SNI bindings not working (Server 2016)


#1

I am testing the Certify The Web software (latest version) on one of our Server 2016 instances. I have gone in and selected the site and opened advanced options. I selected the IP for the binding, entered the port number, and made sure the SNI box was checked. The pop up box warning was agreed with and the SSL is successfully generated and bound EXCEPT the SNI box in the binding is not checked. This keeps us from using this software since all of our SSL site use SNI (we will not be changing that).

SNI

What are we missing or is this a bug?


#2

Hi, the selection of ‘SNI’ combined with a specific IP address is not normally a valid combination.

On windows you can either bind a certificate on port 443 to ‘All Unassigned IPs’ with SNI (in which case the host header used in https requests will be used to match which site/certificate to use).

If you specify a particular IP address this overrides everything else and takes priority over any other binding that might occur through the same IP address (your other SNI bindings).

Assuming you have host headers set in your IIS http bindings you should choose the ‘Auto create/update’ binding setting (which is All Unassigned + SNI)

I wrote an article on this topic recently as it’s a common misconfiguration: https://medium.com/@webprofusion/troubleshoot-windows-ssl-https-1fa5bcb8ab90

Windows Server version pre 2012 didn’t have the SNI option so it’s quite common that people still try to configure certificates with specific IPs (which then takes out all their other sites).


#3

You do however have the option of setting up the binding manually by requesting your certificate Deployment to be Certificate Store only, then once you have a certificate configure your https binding however you like and point it to the new certificate.

Subsequent certificate renewals will match on hostname (or whatever criteria you have checked in Deployment) and keep your binding settings.


#4

Ok. Well it may not be the “recommended” configuration but it is how we need to have ours set up.

Here is the important question then:

If we set it up manually as you suggested and go in and check the SNI box in the binding, will the SNI box stay checked on the binding during the automated renewal of the SSL?

Doing it manually for the initial setup isn’t a big deal but if your software removes the check during renewal then it would not be usable for us.

Thanks


#5

@bcassetty as indicated in the UI, the binding config is only used when creating an https binding, not when updating, so existing bindings are updated with the certificate and keep whatever settings they have. The Preview tab is your friend here and will tell you exactly which bindings will be updated when the next request/renewal happens (see bottom of the page for bindings summary).