Server OS: Windows 2012 R2
Certify 4.1.8.0
Disclaimer: I was on a previous version of Certify before this popped up, but am not sure which version.
When I renew a certificate, it forces SNI to be enabled on both the wildcard binding as well as the declared hostname binding by editing the applicationhost.config file to set the sslFlags to 1 instead of leaving it at 0.
```xml
<bindings>
  <binding protocol="http" bindingInformation="*:80:*" />
  <binding protocol="https" bindingInformation="*:443:*" sslFlags="1" />
  <binding protocol="https" bindingInformation="*:443:nms.REDACTED.co.uk" sslFlags="1" />
</bindings>
```
I have to have the named binding due to URL rewrite rules, but SNI is not required (I don't care if it is on either), but turning it on for the wildcard breaks IIS.
In troubleshooting this, I have hit the weekly limit for LE, so further troubleshooting will take a bit of time, I wish there was a setting to enable using the LE staging environment when doing testing.
The settings for the certificate are as follows:
Certificate Domains:
Select Website: No IIS website selected
Certificate Deployment:
Deployment Mode: Auto
Under preview, it shows the following:
Deploying to all matching sites:
Action | Site | Binding |
---|---|---|
Update https binding | WUG | :443: SNI |
Update https binding | WUG | * :443:nms.REDACTED.co.uk SNI |
I hope this makes sense, and I'm just not doing something stupid…
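A quick way to audit a server for the situation described in this post, as an added example that is not part of the original post or of Certify: it parses applicationHost.config as XML (no IIS module needed) and lists every https binding that has the SNI flag (sslFlags bit 1) set while its host header is empty or `*`. The sample config, the site name and the hostname in it are constructed for the demo.

```powershell
# Audit IIS https bindings for SNI (sslFlags bit 1) on a wildcard/empty-host binding.
# Added example, not from the original post or from Certify. Parses applicationHost.config
# as XML so it needs no IIS module. Site name and hostname below are constructed.

function Get-SniOnWildcardBinding {
    param([Parameter(Mandatory)][xml]$Config)
    foreach ($site in $Config.configuration.'system.applicationHost'.sites.site) {
        foreach ($b in $site.bindings.binding) {
            if ($b.protocol -ne 'https') { continue }
            # sslFlags: 0 = none, 1 = SNI, 2 = central cert store, 3 = both. Absent attribute = 0.
            $flags = if ($b.sslFlags) { [int]$b.sslFlags } else { 0 }
            # bindingInformation is ip:port:hostheader; wildcard binding has '' or '*' as host
            $hostHeader = ($b.bindingInformation -split ':')[2]
            $isWildcard = [string]::IsNullOrEmpty($hostHeader) -or $hostHeader -eq '*'
            if (($flags -band 1) -and $isWildcard) {
                [pscustomobject]@{
                    Site     = $site.name
                    Binding  = $b.bindingInformation
                    sslFlags = $flags
                    # Suggested fix (WebAdministration module): clear SNI on the wildcard binding only
                    Fix      = "Set-WebBinding -Name '$($site.name)' -BindingInformation '$($b.bindingInformation)' -PropertyName sslFlags -Value 0"
                }
            }
        }
    }
}

# Constructed sample mirroring the bindings block quoted in the post.
$sample = [xml]@'
<configuration><system.applicationHost><sites>
  <site name="WUG" id="1">
    <bindings>
      <binding protocol="http" bindingInformation="*:80:*" />
      <binding protocol="https" bindingInformation="*:443:*" sslFlags="1" />
      <binding protocol="https" bindingInformation="*:443:nms.example.test" sslFlags="1" />
    </bindings>
  </site>
</sites></system.applicationHost></configuration>
'@

# Only the wildcard https binding is flagged; the named binding with SNI is fine.
Get-SniOnWildcardBinding -Config $sample | Format-List

# Against a real server (the path is the standard IIS location):
# $live = [xml](Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config" -Raw)
# Get-SniOnWildcardBinding -Config $live
```

Run it after each Certify renewal (or as a scheduled check) to catch the flag being re-set on the wildcard binding before the site goes down.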