JeanMARTIN-4163 asked BruceZhang-MSFT commented

IIS 10 - Https site with wildcard certificate doesn't serve the good certificate (SNI)

I have only two IIS sites:

And two certificates:

For some strange reason, the site with the wildcard looks properly configured in both the console and netsh http show sslcert, but when I access the site in any browser, it fails with the error NET::ERR_CERT_COMMON_NAME_INVALID. When I check the certificate, it indicates subdomain.domain1.com. The other site (subdomain.domain1.com) works perfectly and was created first.

Result of netsh http show sslcert:

SSL Certificate bindings:
----------------------------

    IP:Port                      : subdomain.domain1.com:443
    Certificate Hash             : e36cffe0f7a817ca39dca65955a194d83671dd67
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : My
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled
    Reject Connections           : Disabled
    Disable HTTP2                : Not Set
    Disable QUIC                 : Not Set
    Disable TLS1.2               : Not Set
    Disable TLS1.3               : Not Set
    Disable OCSP Stapling        : Not Set
    Disable Legacy TLS Versions  : Not Set

    IP:Port                      : subdomain.domain2.com:443
    Certificate Hash             : 7c681697ebed1bd653bb08bcbec5cb719795eb64
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : My
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled
    Reject Connections           : Disabled
    Disable HTTP2                : Not Set
    Disable QUIC                 : Not Set
    Disable TLS1.2               : Not Set
    Disable TLS1.3               : Not Set
    Disable OCSP Stapling        : Not Set
    Disable Legacy TLS Versions  : Not Set


I have no clue why this happened; the SNI checkbox is checked.
I tried, without success, to:

  • delete the binding and recreate it via PowerShell

  • iisreset

  • reboot the server

Update: the bindings from applicationHost.config:

<sites>
    <site name="StrategicWebApiProdSO" id="2" serverAutoStart="true">
        <application path="/" applicationPool="StrategicWebApiProdSO">
            <virtualDirectory path="/" physicalPath="C:\inetpub\StrategicWebApiProdSO" />
        </application>
        <application path="/api" applicationPool="StrategicWebApiProdSO">
            <virtualDirectory path="/" physicalPath="C:\inetpub\StrategicWebApiProdSO\api" />
        </application>
        <bindings>
            <clear />
            <binding protocol="https" bindingInformation="*:443:subdomain.domain1.com" sslFlags="1" />
        </bindings>
        <applicationDefaults enabledProtocols="https" />
    </site>
    <site name="StrategicWebApiProdSI" id="3" serverAutoStart="true">
        <application path="/" applicationPool="StrategicWebApiProdSI">
            <virtualDirectory path="/" physicalPath="C:\inetpub\StrategicWebApiProdSI" />
        </application>
        <application path="/api" applicationPool="StrategicWebApiProdSI">
            <virtualDirectory path="/" physicalPath="C:\inetpub\StrategicWebApiProdSI\api" />
        </application>
        <bindings>
            <clear />
            <binding protocol="https" bindingInformation="*:443:subdomain.domain2.com" sslFlags="1" />
        </bindings>
        <applicationDefaults enabledProtocols="https" />
    </site>
    <siteDefaults>
        <logFile logFormat="W3C" directory="%SystemDrive%\inetpub\logs\LogFiles" />
        <traceFailedRequestsLogging directory="%SystemDrive%\inetpub\logs\FailedReqLogFiles" />
    </siteDefaults>
    <applicationDefaults applicationPool="DefaultAppPool" />
    <virtualDirectoryDefaults allowSubDirConfig="true" />
</sites>


Any clue? Thx

windows-server-iis
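One way to see which certificate http.sys really presents for each SNI binding, as an added PowerShell example that is not part of the original question: it reads the HTTPS bindings with the WebAdministration module, opens a TLS connection to the server with each binding's host name as SNI, and compares the served thumbprint and DNS names with what the binding is configured to use. It assumes it runs on the IIS host itself ($Target is an assumption you can change).

```powershell
# Added diagnostic, not from the original post. For each IIS HTTPS binding that
# has a host name and SNI enabled (sslFlags bit 1), open a TLS connection to
# this server with that host name as SNI and compare what http.sys actually
# serves with the certificate the binding is configured to use.
Import-Module WebAdministration

$Target = '127.0.0.1'   # assumption: run on the IIS host; SNI bindings answer on any local IP

function Get-ServedCertificate {
    param([string]$HostName, [string]$Server, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # Trust anything here: the goal is only to see which certificate is presented.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)          # $HostName goes out as the SNI extension
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Subject Alternative Name entries (what browsers check), falling back to the CN.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { return [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value } }
    return $Cert.GetNameInfo('DnsName', $false)
}

function Test-NameMatch {
    param([string]$Pattern, [string]$HostName)
    # A wildcard only covers one left-most label: *.domain2.com matches
    # subdomain.domain2.com, but not domain2.com or a.b.domain2.com.
    if ($Pattern.StartsWith('*.')) {
        $suffix = $Pattern.Substring(1)
        if (-not $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
        $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
        return ($label.Length -gt 0 -and $label -notmatch '\.')
    }
    return $Pattern -ieq $HostName
}

Get-WebBinding -Protocol https | Where-Object { $_.sslFlags -band 1 } | ForEach-Object {
    $hostName = $_.bindingInformation.Split(':')[2]   # e.g. "*:443:subdomain.domain2.com"
    $served   = Get-ServedCertificate -HostName $hostName -Server $Target
    $names    = Get-CertDnsNames $served
    [pscustomobject]@{
        HostName     = $hostName
        ExpectedHash = $_.certificateHash
        ServedHash   = $served.Thumbprint
        HashMatches  = ($_.certificateHash -ieq $served.Thumbprint)
        NameCovered  = [bool]($names | Where-Object { Test-NameMatch $_ $hostName })
        CertNames    = ($names -join ', ')
    }
}
```

A row with HashMatches false shows http.sys serving a different certificate than the binding claims; a row with HashMatches true but NameCovered false means the right certificate is served but its SAN list does not cover the host name, which is the NET::ERR_CERT_COMMON_NAME_INVALID case.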

Hi @JeanMARTIN-4163 ,

Can you show the bindings of the two sites in the applicationHost.config file? Like this:
[screenshot attached]

The other site (subdomain.domain1.com) works perfectly and was created first.

What do you mean by "was created first"? Did you access domain1 first and then domain2? If so, try to access domain2 directly in a private window of the browser.


Hi,

I have completed the question.

I mean it was created first, several months ago; the second domain, with the wildcard, is the one I am trying to add.

Thanks for your help,
Jean


Hi @JeanMARTIN-4163 ,

Done!

Can I understand that the issue has been solved?


0 Answers