Server OS: Windows 2012 R2
Disclaimer: I was on a previous version of Certify before this popped up, but am not sure which version.
When I renew a certificate, it forces SNI to be enabled on both the wildcard binding and the declared hostname binding by editing the applicationhost.config file to set the sslFlags to 1 instead of leaving it at 0.
<bindings>
    <binding protocol="http" bindingInformation="*:80:*" />
    <binding protocol="https" bindingInformation="*:443:*" sslFlags="1" />
    <binding protocol="https" bindingInformation="*:443:nms.REDACTED.co.uk" sslFlags="1" />
</bindings>
I have to have the named binding because of URL rewrite rules. SNI is not required (I don’t care whether it is on for either binding), but turning it on for the wildcard breaks IIS.
In troubleshooting this, I have hit the weekly limit for LE, so further troubleshooting will take a bit of time. I wish there was a setting to enable using the LE staging environment when doing testing.
The settings for the certificate are as follows:
Select Website: No IIS website selected
Deployment Mode: Auto
Under preview, it shows the following:
Deploying to all matching sites:
| Action               | Site | Binding                        |
|----------------------|------|--------------------------------|
| Update https binding | WUG  | :443: SNI                      |
| Update https binding | WUG  | *:443:nms.REDACTED.co.uk SNI   |
I hope this makes sense, and I’m just not doing something stupid…
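As an added illustration (not part of the post above, and not Certify's or IIS's own code), the script below parses the <bindings> section of an applicationHost.config and flags exactly the condition the post describes: an https binding with no specific hostname (the wildcard) that nevertheless has the SNI bit (sslFlags value 1) set. The sample configuration is constructed to mirror the post, with the redacted hostname replaced by a placeholder; the site name "WUG" is taken from the post's preview output. Run it against a real file by passing the file's contents to parse_bindings.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <bindings> element quoted in the post.
# The hostname is a placeholder; nothing here comes from a real server.
SAMPLE_CONFIG = """<configuration>
  <system.applicationHost>
    <sites>
      <site name="WUG" id="1">
        <bindings>
          <binding protocol="http" bindingInformation="*:80:*" />
          <binding protocol="https" bindingInformation="*:443:*" sslFlags="1" />
          <binding protocol="https" bindingInformation="*:443:nms.example.invalid" sslFlags="1" />
        </bindings>
      </site>
    </sites>
  </system.applicationHost>
</configuration>
"""

# IIS sslFlags bit values: 1 = require SNI, 2 = use the centralized certificate store.
SSL_FLAG_SNI = 1
SSL_FLAG_CENTRAL_STORE = 2


def parse_bindings(config_xml):
    """Return one dict per <binding> found under any <site> in the config text.

    bindingInformation has the form IP:port:hostname; an empty or '*' hostname
    means the binding answers for every host (the wildcard binding).
    """
    root = ET.fromstring(config_xml)
    bindings = []
    for site in root.iter("site"):
        for b in site.iter("binding"):
            info = b.get("bindingInformation", "")
            parts = info.split(":", 2)
            ip, port, host = (parts + ["", "", ""])[:3]
            bindings.append({
                "site": site.get("name", ""),
                "protocol": b.get("protocol", ""),
                "bindingInformation": info,
                "ip": ip,
                "port": port,
                "host": host,
                "sslFlags": int(b.get("sslFlags", "0")),
            })
    return bindings


def is_wildcard_host(host):
    """IIS writes the catch-all host as an empty string; the post's config uses '*'."""
    return host in ("", "*")


def find_sni_on_wildcard(bindings):
    """Return https bindings that have no hostname but still carry the SNI flag.

    SNI only makes sense when a hostname is present; on the wildcard binding it
    is the combination the post reports as breaking IIS.
    """
    return [
        b for b in bindings
        if b["protocol"] == "https"
        and is_wildcard_host(b["host"])
        and b["sslFlags"] & SSL_FLAG_SNI
    ]


def describe(bindings):
    """Human-readable summary, one line per binding, for a quick audit."""
    lines = []
    for b in bindings:
        flags = []
        if b["sslFlags"] & SSL_FLAG_SNI:
            flags.append("SNI")
        if b["sslFlags"] & SSL_FLAG_CENTRAL_STORE:
            flags.append("CCS")
        lines.append(f'{b["site"]}: {b["protocol"]} {b["bindingInformation"]} '
                     f'[{", ".join(flags) or "no flags"}]')
    return lines


if __name__ == "__main__":
    parsed = parse_bindings(SAMPLE_CONFIG)
    print("\n".join(describe(parsed)))
    for bad in find_sni_on_wildcard(parsed):
        print(f'WARNING: wildcard https binding {bad["bindingInformation"]} '
              f'on site {bad["site"]} has SNI set (sslFlags={bad["sslFlags"]})')
```

For a live check, read C:\Windows\System32\inetsrv\config\applicationHost.config (the standard IIS location) and pass its text to parse_bindings; the warning line identifies the binding to reset to sslFlags="0".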