Configuring IIS8 sites with a single binding certificate each

I have two sites in a Windows Server 2012 R2 running IIS8, let’s say mydomain1.com and mydomain2.com, both sites connect to the same DB. For this configuration to work, I have to use the same Site Binding configuration for port 80 in both sites, except for the hostname value (mydomain1.com and mydomain2.com).

The sites have been running smoothly, but now I have to add SSL. As suggested in another post, I have created two single binding certificates using Let’s Encrypt (win-acme v2), let’s say Certificate1 for mydomain1.com and Certificate2 for mydomain2.com. The problem is that, when I finish setting up Certificate2, Site1 tries to use Certificate2. So, I go to the Edit Site Binding window for Site1 and select Certificate1, and I get this warning…


If I press Yes, Site2 stops working because it tries to use Certificate1, and if I press No, I can’t continue. Am I doing something wrong? Maybe there’s a better way to achieve this?


Hi @rodsarria

Please share a screenshot of your site bindings.

PS: You must be doing something wrong.

It’s possible to have a lot of different domains with different certificates on one IIS (Windows 2012 R2).

The error happens only if you use the identical definition two times. That can’t work.

For security and privacy reasons, I can’t share the full values of the private IP address of the server and the host name, so I will hide it partially in the screenshots.

These are the Site Bindings for both sites:

When I click OK in the last screenshot is when I get the warning message in the previous post.

There you see the problem.

You must use SNI - Server Name Indication if you have more than one certificate on the same IP address.

Without SNI the hostname doesn’t make a difference -> the definitions are overlapping.

Your domain is visible worldwide. Hiding such information has nothing to do with protecting your site. But it makes it harder or impossible to find solutions.

Or simple:

"security through obscurity is an illusion"
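As an added example (not from this thread), this is what the non-overlapping bindings look like when scripted in PowerShell on IIS 8: each HTTPS binding on the same IP:443 carries the SNI flag and its own certificate. It assumes the sites are named Site1 and Site2, that the win-acme certificates are already in the LocalMachine\My store, and that it runs in an elevated prompt.

```powershell
# Added example, not the thread's own configuration. Assumed site names and
# hostnames; certificates are assumed to already be in LocalMachine\My.
Import-Module WebAdministration

$sites = @(
    @{ Name = 'Site1'; Host = 'mydomain1.com' },
    @{ Name = 'Site2'; Host = 'mydomain2.com' }
)

# First, find the overlapping definitions the warning complains about:
# HTTPS bindings on port 443 with sslFlags = 0 (no SNI) all claim 0.0.0.0:443.
$overlapping = Get-WebBinding -Protocol https |
    Where-Object { $_.sslFlags -eq 0 -and $_.bindingInformation -like '*:443:*' }
if ($overlapping) {
    Write-Warning "Bindings without SNI (these overlap on the same IP:port):"
    $overlapping | ForEach-Object { Write-Warning "  $($_.bindingInformation)" }
}

foreach ($s in $sites) {
    # Pick the newest certificate whose subject matches this hostname.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$($s.Host)*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate found for $($s.Host)" }

    # SslFlags 1 = "Require Server Name Indication". With it, IIS keys the
    # binding on hostname:443 instead of on IP:443, so two sites can share
    # the address and port with different certificates.
    New-WebBinding -Name $s.Name -Protocol https -Port 443 -IPAddress '*' `
        -HostHeader $s.Host -SslFlags 1

    # Attach this site's own certificate to its SNI binding.
    $binding = Get-WebBinding -Name $s.Name -Protocol https -HostHeader $s.Host
    $binding.AddSslCertificate($cert.GetCertHashString(), 'My')
}

# Check: every HTTPS binding on 443 should now show sslFlags = 1 and its own host.
Get-WebBinding -Protocol https |
    Select-Object bindingInformation, sslFlags, certificateHash
```

Each line of the final listing should show a distinct `*:443:hostname` entry with sslFlags 1 and a different certificate hash; a row with sslFlags 0 is the overlapping definition that triggers the warning in the GUI.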

Thanks! That did the job.

Going into detail, is this the best way to approach this problem? Or maybe, since both sites are related, creating one certificate for multiple sites is better?

That's possible.

You can create certificates with max. 100 different domain names.

www + non-www of one domain.

Or www + non-www + other subdomains of more than one domain.

But I don't know if the ACME-client you use supports such certificates (it's more a question of installation).

I imagined that, but thanks for the reading. It was more a privacy concern because the sites aren't fully launched yet and my client is very strict about confidentiality.

Great! I’ll test it in my next project. Thank you very much!
