nobody can really help.

The app is used by thousands of people per day so I can assure you the process does work well, however I can see you may be trying to do many things at once, which is making the process unusually complex.

No it doesn’t have to be confidential.

www.zimbaroos.in
oasisapi.zimbaroos.in

I was doing the generic export because in the near future we will move to node js / apache.

But on the second run I did, I only selected the very basic options and didn’t even try the export. Figured I could work that out later. It was for www.zimbaroos.in but the cert came back as web01.zimbaroos.in. Web01 is the computer name.

Thanks! I really appreciate the quick response and the help.

Hi,

So I’ve had a quick look at your sites and I can see that your IIS webserver is serving the web01.zimbaroos.in certificate. The normal reason for this is that you have an existing https binding set up that’s using a fixed IP or is not using SNI (Server Name Indication).

SNI is a technique to match the hostname/domain requested to the matching ssl certificate, then use the correct certificate for further https communications with that hostname. If you don’t have SNI enabled for an existing https certificate binding in IIS then the most specific binding (the web01.zimbaroos.in) gets priority in Windows; this results in people browsing to your site and getting served the wrong certificate. Windows/IIS has supported SNI since Server 2012, so old ssl instructions sometimes don’t mention it and some people still try to set up https connections against an IP address, which you must not do unless you absolutely understand the implications (on Windows, each IP + port can only map to one ssl certificate, unless you use SNI).

I’d guess that you have some sort of website control panel software and that automatically created the default website and that set up an https binding for it with this (self-signed, invalid) web01 certificate. To proceed you must find and delete the invalid https binding.

If you look at your other IIS sites in IIS Manager, check the Bindings… option on each site:

  • Check there is an http binding for each domain you want to associate with each site.
  • Review (edit) the existing https bindings to ensure they are associated with the correct certificate (which should be the ones Certify created for you).

You can see which bindings Certify will update when you click the Preview tab in the app, at the bottom of the preview page there is a summary of the https bindings the app will add/update.

With the Deployment mode in the deployment tab set to Auto, Certify will look for http or https which match the domains on your certificate and create/update corresponding https bindings.

You can definitely also use the Generic Server export (or the Certificate Export tasks) to extract the certificate in various formats for other types of server software, but that’s a separate issue to the primary problem of IIS serving the wrong cert.
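The binding review described in the reply above can also be scripted. The following is an added example, not part of the original reply and not Certify's own code: it lists every IIS https binding, whether SNI is enabled on it, and which certificate it points at. It assumes the WebAdministration module is available and that it is run in an elevated PowerShell session on the IIS server.

```powershell
# Added example (not from the thread): audit IIS https bindings for SNI and
# show the certificate each one serves. Run elevated on the IIS server.
Import-Module WebAdministration

$report = foreach ($site in Get-Website) {
    $httpsBindings = $site.Bindings.Collection | Where-Object { $_.protocol -eq 'https' }
    foreach ($b in $httpsBindings) {
        # bindingInformation has the form "IP:port:hostname" (IPv6 addresses are bracketed)
        if ($b.bindingInformation -notmatch '^(?<ip>.*):(?<port>\d+):(?<name>[^:]*)$') { continue }
        $ip = $Matches['ip']; $port = $Matches['port']; $hostName = $Matches['name']

        # sslFlags bit 1 = "Require Server Name Indication"
        $usesSni = ($b.sslFlags -band 1) -eq 1

        # Resolve the bound certificate from the local machine store.
        # Centralized-certificate-store bindings carry no hash and show as not found.
        $cert = $null
        if ($b.certificateHash) {
            $certPath = "Cert:\LocalMachine\$($b.certificateStoreName)\$($b.certificateHash)"
            $cert = Get-Item -Path $certPath -ErrorAction SilentlyContinue
        }

        [pscustomobject]@{
            Site       = $site.Name
            IP         = $ip
            Port       = $port
            HostName   = $hostName
            SNI        = $usesSni
            Subject    = if ($cert) { $cert.Subject } else { '(none / not found)' }
            SelfSigned = if ($cert) { $cert.Subject -eq $cert.Issuer } else { $null }
            NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
        }
    }
}

# Full picture first, then only the bindings that claim a whole IP:port without SNI
$report | Sort-Object Port, SNI | Format-Table -AutoSize
$report | Where-Object { -not $_.SNI } |
    Format-Table Site, IP, Port, HostName, Subject -AutoSize
```

A row in the second table whose Subject is the machine name (here, the web01 certificate) is the binding to review. `netsh http show sslcert` shows the same thing at the HTTP.sys level, where non-SNI entries appear as `IP:port` and SNI entries as `Hostname:port`.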

Thank you very much. That got me completely sorted out. Seems the sys admin that set up the server put in one test site that was not set up as SNI and that was mucking up the whole works. As soon as I removed that the cert generated correctly and everything started working spot on.

Can’t thank you enough, saved me hours of hunting and trying things.
