URL still Not Secure after renewals with wacs and IIS

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: test.sigi.ht and cloud.sigi.ht

I ran this command: wacs and, in the menu, I chose Run Renewals

It produced this output:

My web server is (include version): IIS

The operating system my web server runs on is (include version): Windows Server 2016 Standard

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

But the URLs test.sigi.ht and cloud.sigi.ht are still NOT SECURE

The domains are currently serving certificates for mesi.ht, do you operate mesi.ht?

2 Likes

Yes, but it has its own certificate.

I have 2 SSL certificates on this server: one for mesi.ht and one (Let's Encrypt) for test.sigi.ht and cloud.sigi.ht.
Both were working fine until I had to renew the Let's Encrypt SSL certificates.

A common mistake on IIS is to create an HTTPS binding that isn't using SNI (Server Name Indication) or is bound to a specific IP address, and that's likely what's happened with your mesi.ht GlobalSign certificate, which was probably set up manually.

An IP address + port combination can only have one cert assigned, and if an IP-specific or non-SNI binding exists, then that assignment takes precedence over any others that might be sharing the same IP/port.

To work around this, SNI was invented (available in Windows Server 2012 onwards), which uses the hostname to decide how to match requests to the right certificate.

Edit the HTTPS binding for the mesi.ht IIS site(s) and ensure that the hostname is set in the binding, the IP is set to All Unassigned, and SNI is checked. You may need multiple HTTPS bindings to match all the hostnames that service is expected to serve.

5 Likes
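The procedure in the reply above, as an added PowerShell example (not from the thread, and not code from the wacs client or IIS): audit every HTTPS binding on the server for ones that ignore SNI, rebind one site as hostname + All Unassigned + SNI with its certificate attached, and then check from the client side which certificate the server actually presents for each SNI name. The site name `mesi.ht`, the hostnames `mesi.ht` and `www.mesi.ht`, and the function names are assumptions for illustration; run it as Administrator on the IIS host.

```powershell
# Added example, not from the original thread. Assumptions: the IIS site is
# named 'mesi.ht' and serves mesi.ht and www.mesi.ht; change $siteName and
# $hostNames to match your server. Requires the WebAdministration module (IIS 8+).
Import-Module WebAdministration

# --- 1. Audit: list every HTTPS binding and flag the ones that ignore SNI ---
# bindingInformation is "IP:port:hostname"; sslFlags bit 1 means "SNI required".
# A binding with a fixed IP (not '*' = All Unassigned) is matched on IP:port
# before the SNI hostname is consulted; one with an empty hostname catches every
# name that has no hostname binding of its own.
function Get-HttpsBindingReport {
    Get-WebBinding -Protocol https | ForEach-Object {
        $ip, $port, $hostName = $_.bindingInformation -split ':', 3
        [pscustomobject]@{
            Site       = [regex]::Match($_.ItemXPath, "@name='([^']+)'").Groups[1].Value
            IP         = $ip
            Port       = $port
            HostName   = $hostName
            SNI        = (([int]$_.sslFlags) -band 1) -eq 1
            IgnoresSNI = [string]::IsNullOrEmpty($hostName) -or ($ip -ne '*')
        }
    }
}

# --- 2. Fix: rebind one site as hostname + All Unassigned + SNI ---
function Set-SniBinding {
    param([string]$SiteName, [string[]]$HostNames, [int]$Port = 443)

    # Pick the newest certificate in LocalMachine\My that carries the first hostname.
    # DnsNameList is a property PowerShell adds to X509Certificate2 objects.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.DnsNameList.Unicode -contains $HostNames[0] } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate for $($HostNames[0]) in Cert:\LocalMachine\My" }

    # Drop this site's HTTPS bindings that have no hostname or a fixed IP.
    Get-WebBinding -Name $SiteName -Protocol https | ForEach-Object {
        $ip, $p, $hostName = $_.bindingInformation -split ':', 3
        if ([string]::IsNullOrEmpty($hostName) -or $ip -ne '*') {
            Remove-WebBinding -Name $SiteName -BindingInformation $_.bindingInformation
        }
    }

    foreach ($hn in $HostNames) {
        # -IPAddress '*' is "All Unassigned"; -SslFlags 1 ticks the SNI box.
        New-WebBinding -Name $SiteName -Protocol https -Port $Port -IPAddress '*' `
                       -HostHeader $hn -SslFlags 1
        # Attach the certificate to the hostname-scoped HTTP.sys SSL binding
        # (the IIS:\SslBindings path for an SNI binding is "!port!hostname").
        New-Item -Path "IIS:\SslBindings\!$Port!$hn" -Thumbprint $cert.Thumbprint -SSLFlags 1 |
            Out-Null
    }
}

# --- 3. Verify: which certificate does the server present for a given SNI name? ---
function Get-ServedCertificate {
    param([string]$HostName, [string]$Server = $HostName, [int]$Port = 443)
    $tcp = New-Object Net.Sockets.TcpClient($Server, $Port)
    try {
        # Accept any certificate: the point is to see which one is presented, not to validate it.
        $acceptAll = { $true } -as [Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)     # $HostName is sent in the SNI extension
        $served = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Requested  = $HostName
            Subject    = $served.Subject
            Thumbprint = $served.Thumbprint
            NotAfter   = $served.NotAfter
        }
    } finally { $tcp.Close() }
}

# Usage (assumed site and hostnames):
Get-HttpsBindingReport | Format-Table -AutoSize
Set-SniBinding -SiteName 'mesi.ht' -HostNames @('mesi.ht', 'www.mesi.ht')
netsh http show sslcert                  # HTTP.sys view: "IP:port" vs "Hostname:port" entries
'mesi.ht', 'test.sigi.ht', 'cloud.sigi.ht' |
    ForEach-Object { Get-ServedCertificate -HostName $_ } | Format-Table -AutoSize
```

Run the audit first: any row with IgnoresSNI set to True on port 443 is a candidate for the shadowing the reply describes, and `netsh http show sslcert` shows the same picture from HTTP.sys (entries keyed by IP:port rather than Hostname:port are the ones matched without SNI). After rebinding, the verification step should report the Let's Encrypt certificate's subject for test.sigi.ht and cloud.sigi.ht and the GlobalSign one for mesi.ht; if a hostname still returns the wrong thumbprint, a binding on another site, or a remaining IP-specific HTTP.sys entry, is still winning for that port.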