Multiple sites on one IIS Server using ACME


#1

I have a Win Server 2008 R2 server running IIS. I am using ACME with Let’s Encrypt to try and install multiple certificates on my server. I had the operations team add CAA records to the DNS to allow for letsencrypt.org as the main uwo.ca uses Thawte.

The first certificate installed fine to ssts.uwo.ca. I installed a few others before I noticed that things weren’t working correctly. To complicate things, I have an existing Thawte certificate for one of the sites, which is sscsecure.uwo.ca with a SAN for sociology.uwo.ca. The Thawte certificate stopped working, and I noticed that, always, only the most recent site worked with the Let’s Encrypt certificate. When I investigated further, I noticed that if the last certificate I installed was for ssc.uwo.ca, then all the previous certificates that I installed were changed to the ssc.uwo.ca one, instead of ssts.uwo.ca.

At this point, I have removed all the Let’s Encrypt certificates and got the sscsecure.uwo.ca cert working again (unfortunately, the SAN for sociology.uwo.ca is not working).

Is there a way to get this working for each site without overwriting the certificates for other sites?


#2

Hi @heathers

It’s not a certificate problem. It’s the problem that you need Server Name Indication (SNI), but Win 2008 doesn’t support SNI.

So if you have only one IP address, you can only use one certificate.

  • Add other IP addresses.
  • Update to Windows 2012 with SNI support.
  • Use only one certificate with all domain names. That may work, if your application can manage this.
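
Added example, not from the thread: a small Python check (standard library only) that connects to the server once per site name, sends that name as SNI, and reports which certificate is actually served and whether it covers the name. The chain is still verified against the system trust store; only the hostname check is turned off so that a wrong-but-valid certificate is reported instead of raising. The host names are the ones from this thread, and `SAMPLE_SERVED` is a constructed table mirroring the symptom in #1 (every name gets the most recently installed certificate), which is what you would expect from a server that ignores SNI.

```python
import socket
import ssl
import sys
from typing import Dict, Iterable, List, Optional


def san_dns_names(cert: dict) -> List[str]:
    """DNS entries from a certificate dict as returned by SSLSocket.getpeercert()."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_covers(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: a leading '*' matches exactly one DNS label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), hostname.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def cert_covers(names: Iterable[str], hostname: str) -> bool:
    """True if any SAN in `names` covers `hostname`."""
    return any(name_covers(n, hostname) for n in names)


def served_names(host: str, port: int = 443, sni: Optional[str] = None,
                 timeout: float = 5.0) -> List[str]:
    """Connect with `sni` as the TLS server name and return the DNS SANs of
    the certificate the server actually presents for that name."""
    sni = sni or host
    ctx = ssl.create_default_context()   # verify_mode stays CERT_REQUIRED
    ctx.check_hostname = False           # we judge the name mismatch ourselves
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return san_dns_names(tls.getpeercert())


def probe_sites(host: str, sites: Iterable[str], port: int = 443) -> Dict[str, List[str]]:
    """Map each site name to the SAN list served when that name is sent as SNI."""
    return {site: served_names(host, port, sni=site) for site in sites}


def classify(served: Dict[str, List[str]]) -> str:
    """Interpret a {site: served_san_names} mapping.
    'ok'       every site got a certificate covering its own name
    'one-cert' every site got the same certificate (no SNI: only one cert per IP:port)
    'mixed'    some sites are wrong for another reason (binding or SAN mistake)"""
    covered = {site: cert_covers(names, site) for site, names in served.items()}
    if all(covered.values()):
        return "ok"
    distinct = {tuple(sorted(n.lower() for n in names)) for names in served.values()}
    return "one-cert" if len(distinct) == 1 else "mixed"


# Constructed sample: after installing ssc.uwo.ca last, every name is served that cert.
SAMPLE_SERVED = {
    "ssts.uwo.ca": ["ssc.uwo.ca"],
    "ssc.uwo.ca": ["ssc.uwo.ca"],
    "sscsecure.uwo.ca": ["ssc.uwo.ca"],
}


if __name__ == "__main__":
    # Usage: python sni_check.py <ip-or-host> site1 site2 ...   (needs network access)
    if len(sys.argv) >= 3:
        result = probe_sites(sys.argv[1], sys.argv[2:])
    else:
        result = SAMPLE_SERVED
    for site, names in result.items():
        print(f"{site:20} covered={cert_covers(names, site)!s:5} served={names}")
    print("diagnosis:", classify(result))
```

Run it against the server's IP with all the site names; a result of `one-cert` is the SNI limitation described above (one certificate per IP:port binding), whereas `mixed` points at a wrong binding or a missing SAN on an otherwise working host.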

#3

…or you can also insert a Windows proxy that can handle SNI, like:

  • Apache for Windows
  • NGINX for Windows

NOTE: IIS 8(+) supports SNI.