IIS7.5 How to make a binding for 2 domains, 2 IPs and 2 certificates

I am clutching at straws… hope you can help me with this old server (which is not easily updated, I am afraid, but it isn’t used for any critical production stuff).

I want to bind domain1.com to IP 123.456.7.1 and domain2.com to 123.456.7.2, each with its own certificate. As long as I configure it for http, there’s no issue. My bindings look like this:

          type   hostname       port    ip
site1 ->  http   domain1.com    80      123.456.7.1
site2 ->  http   domain2.com    80      123.456.7.2

But I want to bind a certificate to each site. I use the Certify-the-web installer to do this for me. I ticked the bind to specific IP option in Deployment. This results in:

          type   hostname       port    ip
site1 ->  http   domain1.com    80      123.456.7.1
          https  domain1.com    443     123.456.7.1

site2 ->  http   domain2.com    80      123.456.7.2
          https  domain2.com    443     123.456.7.2

Which works fine for domain1, but gives a wrong certificate warning for domain2 (according to Chrome and Firefox it uses the cert of domain1). It has the right certificate selected in both https bindings when I inspect them. I did restart each site in IIS.

What am I doing wrong?

Hi,

On Windows you can only bind one certificate to one IP/port combination. On modern versions of Windows/IIS the SNI (Server Name Indication) feature can be used to select the correct certificate based on the hostname (domain) in the request. This has been available since Server 2012.

You may have seen that IIS Manager often prompts you to add a ‘default SSL binding’ in IIS, but you generally should not do this.

You can see which SSL binding the app will update in the Preview tab of each managed certificate. Ensure it will update the correct bindings.

You can review your actual bindings using the netsh command line tool.

For instance, with netsh http show sslcert ipport=123.456.7.2:443, the certificate thumbprint shown should be different for the two IP addresses.

In general, we strongly recommend only using SNI bindings (the default created by Certify The Web) unless you have an advanced understanding of IP-specific bindings. You should migrate your application to a modern version of Windows at the earliest possible opportunity.

Thanks.
I am aware of the limitations of IIS7.5, but one IP-one domain is exactly what I am trying to do. That should be no problem. Multiple domains on one IP is a no-no, I know.
It turns out that the real culprit is GoDaddy, who didn’t update my IP settings, so both domains were targeting the same IP address. Took me a while to figure that one out. I didn’t update this post because I wanted to check if the setup would work with the proper IP settings.
So I changed them two days ago, and now the domain doesn’t resolve any more.
Le Sigh, I’ll get there in the end!

Great, glad you got it figured out.

Just so I’m being clear, multiple domains can share an IP if you use SNI - the limitation is with your old version of Windows, which is also no longer supported by Microsoft…
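As an added example (not from the original thread or from Certify The Web), here is a PowerShell check that covers both points raised above: the netsh thumbprint comparison suggested in the answer, and the DNS mismatch that turned out to be the actual cause. The domain names and IPs are the constructed values from the question; it assumes the script runs on the IIS host and that netsh prints its English "Certificate Hash" label.

```powershell
# Added example, not the thread's own code. Verifies that each domain resolves to the IP it
# was bound to, and that the HTTP.sys SSL binding on each IP:443 carries a distinct certificate.
# Domain/IP pairs are the constructed values used in the question.
$expected = @{
    'domain1.com' = '123.456.7.1'
    'domain2.com' = '123.456.7.2'
}

$thumbprints = @{}
foreach ($domain in $expected.Keys) {
    $ip = $expected[$domain]

    # 1. DNS: does the name really resolve to the IP we bound? (the root cause in this thread)
    #    [System.Net.Dns] is used instead of Resolve-DnsName so this also works on Server 2008 R2.
    $resolved = [System.Net.Dns]::GetHostAddresses($domain) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString }
    if ($resolved -notcontains $ip) {
        Write-Warning "$domain resolves to [$($resolved -join ', ')], expected $ip"
    }

    # 2. HTTP.sys: which certificate is bound to this IP:443? Same data as
    #    'netsh http show sslcert ipport=<ip>:443'; assumes English netsh output.
    $arg = "ipport=${ip}:443"
    $out = netsh http show sslcert $arg
    $hashLine = $out | Where-Object { $_ -match 'Certificate Hash' } | Select-Object -First 1
    if (-not $hashLine -or -not ($hashLine -match ':\s*([0-9A-Fa-f]+)\s*$')) {
        Write-Warning "no SSL binding found for ${ip}:443"
        continue
    }
    $thumbprints[$domain] = $Matches[1].ToUpper()
    Write-Host "$domain -> ${ip}:443 uses certificate $($thumbprints[$domain])"
}

# 3. Two IP-specific bindings must not share a thumbprint; if they do, one site is
#    serving the other site's certificate, which is exactly the browser warning described.
$dupes = $thumbprints.Values | Group-Object | Where-Object { $_.Count -gt 1 }
if ($dupes) {
    $names = $dupes | ForEach-Object { $_.Name }
    Write-Warning "same certificate bound to more than one IP: $($names -join ', ')"
}
```

Run it from an elevated PowerShell prompt on the IIS server; a DNS warning for a domain means the fix belongs at the registrar, not in IIS.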