IIS 8.5 Configuration for Android

Hey guys!

I have tried many times to configure my IIS 8.5 properly. Every time I surf to www.magicalgirlsubs.de or www.jotoma.de, the Android browser tells me that there is no certificate and that I can install one to use in future. When I run an SSL test on magicalgirlsubs.de with SSL Labs, everything is correct so far. But you know every time I surf to he want to download a cert.

And now comes a weird thing: when I run a test on jotoma.de, SSL Labs shows me 2 certs! The first one is jotoma.de and the second is opelflashlights.de! But opelflashlights.de isn’t set in the cert… WTF? I’ve tried many things to solve this but nothing worked. I deleted and re-added the bindings, checked all certificates in the store, cleared the URL cache with certutil, etc.

When I surf to the sites with my computer, everything is okay and works properly.

It would be very nice if someone could help me!

Best greetings,
Johnny

The second cert as shown by SSL Labs for https://www.ssllabs.com/ssltest/analyze.html?d=www.jotoma.de
Certificate #2: RSA 2048 bits (SHA256withRSA) No SNI
is for connections without SNI (no server name in request) - like for direct IP connections.
That is quite harmless and could be ignored.

The only issue of concern (to me) on that site is:


You may want to check out https://www.whynopadlock.com/ for more on how to fix that issue.

I have updated your thread title for something more meaningful so experts in both areas can assist.

I don’t believe your issues are with SSL certificates.

I have browsed to your website in an android browser and the message I get is fairly specific. If I ignore it I can continue and your website is presented with a green lock. This is testing that would have been useful for you to have done and uploaded here (helps everyone).

Note: when doing your research ignore the lock (as this is specific to my phone) and focus on why the website may be trying to access my credentials store and what is kept in the credential store

As for your other issue. Let’s avoid using statements like this. Computers aren’t out to get you and usually a methodical investigation will reveal the issue. If you don’t know how to investigate feel free to ask but I like working with people who avoid hyperbole.

opelflashlights.de isn’t set in the cert… WTF?

Review the functioning of SNI and specifically what the tests below mean. Your issue is a common one in IIS and is a fairly straightforward one to fix.

On a last note: you have set up the first site well (in my opinion) where HTTP redirects to HTTPS but haven’t done it for www.jotoma.de

Andrei

@ahaw021: Wow, how friendly… I wonder every time how people on the internet can read “real” (!) feelings out of texts. To call me hyperbolic because I used WTF once is hyperbolic. And maybe I was a bit pissed off about the situation with my issue, but that’s no reason to be so condescending and unfriendly to me. What would you feel or say if I were like this to you? I think you would not appreciate it. In my whole time as a hobby webmaster and scripter I have noticed that the scripting and coding communities are mostly very harsh and unfriendly. Many people don’t like the “sink or swim” method and it isn’t useful for everyone. If I acted like this towards my friends or other people I wanna (!) help, I’d be very lonely. And ya, maybe your help is for free, but if you don’t wanna help someone then you should say nothing. That’s what I do too, instead of looking for a person I can growl at because of my bad day. When I wanna help people then I’m friendly and patient.

And I don’t know why my site wants to access any credentials stores.

The answer of @rg305 was more helpful for me than yours. (Thanks for this @rg305! :))

Now you can caution or ban me for this (the most common reaction of mods and admins of communities) or you can take it as constructive feedback. :) I wanna learn something, but the “sink or swim” method doesn’t help me. And I’m not looking for a person who solves the issue completely for me, but rather for one who gives me food for thought or some good hints. I know that SNI needs a separate site for non-SNI browsers (IIS always told me that), but I haven’t been in the SSL business for long and I didn’t know why one of my other URLs or sites is in the check sheet of only one specific checked domain. Do you know what I mean?

A) If you do not specify an SNI, then IIS will use whatever the first available binding is. If you review all your bindings you will find that you have an HTTPS binding with the cert in question (opelflashlights.de).

B) The easiest way to fix this is to remove the binding and to require SNI on your actual binding. There is a tickbox underneath SSL bindings that has server name indication. If you tick this box, that should solve your SNI problem.

C) I suspect that your android issue is to do with the fact your website is trying to ask for client certificates.

Check this configuration: https://technet.microsoft.com/en-us/library/cc753983(v=ws.10).aspx. Unless you are using client certificates, I usually select Ignore. This is on a per-site basis, so you may want to compare the two sites first.

Andrei
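
The two settings named in the answer above (the "Require Server Name Indication" tickbox on each HTTPS binding and the per-site client certificate mode) are both stored in IIS's applicationHost.config, so they can be compared across sites in one pass. This is an added example, not part of the original thread; the config fragment, site names and flag values are constructed, and only the domain names come from the posts.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment; site names and flags are assumptions.
SAMPLE = """<configuration>
  <system.applicationHost><sites>
    <site name="magicalgirlsubs" id="1"><bindings>
      <binding protocol="http" bindingInformation="*:80:www.magicalgirlsubs.de" />
      <binding protocol="https" bindingInformation="*:443:www.magicalgirlsubs.de" sslFlags="1" />
    </bindings></site>
    <site name="jotoma" id="2"><bindings>
      <binding protocol="https" bindingInformation="*:443:www.jotoma.de" sslFlags="1" />
    </bindings></site>
    <site name="opelflashlights" id="3"><bindings>
      <binding protocol="https" bindingInformation="*:443:www.opelflashlights.de" sslFlags="0" />
    </bindings></site>
  </sites></system.applicationHost>
  <location path="jotoma"><system.webServer><security>
    <access sslFlags="Ssl, SslNegotiateCert" />
  </security></system.webServer></location>
</configuration>"""

def audit(config_xml):
    """Return (site, finding) pairs for non-SNI HTTPS bindings and client-cert settings."""
    root = ET.fromstring(config_xml)
    findings = []
    for site in root.iter("site"):
        for binding in site.iter("binding"):
            if binding.get("protocol") != "https":
                continue
            # Value 1 in the binding's sslFlags is "Require Server Name Indication".
            if not int(binding.get("sslFlags", "0")) & 1:
                findings.append((site.get("name"), "no-SNI https binding "
                                 + binding.get("bindingInformation")))
    for loc in root.iter("location"):
        for access in loc.iter("access"):
            flags = {f.strip() for f in access.get("sslFlags", "").split(",")}
            # IIS Manager's Accept/Require map to these flags; Ignore sets neither.
            if "SslRequireCert" in flags:
                findings.append((loc.get("path"), "client certificates: Require"))
            elif "SslNegotiateCert" in flags:
                findings.append((loc.get("path"), "client certificates: Accept"))
    return findings

if __name__ == "__main__":
    for site, finding in audit(SAMPLE):
        print(f"{site}: {finding}")
```

On the constructed sample it reports the opelflashlights binding as the one without SNI and the jotoma site as accepting client certificates, the two conditions the answer points to.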


Really, so simple? Oh my… Sometimes we cannot see the wood for the trees. :) I thought of these SSL client cert settings but I didn’t know that Android is so sensitive about that. Okay, this really fixed my issue. Thanks a lot for this! :)

And now I’m a bit wiser. ;)

And I will work on my bedside manner ;)
