Multiple domains on IIS 7.5


#1

Hi guys, i’m after some advice and what route i need to go down.

we have 2 domain names pointed to a Windows 2008 R2 IIS server (server is our own and hosted internally).
i have admin access to the server to make IIS config changes etc.

the server has a single public IP address.
both domains are currently in HTTP mode only (ie no HTTPS), with IP binding set to “all assigned”.

we are wanting to get both on HTTPS via Lets Encrpyt is possible.

domain 1 is a single site with hostname bindings of www.mydomain.com and mydomain.com
domain 2 has multiple sites via sub-domains (site1.yourdomain.com, site2.yourdomain.com, site3.yourdomain.com)

so in total IIS would have around 5-10 “sites” set up across the two domain names.

so i guess the first question is, is it possible to use Lets Encrypt for this?
i believe we would need to go down the SAN or UCC certificate route? is that the correct assumption?

i have also read that it’s possible to use wildcard certificates, but you need to use a DNS service for that to work?

so i’m basically looking to be pointed in the right direction to get the best solution.

on a test server i was able to successfully use “Certify The Web” tool for a single domain setup in IIS.
whether that would also work for the mutiple domain server i am not sure.


#2

Definitely, yes.

You could do it in many ways:
One cert per name, once cert with all names, several certs with several names on each, etc.

You need to first understand your environment and its limitations: SNI requires IIS 8 (or greater).
So your biggest obstacle in serving multiple sites using IIS 7.5 is the lack of SNI support.


#3

ok well we’re kinda stuck on IIS 7.5 for the time being, so i’m guessing that will restrict the options.
i am pushing on moving to server 2012 or 2016 but that won’t be for some time.

my thoughts are that the preferrable option for now would be one cert with all names - simply because it will be easier to maintain (i’m assuming). but i’m willing to be advised by the more knowledgeable.


#4

With IIS 7.5 your best chance for simulating SNI, is to use multiple IPs.
Do you have more than one external IP (Internet)?


#5

That does avoid the need for SNI support and it is supported by Let’s Encrypt. The biggest problem is simply that it’s inconvenient if you have to make very frequent changes to the certificate, because you’ll potentially have to revalidate all of the covered domain names and you can more easily hit the Certificates Per Registered Domain limit in this situation.

A handful of people also don’t like the idea that the certificate directly shows which sites are served by the same infrastructure (although it’s not as though this information would otherwise be strictly secret, or as though many users routinely look at this information).

Let’s Encrypt will allow you to cover up to 100 names on a single SNI certificate.


#6

unfortunately we only have a single external IP address for the server.

in terms of whether it would be One cert per name, once cert with all names, several certs with several names on each, etc. i am open to being advised on the best solution for the situation we are in (providing the renewal of the certs can be automatic rather than a manual user process).


#7

I would think one cert with all names is the only reasonable approach in this case, unless you change your software environment.

I’m not very familiar with the Windows clients and I’m not sure exactly how they handle automatic renewal, although I know that many Windows users have it working properly.


#8

i have very basic knowledge of the “Certify The Web” windows clients, but that was for a single site scenario. it worked well, but i am not sure if that can handle the scenario in this situation.


#9

With only one external IP, you will not be able to use the IIS (7.5) server for SNI.
Regardless of how many certs you decide to get.
The only possible interim alternative would be to use a proxy between the Internet and your IIS server.
As it would be able to do SNI and terminate the inbound SSL connections and even obtain/maintain the certificates for all your sites.
I would recommend NGINX on Ubuntu - but there are many other choices/combinations.
Of course once you have upgraded to Server 2012(or higher) you could remove the inline proxy.


#10

Hi @chenks

you should test it. I had used Win 2008, but only with one domain and one certificate. Win 2012 adds a “SNI-Support-checkbox”. But I think, that Win 2008 has an option to define more then one binding of a website with different hostnames.

So you should test if you can add a certificate per binding. This is not SNI, but perhaps IIS uses the binding-information to find the correct website, binding and certificate.

Your configuration

Website wwww.mydomain.com with one certificate with two names and two bindings.
Website yourdomain.com with one wildcard-certificate *.yourdomain.com (dns-01 as challenge required)


#11

unforuntately that’s not going to be a possible option for us.
we are restricted to the current hardware/software that we have.


#12

i’m not sure how the bindings would work in your explanation.
you can’t set more than 1 site in IIS with SSL port on the same IP address


#13

IIS 7.5 will not support SNI.
The only “work-around” is to bind individual sites to individual IPs (one site per IP).
With IIS 8 and greater you can bind multiple sites to a single IP (SNI).
see: https://en.wikipedia.org/wiki/Internet_Information_Services


#14

I didn’t test it. But there is the host name field. Here

is a picture with a https binding and a special hostname. And a certificate.

Another binding with another hostname and another certificate?

The curious thing in Win 2012 is, that it is possible to create such a list of different bindings and hosts - without checking the “SNI required” - field, which is new in Win 2012.

So this is not SNI. But if the newer browser sends the hostname, the old IIS may select the correct binding (every binding must be unique) and the correct certificate.

PS: With Win 2008, I used only a website without a host name field and one global binding. So I didn’t checked all these options.


#15

looks like i’m going to have to push for migrating to Windows Server 2012 R2 then.
as there doesn’t appear to be a way to do this solely with IIS and a single external IP address.


#16

that’s a single site binding though, and that’s something we know we can already do.
my issue is multiple sites on a single external IP address.


#17

You can also run NGINX (or Apache) on same Windows Server - as a proxy.
And forward all incoming connections to the Proxy (which uses SNI) and have it connect to IIS via multiple internal sites each on a unique internal IP.

  • no extra hardware.
  • extra software is “free”

#18

Sorry should say have explained it’s 100% IIS.
No additional proxies or anything sitting in front of IIS


#19

Yes, that is how you have it today.
What I’m proposing is to insert a proxy between the Internet/firewall and the IIS server.
And run that proxy software on the same server that IIS runs on.

setup:
client > Internet > [firewall] > IIS
becomes:
client > Internet > [firewall] > proxy > IIS


#20

Yes I understand, but that solution is not going to be an option