1,745 questions
IIS 10 - Https site with wildcard certificate doesn't serve the good certificate (SNI)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 86%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
Jean MARTIN
1
Reputation point
I have only two IIS Site :
- subdomain.domain1.com
- subdomain.domain2.com
And two certificates :
- subdomain.domain1.com one standard
- *.domain2.com one wildcard
For some strange reason, the site with the wildcard looks properly configured in both the console and netsh http show sslcert, but when I access the site on any browser, it fails with the error NET::ERR_CERT_COMMON_NAME_INVALID. When I check the certificate, it's indicate subdomain.domain1.com. The other site (subdomain.domain1.com) works perfectly and was created first.
result of netsh http show sslcert :
SSL Certificate bindings:
----------------------------
IP:Port : subdomain.domain1.com:443
Certificate Hash : e36cffe0f7a817ca39dca65955a194d83671dd67
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : My
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
Reject Connections : Disabled
Disable HTTP2 : Not Set
Disable QUIC : Not Set
Disable TLS1.2 : Not Set
Disable TLS1.3 : Not Set
Disable OCSP Stapling : Not Set
Disable Legacy TLS Versions : Not Set
IP:Port : subdomain.domain2.com:443
Certificate Hash : 7c681697ebed1bd653bb08bcbec5cb719795eb64
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : : My
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
Reject Connections : Disabled
Disable HTTP2 : Not Set
Disable QUIC : Not Set
Disable TLS1.2 : Not Set
Disable TLS1.3 : Not Set
Disable OCSP Stapling : Not Set
Disable Legacy TLS Versions : Not Set
I have no clue why this happened, the SNI checkbox is checked.
I tried, without success to :
- deleting, the binding and recreate it via PowerShell.
-
iisreset - rebooting the server
Update : the bindings from applicationHost.config :
<sites>
<site name="StrategicWebApiProdSO" id="2" serverAutoStart="true">
<application path="/" applicationPool="StrategicWebApiProdSO">
<virtualDirectory path="/" physicalPath="C:\inetpub\StrategicWebApiProdSO" />
</application>
<application path="/api" applicationPool="StrategicWebApiProdSO">
<virtualDirectory path="/" physicalPath="C:\inetpub\StrategicWebApiProdSO\api" />
</application>
<bindings>
<clear />
<binding protocol="https" bindingInformation="*:443:subdomain.domain1.com" sslFlags="1" />
</bindings>
<applicationDefaults enabledProtocols="https" />
</site>
<site name="StrategicWebApiProdSI" id="3" serverAutoStart="true">
<application path="/" applicationPool="StrategicWebApiProdSI">
<virtualDirectory path="/" physicalPath="C:\inetpub\StrategicWebApiProdSI" />
</application>
<application path="/api" applicationPool="StrategicWebApiProdSI">
<virtualDirectory path="/" physicalPath="C:\inetpub\StrategicWebApiProdSI\api" />
</application>
<bindings>
<clear />
<binding protocol="https" bindingInformation="*:443:subdomain.domain2.com" sslFlags="1" />
</bindings>
<applicationDefaults enabledProtocols="https" />
</site>
<siteDefaults>
<logFile logFormat="W3C" directory="%SystemDrive%\inetpub\logs\LogFiles" />
<traceFailedRequestsLogging directory="%SystemDrive%\inetpub\logs\FailedReqLogFiles" />
</siteDefaults>
<applicationDefaults applicationPool="DefaultAppPool" />
<virtualDirectoryDefaults allowSubDirConfig="true" />
</sites>
Any clue ? Thx
Windows development Internet Information Services
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 82%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBZ%3C/text%3E%3C/svg%3E)
Bruce Zhang-MSFT 3,771 Reputation points2021-10-19T02:05:04.093+00:00 Hi @Jean MARTIN ,
Can you show the binding of the two sites in applicationhost.config file? Like this:
The other site (subdomain.domain1.com) works perfectly and was created first.
What do you mean of was created first? Did you access domain1 first and then to domain2? If so, try to access domain2 directly in the privacy window of the browser.
-
Jean MARTIN 1 Reputation point
2021-10-19T06:06:22.37+00:00 Hi,
I have completed the question.
I mean it was created first, several month ago, the second domain with the wildcard is the one I am trying to add.
Thanks for your help,
Jean -
Bruce Zhang-MSFT 3,771 Reputation points
2021-10-20T01:16:52.98+00:00 -
Jean MARTIN 1 Reputation point
2021-10-20T07:15:46.513+00:00 I mean, I have completed the question.
-
Bruce Zhang-MSFT 3,771 Reputation points
2021-10-21T02:49:56.127+00:00 Hi @Jean MARTIN ,
Sorry that I didn't see the update.
I checked the applicationhost.config file and there is no problem. I think there are some points need you to confirm.
- Check the url rewrite rule. Maybe some rewrite rules redirect the request to subdomain1.
- Sommetimes even all configurations are correct, you may still see this error. You need to clear SSL state. Browsers might cache SSL certificates to speed up loading times.
- Check your browser and system to see if it use any proxy setting or VPN map the domain to wrong IP or port.
Sign in to comment
Sign in to answer