Server with more than 100 hosts but 1 IP num


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: laserlearning.org & laserlearning.net

I ran this command: SAN certs for all bindings of multiple iis sites

It produced this output: paraphrasing: limit of 100 hosts per cert exceeded

My web server is (include version): IIS v4

The operating system my web server runs on is (include version): MS Win Server 2016 Standard 10.0.

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Since I have a single assigned IP-num, and since IP-num to cert must be one-to-one, and since a cert cannot have more than 100 hosts and since I have nearly 200 hosts on my server…
I must ask my hosting provider for more IP-nums.
Is that correct?
Is there another solution?

Thank you for your time, Russ


#2

Hi @Laser,

Since 2003, it hasn’t been technically necessary to have separate IP addresses in order to use distinct certificates for distinct domain names.

As a result, there are many servers and hosting environments that have literally tens of thousands of domain names hosted on a single IP address, because the client can indicate which name it wants before the server chooses which certificate and private key to use in response. The server can then pick an appropriate certificate for the client’s request.

Unfortunately SNI software support was rather slow in coming to some software.

I believe you’ll need to upgrade to IIS 8 (2012) for server-side SNI support, or else use an SNI-aware reverse proxy in front of your IIS instance to terminate the TLS connections. Or get more IP addresses.
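A way to check the behaviour described above from the server's own console, as an added example that is not part of the thread or any poster's code: the function below opens a TLS connection to one address, sends a chosen hostname in the ClientHello (the SNI extension), and reports which certificate the server chose for that name. Running it once per hostname against the same IP shows whether the server is selecting certificates per name or always returning the same one. The IP address 203.0.113.10 is a placeholder (documentation range), not a real host from the thread.

```powershell
# Added example (not from the thread): report which certificate a server presents
# for a given SNI name, so per-hostname certificate selection can be confirmed.
function Get-PresentedCertificate {
    param(
        [Parameter(Mandatory)][string]$Server,    # IP or DNS name to connect to
        [Parameter(Mandatory)][string]$SniName,   # hostname sent in the TLS ClientHello
        [int]$Port = 443
    )
    $tcp = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        # The validation callback returns $true only because this function inspects
        # which certificate the server chose; it never sends application data.
        $ssl = [System.Net.Security.SslStream]::new(
            $tcp.GetStream(), $false, { param($s, $cert, $chain, $errors) $true })
        $ssl.AuthenticateAsClient($SniName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        # OID 2.5.29.17 is the Subject Alternative Name extension (the hostnames covered).
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san = if ($sanExt) { $sanExt.Format($false) } else { '' }
        [pscustomobject]@{
            SniName    = $SniName
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            SANs       = $san
        }
        $ssl.Dispose()
    } finally {
        $tcp.Dispose()
    }
}

# Usage: compare what one IP address serves for two different names.
# 203.0.113.10 is a placeholder address; substitute your server's real IP.
'laserlearning.org', 'laserlearning.net' |
    ForEach-Object { Get-PresentedCertificate -Server '203.0.113.10' -SniName $_ } |
    Format-Table SniName, Subject, Thumbprint, NotAfter -AutoSize
```

If both rows show the same thumbprint and that certificate's SANs do not cover the second name, the server (or a proxy in front of it) is ignoring SNI and falling back to a default binding for the address.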


#3

Hi @Laser

If you have Server 2016, your web server should support SNI; that came with Win 2012.

How do you organize your bindings?

Per binding, you can define a certificate.

So if you have one website, this website can have a lot of bindings:

  1. https + empty hostname + certificate with *.laserlearning.org and laserlearning.org
  2. https + hostname example.com + certificate www.example.com + example.com
  3. https + hostname www.example.com + the certificate (2)

Then repeat 2 / 3 for each of your domains, 200 times.

So you only need certificates with two hostnames: www + non-www.
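The binding layout from steps 2 and 3 above, scripted for many domains, as an added example that is not part of the thread or any poster's code. It assumes one IIS site holds all the bindings, that each domain's two-name certificate (www + non-www) is already in the machine's personal store, and that the thumbprints in the map are placeholders to be replaced. Setting `-SslFlags 1` on each binding is what makes IIS match on the requested hostname instead of the IP address, so one address can carry all of them.

```powershell
# Added example (not from the thread): create SNI-enabled https bindings for a
# list of domains on one IIS site and attach each domain's www + non-www certificate.
Import-Module WebAdministration

$SiteName = 'Default Web Site'   # assumption: a single site carries every binding
$Port     = 443

# Constructed map of domain -> certificate thumbprint. Placeholders: replace with
# the thumbprints listed by  Get-ChildItem Cert:\LocalMachine\My
$CertByDomain = @{
    'example.com' = 'THUMBPRINT_FOR_EXAMPLE_COM'
    'example.net' = 'THUMBPRINT_FOR_EXAMPLE_NET'
}

function Add-SniBinding {
    param([string]$Site, [string]$HostName, [string]$Thumbprint, [int]$Port = 443)
    # SslFlags 1 = "Require Server Name Indication": the binding is keyed on
    # hostname rather than IP, so many names can share one address.
    if (-not (Get-WebBinding -Name $Site -Protocol https -Port $Port -HostHeader $HostName)) {
        New-WebBinding -Name $Site -Protocol https -Port $Port -HostHeader $HostName -SslFlags 1 | Out-Null
    }
    $binding = Get-WebBinding -Name $Site -Protocol https -Port $Port -HostHeader $HostName
    # Attach the certificate from the LocalMachine personal store ("My").
    $binding.AddSslCertificate($Thumbprint, 'My')
}

foreach ($domain in $CertByDomain.Keys) {
    $thumb = $CertByDomain[$domain]
    if (-not (Get-ChildItem "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue)) {
        Write-Warning "Certificate $thumb for $domain is not in LocalMachine\My; skipping"
        continue
    }
    # One binding for the apex name, one for www, both using the same certificate.
    Add-SniBinding -Site $SiteName -HostName $domain       -Thumbprint $thumb -Port $Port
    Add-SniBinding -Site $SiteName -HostName "www.$domain" -Thumbprint $thumb -Port $Port
}

# Check: every https binding should show sslFlags 1 and a certificate hash.
Get-WebBinding -Name $SiteName -Protocol https |
    Select-Object bindingInformation, sslFlags, certificateHash |
    Format-Table -AutoSize
```

Leaving one binding with an empty hostname (step 1 above) gives clients that send no SNI a certificate to receive; without it, such clients get a handshake failure rather than a wrong certificate, which is the safer default if no wildcard certificate is available.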


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.