Multiple domains on IIS 7.5

Check which client you can use.

Then create one certificate with four names; that requires dns-01 verification.

www.mydomain.com, mydomain.com, *.yourdomain.com, yourdomain.com

Perhaps with this certificate that may work.

Should I ask… Why?
Are you not an admin to the Windows Server?
At a bare minimum, as an admin you would need to be able to:

  • Install software (NGINX or Apache)
  • modify IIS bindings (change sites to unique ports)

If you can do more “administration”, it can be made “prettier”…
Like by modifying the HOSTS file and proxying to the exact same FQDN the client is connecting to.
By also using only port 443 - which requires adding one internal IP per site.

When you say dns-01-verification, does that entail using a third party service?

https://certifytheweb.com/home/news
see: Let’s Encrypt v2 API including wildcard domain support
It may support your DNS provider.
If not there are other ACME clients for Windows that may support your DNS provider.

IIS control only.
So no installing or modifying system config or anything else.

It also would not be an approved modification to use anything like nginx.

Yes we've seen that, but it's still a beta and has been since April.

It also mentions having to use third-party DNS validation; our DNS is simply the one provided via our ISP.

Then you will need multiple servers, each with its own public IP, to serve multiple sites.
Until you get upgraded to Server 2012 (or higher).

That depends entirely on who your DNS provider is.
nslookup -q=ns your.domain

I edited my post to clarify that DNS comes via the ISP.
We don’t have a paid dns provider.

Nonetheless, if the ISP uses a DNS system that is covered by any ACME Windows client you can use DNS to validate your certificate requests and issue wildcard certs as well.
That said, you really don’t require DNS validation to get a SAN cert with all the names you need on it (as long as it contains 100 or less FQDNs) nor to complete your logically next step “test” = using a single SAN cert for all site bindings.

I have run this on one of the sub-domains pointing to that server:

C:\Users\grays>nslookup -q-ns test.chenks.co.uk
Server:  ctech-gla-dc01.ad.citytechnical.co.uk
Address:  10.232.111.21

Name:    test.chenks.co.uk
Address:  10.232.16.61

There is a TYPO in your request, try:
nslookup -q=ns chenks.co.uk 8.8.8.8
and/or
nslookup -q=ns test.chenks.co.uk 8.8.8.8

Which both return DNS servers from 123-reg.co.uk

I get a different response when I run it here from inside the network.

C:\Users\grays>nslookup -q=ns test.chenks.co.uk
Server:  ctech-gla-dc01.ad.citytechnical.co.uk
Address:  10.232.111.21

chenks.co.uk
        primary name server = ctech-gla-dc01.ad.citytechnical.co.uk
        responsible mail addr = hostmaster.ad.citytechnical.co.uk
        serial  = 3
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)

but

C:\Users\grays>nslookup -q=ns chenks.co.uk 8.8.8.8
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
chenks.co.uk    nameserver = ns2.123-reg.co.uk
chenks.co.uk    nameserver = ns.123-reg.co.uk

123-reg are the domain registrar; they don’t do anything other than being the agent where we purchased the domain name.

That's because you are hitting an internal DNS server.
Try using a global DNS server - like 8.8.8.8
nslookup -q=ns test.chenks.co.uk 8.8.8.8

They are ALSO providing DNS for your domain:
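To make the internal-versus-public distinction concrete, here is an added example (not code from the thread) that parses the two nslookup answers quoted above, constructed here as sample strings, and reports which name servers the public internet sees. The practical point for dns-01: ACME validation servers resolve from the outside, so the challenge TXT record has to be created wherever the public NS set points, not in the internal AD zone.

```python
import re

# Constructed sample: the answer the internal resolver gave (-q=ns against the AD DC).
# No NS record exists at the queried name, so nslookup prints the zone's SOA from the
# authority section; its "primary name server" reveals who hosts the zone internally.
INTERNAL_NS = """Server:  ctech-gla-dc01.ad.citytechnical.co.uk
Address:  10.232.111.21

chenks.co.uk
        primary name server = ctech-gla-dc01.ad.citytechnical.co.uk
        responsible mail addr = hostmaster.ad.citytechnical.co.uk
        serial  = 3
"""

# Constructed sample: the same zone queried via a public resolver (8.8.8.8).
PUBLIC_NS = """Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
chenks.co.uk    nameserver = ns2.123-reg.co.uk
chenks.co.uk    nameserver = ns.123-reg.co.uk
"""


def parse_ns(output):
    """Return the set of name servers named in an nslookup -q=ns answer.

    Handles both shapes seen in the thread: a real NS answer ("nameserver = host")
    and the SOA fallback Windows nslookup prints ("primary name server = host").
    """
    names = set()
    for line in output.splitlines():
        m = re.search(r"(?:nameserver|primary name server)\s*=\s*(\S+)", line)
        if m:
            names.add(m.group(1).rstrip(".").lower())
    return names


def split_horizon_report(internal_output, public_output):
    """Compare the internal and public views and say where dns-01 records belong."""
    internal, public = parse_ns(internal_output), parse_ns(public_output)
    return {
        "internal_ns": sorted(internal),
        "public_ns": sorted(public),
        # Differing NS sets mean the internal resolver serves a private copy of the zone.
        "split_horizon": internal != public,
        # Let's Encrypt queries from the internet, so only the public NS set matters.
        "dns01_must_go_to": sorted(public),
    }
```

Running `split_horizon_report(INTERNAL_NS, PUBLIC_NS)` on these samples flags split-horizon DNS and points the dns-01 TXT record at the 123-reg name servers.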

The networking side of things isn’t my forte.
Well, I guess as it stands, with the hardware/software I have available, there isn’t going to be a way of achieving the desired end result?

It is much more about business decisions than it is about software.

A proxy would work, or adding more IP addresses would work too. If you’re hogtied by not being allowed to do either of those things, you’re pretty much out of luck.

Maybe I’m missing something above but isn’t a multi-domain / SAN certificate still an unexplored option?

I know nothing about IIS but this seems to suggest it’s at least possible to use such a certificate with IIS 7…

I have two different domains though; your link is for 1 domain.

It says:

If, on the other hand, your IIS 7 sites all use different domain names (mail.mydomain1.com, mail.mydomain2.com, etc.), you will need to get a Unified Communications Certificate (also called a SAN certificate).

You can find here: https://weblog.west-wind.com/posts/2016/Feb/22/Using-Lets-Encrypt-with-IIS-on-Windows.
But the structure is the same as in Linux. If you cannot NAT your network correctly, you cannot receive the certificate. You can specify your domain, and if you do not stop your web server, you cannot receive a certificate either.

BR. Varbanovski