Score:0

IIS 10, 2 domains with SSLs on same IP - SNI checked for both but 1 of them still doesn't work


Using fictional domains here instead of the actual ones I have this situation:

domain1.com has binding set up in IIS and is linked to SSL and has "Require Server Name Indication" checked.

domain2.com has binding in IIS and is linked to its own SSL and has "Require Server Name Indication" checked.

Going to https://domain1.com in a browser works fine.

Going to https://domain2.com in a browser gives an error: NET::ERR_CERT_COMMON_NAME_INVALID "This server couldn't prove that it's domain2.com; its security certificate is from domain1.com."

I can't understand it because SNI is definitely checked for both and they are the only 2 https bindings for that IP. I have tried restarting the site in IIS and recycling the AppPool but that makes no difference.

Score:0

You need to use netsh or a tool like Jexus Manager to review the exact mappings stored in the Windows HTTP API:

https://docs.jexusmanager.com/tutorials/https-binding.html#sni-based-bindings

IIS Manager does not show that detailed view.

Paul
Thanks, I used "netsh http show sslcert" and saw that an SSL certificate was showing up twice, once against an ip address and once against the domain. Deleting the one based on the ip address using "netsh http delete sslcert ipport=1.2.3.4:443" fixed my problem.
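The check described in the answer and the comment above, as an added example that is not part of the original thread: a PowerShell script that parses the text output of `netsh http show sslcert` (the http.sys SSL binding table that IIS Manager does not show in full) and reports any port where an IP:port entry sits next to Hostname:port (SNI) entries, which is the duplicate the comment found. The function names, the sample binding table and the certificate hashes and application ID in it are constructed for this example; on a real server you would feed it the live netsh output instead. It only reports; removing an entry stays a manual decision.

```powershell
# Added example: parse "netsh http show sslcert" output and flag ports where an
# IP-based SSL binding coexists with SNI (hostname) bindings.
# Function names and sample data are constructed for this example.

function ConvertFrom-NetshSslCert {
    param([Parameter(Mandatory)][string[]]$Lines)
    $bindings = @()
    $current  = $null
    foreach ($line in $Lines) {
        # Each binding starts with either "IP:port" or "Hostname:port"
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)\s*$') {
            if ($current) { $bindings += $current }
            $kind  = if ($matches[1] -eq 'IP:port') { 'IP' } else { 'SNI' }
            $value = $matches[2]
            $port  = [int]($value -replace '^.*:(\d+)$', '$1')
            $current = [pscustomobject]@{
                Kind = $kind; Endpoint = $value; Port = $port; Hash = $null; AppId = $null
            }
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*(\S+)') {
            $current.Hash = $matches[1]
        }
        elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\S+)') {
            $current.AppId = $matches[1]
        }
    }
    if ($current) { $bindings += $current }
    return $bindings
}

function Find-MixedSslBinding {
    param([Parameter(Mandatory)][object[]]$Bindings)
    # Group by port; a port that has both an IP entry and SNI entries is the
    # situation the thread describes and is worth reviewing.
    foreach ($group in ($Bindings | Group-Object Port)) {
        $ipEntries  = @($group.Group | Where-Object Kind -eq 'IP')
        $sniEntries = @($group.Group | Where-Object Kind -eq 'SNI')
        if ($ipEntries.Count -gt 0 -and $sniEntries.Count -gt 0) {
            foreach ($ip in $ipEntries) {
                [pscustomobject]@{
                    Port        = $group.Name
                    IpBinding   = $ip.Endpoint
                    IpCertHash  = $ip.Hash
                    SniBindings = ($sniEntries.Endpoint -join ', ')
                    Note        = "IP-based entry alongside SNI entries on this port; review it (the thread removed it with: netsh http delete sslcert ipport=$($ip.Endpoint))"
                }
            }
        }
    }
}

# Constructed sample output in the layout netsh uses (hashes and app ID are placeholders).
$sample = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 1.2.3.4:443
    Certificate Hash             : 1111111111111111111111111111111111111111
    Application ID               : {00000000-0000-0000-0000-000000000000}
    Certificate Store Name       : MY

    Hostname:port                : domain1.com:443
    Certificate Hash             : 1111111111111111111111111111111111111111
    Application ID               : {00000000-0000-0000-0000-000000000000}
    Certificate Store Name       : MY

    Hostname:port                : domain2.com:443
    Certificate Hash             : 2222222222222222222222222222222222222222
    Application ID               : {00000000-0000-0000-0000-000000000000}
    Certificate Store Name       : MY
'@ -split "`r?`n"

$bindings = ConvertFrom-NetshSslCert -Lines $sample
$bindings | Format-Table Kind, Endpoint, Port, Hash
Find-MixedSslBinding -Bindings $bindings | Format-List

# On the real server, replace the sample with the live table:
#   $live = netsh http show sslcert
#   Find-MixedSslBinding -Bindings (ConvertFrom-NetshSslCert -Lines $live)
```

Run against the sample, the first table lists the three bindings and the finding names 1.2.3.4:443 as the IP entry sharing port 443 with domain1.com:443 and domain2.com:443. Compare the IP entry's certificate hash with the SNI entries before deleting anything, and re-run `netsh http show sslcert` afterwards to confirm only the hostname entries remain.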
