Score:0

IIS 10 - Https with wildcard doesn't serve the good certificate (SNI)


I have only two IIS sites:

  • subdomain.domain1.com
  • subdomain.domain2.com

And two certificates:

  • subdomain.domain1.com, a standard certificate
  • *.domain2.com, a wildcard certificate

For some strange reason, the site with the wildcard looks properly configured in both the console and netsh http show sslcert, but when I access the site in any browser, it fails with the error NET::ERR_CERT_COMMON_NAME_INVALID. When I check the certificate, it indicates subdomain.domain1.com. The other site (subdomain.domain1.com) works perfectly and was created first.

Result of netsh http show sslcert:

SSL Certificate bindings:
----------------------------

    IP:Port                      : subdomain.domain1.com:443
    Certificate Hash             : e36cffe0f7a817ca39dca65955a194d83671dd67
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : My
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled
    Reject Connections           : Disabled
    Disable HTTP2                : Not Set
    Disable QUIC                 : Not Set
    Disable TLS1.2               : Not Set
    Disable TLS1.3               : Not Set
    Disable OCSP Stapling        : Not Set
    Disable Legacy TLS Versions  : Not Set

    IP:Port                      : subdomain.domain2.com:443
    Certificate Hash             : 7c681697ebed1bd653bb08bcbec5cb719795eb64
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : My
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled
    Reject Connections           : Disabled
    Disable HTTP2                : Not Set
    Disable QUIC                 : Not Set
    Disable TLS1.2               : Not Set
    Disable TLS1.3               : Not Set
    Disable OCSP Stapling        : Not Set
    Disable Legacy TLS Versions  : Not Set

I have no clue why this happened; the SNI checkbox is checked. I tried, without success:

  • deleting the binding and recreating it via PowerShell
  • iisreset
  • rebooting the server

Any clue? Thanks

Lex Li
Your HTTP API certificate mappings seem to be correct. I would use a tool like Wireshark to capture the TLS handshake packets to see exactly what the host name was. It sounds to me like the browser might be confused and sending the wrong host name.
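As an added check alongside the Wireshark suggestion (example PowerShell written for this page, not code from the question or the comment), the script below compares the certificate HTTP.sys has bound to each SNI name with the certificate a client actually receives when it sends that name in the ClientHello, which pinpoints whether the wrong binding is being selected or the served certificate simply does not cover the name. It assumes it runs on the IIS host as an administrator, that IIS listens on 127.0.0.1:443, and uses the question's two hostnames as sample input.

```powershell
# Added diagnostic, not from the question or the comment. Assumes: run as administrator on the IIS
# host; IIS listens on 127.0.0.1:443; hostnames below are the question's, used as sample input.
$names  = @('subdomain.domain1.com', 'subdomain.domain2.com')
$server = '127.0.0.1'   # assumption: test the local listener; change if IIS binds elsewhere

function Test-DnsNameMatch {
    param([string]$Pattern, [string]$HostName)
    if ($Pattern.StartsWith('*.')) {
        # A wildcard covers exactly one label: *.domain2.com matches subdomain.domain2.com,
        # but not domain2.com itself and not a.b.domain2.com.
        $suffix = $Pattern.Substring(1)
        $cut    = [Math]::Max(0, $HostName.Length - $suffix.Length)
        $prefix = $HostName.Substring(0, $cut)
        return ($HostName.EndsWith($suffix, 'OrdinalIgnoreCase') -and $prefix -ne '' -and -not $prefix.Contains('.'))
    }
    return $Pattern -ieq $HostName
}

function Get-ServedCertificate {
    param([string]$Server, [string]$SniName)
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, 443)
    # Accept any certificate: the goal is to observe what is served, not to validate it.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($SniName)   # $SniName is sent in the ClientHello SNI extension
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $tcp.Dispose() }
}

foreach ($name in $names) {
    # 1. What HTTP.sys has mapped to this SNI name (same data as the netsh output in the question)
    $hashLine = netsh http show sslcert hostnameport="$name`:443" | Select-String 'Certificate Hash'
    if (-not $hashLine) { Write-Warning "No hostname binding for $name`:443"; continue }
    $hash  = ("$hashLine" -split ':\s*')[-1].Trim()
    $bound = Get-Item "Cert:\LocalMachine\My\$hash"
    # 2. What a TLS client actually receives when it sends this name as SNI
    $served = Get-ServedCertificate -Server $server -SniName $name
    $sanOk  = @($served.DnsNameList.Unicode | Where-Object { Test-DnsNameMatch $_ $name }).Count -gt 0
    [pscustomobject]@{
        SniName       = $name
        BoundThumb    = $bound.Thumbprint
        ServedThumb   = $served.Thumbprint
        BindingServed = ($bound.Thumbprint -eq $served.Thumbprint)  # $false: HTTP.sys chose another binding
        ServedNames   = ($served.DnsNameList.Unicode -join ', ')
        NameMatches   = $sanOk                                       # $false reproduces ERR_CERT_COMMON_NAME_INVALID
    }
}
```

A row with BindingServed false for subdomain.domain2.com shows HTTP.sys is not honouring the SNI binding; BindingServed true with NameMatches false means the bound certificate itself does not cover the name.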