Domain showing wrong certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: jdcouncelling.co.uk

I ran this command: create certificate

It produced this output:

My web server is (include version): IIS 8

The operating system my web server runs on is (include version): Windows server r12

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

The certificate for the above domain shows another domain on the same server. Not sure how this happened, but I need to remove this link and generate its own certificate.

Many thanks
Pete

Hi @pzh20

is this your domain? Or is it a typo?

There is no A- or AAAA-record defined ( https://check-your-website.server-daten.de/?q=jdcouncelling.co.uk ):

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| jdcouncelling.co.uk | | Name Error | yes | 1 | 0 |
| www.jdcouncelling.co.uk | | Name Error | yes | 1 | 0 |

So it's impossible to check your domain and see the certificate.

www.jdcounselling.co.uk, sorry.

There is the wrong certificate installed ( https://check-your-website.server-daten.de/?q=jdcounselling.co.uk ):

CN=www.dwcpcommunity.org.uk | 15.04.2019 | 14.07.2019 | expires in 68 days | www.dwcpcommunity.org.uk - 1 entry

So both connections are insecure.

How did you create that certificate?

Open your IIS Management Console, then check your bindings.

Perhaps share a screenshot.

IIS8 supports SNI, so you can create different websites with different certificates. And one website with different bindings, different domain names and different certificates.

I created the certificates running the C:\LetsEncrypt\letsencrypt.exe command. I think I created the dwcp certificate then the jdcounselling site one after another.

Thanks. That looks ok.

Show one detail of the second domain, https binding. Perhaps you didn’t check the SNI box. That’s required if you have more than one certificate.

SNI is ticked on both domains on the IIS bindings.

Pete

Then you have selected the wrong certificate.

I use one productive website with a lot of different bindings, different certificates and different domain names (own and customer-domains). Plus test-websites.

Juergen,

Shall I remove it from the Server Certificates list and then recreate a certificate?

Regards
Pete

I tried removing the certificate and adding a new one, but it ends up exactly the same. Maybe I have to remove the certificates for both domains and regenerate them.

Pete

Share a screenshot of your binding-details.

There must be something wrong.

Seems ok, but still picking up the wrong certificate.

Regards
Pete52

So it turns out that all sites on my server are picking up the same certificate. Somehow it is like a default.

Regards
Pete

I don't understand it.

Is the certificate correct? Check "View".

You have two websites, I have one website with a lot of different host names, a wildcard (*.server-daten.de) without a host name (that's the standard port 443) and a lot of different domain names (own productive domains, domains of customers).

Wait: Somewhere I've read it is possible to remove the SNI-support in Windows 2012. Perhaps you have disabled SNI-support.

Then all https connections would use the same certificate. But you must search to find that.

PS: Check

https://blogs.msdn.microsoft.com/kaushal/2012/09/04/server-name-indication-sni-with-iis-8-windows-server-2012/

As you can see from the screenshot, SNI is enabled (it’s the default on IIS8)

Here’s the View

Oh: Is this the problem?

Your first domain uses explicit IP addresses.

Your other domain has “All Unassigned”.

I’m using no IP address, never had problems.

Perhaps that blocks. Remove the IP addresses from the binding definitions of your first domain, so every IP address is used.

I have changed them, but it makes no difference. Maybe I need to remove all certificates and re-add them.
I cannot see how one domain picks up another’s certificate via the LetsEncrypt script.

Regards
Pete

I’m really stuck with this and cannot see a way forward. Does anyone know if I can just start afresh with all domains that need certificates?

Regards
Pete

OK, I have it picking up the right certificate now, but it still says Not Secure when I go to the site via Google.

Regards
Pete
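
The check used earlier in this thread (which certificate a server presents for a given SNI name, and whether it covers that name) can be scripted. This is an added example, not part of any post above; the function names are hypothetical and `SAMPLE` is a constructed certificate record modelled on the report quoted in the thread.

```python
import socket
import ssl

def fetch_cert(host, port=443, timeout=5.0):
    """Return the certificate presented when `host` is sent as SNI."""
    # check_hostname is off so a mismatched certificate can be inspected; the
    # chain is still verified, which getpeercert() needs to return parsed fields.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def cert_names(cert):
    """DNS names a certificate is valid for: SAN entries, else the subject CN."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Exact match, or a leftmost '*' label standing in for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check(cert, host):
    """Return (ok, names); ok is True when the certificate covers `host`."""
    names = cert_names(cert)
    return any(name_matches(n, host) for n in names), names

# Constructed sample in the shape getpeercert() returns, modelled on the
# report quoted in the thread (CN=www.dwcpcommunity.org.uk, 1 entry).
SAMPLE = {
    "subject": ((("commonName", "www.dwcpcommunity.org.uk"),),),
    "subjectAltName": (("DNS", "www.dwcpcommunity.org.uk"),),
}

if __name__ == "__main__":
    for site in ("www.jdcounselling.co.uk", "www.dwcpcommunity.org.uk"):
        ok, names = check(SAMPLE, site)
        print(f"{site}: {'OK' if ok else 'WRONG CERTIFICATE'} (covers {names})")
```

Against a live server, pass the result of `fetch_cert(site)` to `check` for each site name bound on the host; the same certificate names coming back for every site is the symptom reported in this thread.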