Client certificates are something very different. It’s like the other way around: users can authenticate themselves by means of a client certificate. This is most likely not something you’re using, so leave those settings as they are.
Addressing the top part of that pic: The “Require SSL” checkbox.
That means only HTTPS traffic should be accepted.
IMO it should be on - but only after you ensure everything is working via HTTPS.
edit: IIS doesn’t do what is expected - do not recommend using this checkbox
No, that's a terrible option with a wrong description.
That blocks http.
Result: If a user types the domain name (without the protocol), the browser selects http -> http status 403.
So a working http + https and a redirect isn't possible.
And it's not possible to renew the certificate because http doesn't work.
See that local check (local.server-daten.de isn't defined globally, it works only via the hosts file on my local machine):
That's the standard setup - http works regularly, /.well-known/acme-challenge would work:
D:\temp>download http://local.server-daten.de/ -h
SystemDefault
Accept-Ranges: bytes
Content-Length: 18477
Content-Type: text/html
Date: Thu, 10 Sep 2020 16:17:37 GMT
ETag: "b8bd72af177d61:0"
Last-Modified: Fri, 21 Aug 2020 19:27:54 GMT
Server: Microsoft-IIS/10.0
Status: 200 OK
462,74 milliseconds
0,46 seconds
Used the checkbox:
D:\temp>download http://local.server-daten.de/ -h
SystemDefault
Error (1): Der Remoteserver hat einen Fehler zurückgegeben: (403) Unzulässig.
ProtocolError
Content-Length: 5131
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Thu, 10 Sep 2020 16:18:36 GMT
Server: Microsoft-IIS/10.0
Status: 403 Forbidden
40380,63 milliseconds
0,08 seconds
So the IIS blocks the request directly. It's impossible to renew the certificate via http validation. But it's not a "normal 403", it's a 403 because of that checked SSL option.
No, it requires HTTP to switch to HTTPS.
[I believe it will still respond to HTTP requests for that purpose]
See the output: With a 403 - Forbidden. You can't add a redirect.
Well then I retract the statement and the advice to use it.
I stand corrected (IIS is lame!)
LOL
A long time ago I had the same idea. Must be a good option.
But it doesn’t work. Standard http and defined redirects are better, users and search engines are happy.
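The "standard http and defined redirects" setup discussed above, sketched as a web.config fragment. This is an added example, not configuration posted by anyone in the thread. It assumes the IIS URL Rewrite module is installed and that "Require SSL" stays unchecked; the rule name is hypothetical, and exempting the ACME challenge path is a choice made here so that http validation never depends on the HTTPS binding.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Hypothetical rule name. Requires the URL Rewrite module (assumption). -->
        <rule name="HttpToHttpsExceptAcme" stopProcessing="true">
          <!-- Match every path; {R:1} is the path without the leading slash. -->
          <match url="(.*)" />
          <conditions>
            <!-- Only plain-http requests are redirected. -->
            <add input="{HTTPS}" pattern="^OFF$" />
            <!-- Leave /.well-known/acme-challenge/ on http so that
                 http validation keeps getting a 200 instead of a redirect. -->
            <add input="{REQUEST_URI}"
                 pattern="^/\.well-known/acme-challenge/"
                 negate="true" />
          </conditions>
          <!-- Permanent redirect; browsers and search engines follow it,
               unlike the 403 that "Require SSL" returns on http. -->
          <action type="Redirect"
                  url="https://{HTTP_HOST}/{R:1}"
                  redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

With this in place, a plain-http request for the site root should return a 301 to the https URL, while a request under /.well-known/acme-challenge/ is still answered over http.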
I can't retract my like to your erroneous post!
Then you need to learn “how to” click the heart when it is full, not just when it is empty.
Damn, many problems solved, and I was pretty happy with the result, but now the next problem came: I wasn’t able to start my SQL Server anymore. The workaround was to delete the certificate from the registry of the SQL Server like here:
But now what should I do? It’s not working with the certificate which I have created… Any ideas?
You want SQL advice here to supersede/correct advice found on blog.SQLAuthority.com (simply because a cert is involved)?
That sounds counterintuitive to me but you are free to ask.
[seems way off topic to me and I doubt anyone here is more proficient with SQL cert problems]