Win-Acme and Multiple Subdomains Conflicting

I have a dedicated Windows server 2012 R2 running IIS 8.5 with two main websites on it.

One is my main bellaonline.com site. It is accessed through various subdomains -
www.bellaonline.com
radio.bellaonline.com
lowcarb.bellaonline.com

and so on. All of those are bindings on one IIS entry.

Separately, I have the BellaOnline forums which are in a separate directory. This is accessed via -
forums.bellaonline.com
forum.bellaonline.com
f.bellaonline.com

Those are bindings in a separate IIS entry.

I have tried creating one certificate for one set and then another certificate for the other set. The entries keep mismatching so that the forums give errors about being bound to the www certificate.

I tried creating individual certificates for every single entity separately. Those also give errors with the individual items like www suddenly being bound to a random other one like forums.

Ideally on the main bellaonline.com (the one with www.bellaonline.com) I’d like a wildcard because I have over 300 sites -

cruises.bellaonline.com
italianfood.bellaonline.com
quilting.bellaonline.com

and so on that should all be secure. But when I tried to set up all those bindings in IIS, win-acme choked and said I had too many. So I had to take those all out again.

For now I would just like to have both my site and the forums to be alive and secure without one or the other giving security warnings.

Help!

Lisa

Try using only one cert for all the names.

Thank you for the suggestion rg305 - that is actually the way it is set up right now. I made one and only one certificate and chose all six of those names. When I go in to the binding for

forum.bellaonline.com

the SSL certificate spot says right now:
3,2,10,9,8,11 2018/7/10 0:36:52 AM

So it is using that multi-entry certificate I created.

But when I go to

https://forum.bellaonline.com

it gives the error:

This server could not prove that it is forum.bellaonline.com; its security certificate is from www.bellaonline.com. This may be caused by a misconfiguration or an attacker intercepting your connection.

Neither site is showing a cert with multiple names.
They are both using the same cert.

The name of

3,2,10,9,8,11 2018/7/10 0:36:52 AM

was showing up as the name in the IIS interface, when I looked at the binding entry for the secure version of forum.bellaonline.com. I agree that looking from the browser interface, it would just say the forum.bellaonline.com was mismatched to the www.bellaonline.com entry.

To try to help troubleshoot, I just went into MMC and installed the certificate plugin. Under web hosting / certificates I can now see the list of certificates. I changed the friendly name of the one which said:

3,2,10,9,8,11 2018/7/10 0:36:52 AM

to just say *.bellaonline.com.

That didn’t help :).

But I do for some reason have multiple entries in here, even though I cancelled and revoked everything before beginning again. Do they need to time out?

Can you see that?

I can see the list.
I would delete any that are not in use/needed.
Double click the *.bellaonline.com and verify if it has multiple names in the SAN.

There should be no need to revoke any certs.

OK I deleted the duplicate forums.bellaonline.com one so there is now just one of them.

When I go into IIS, I verify that forums.bellaonline.com in IIS (the binding) for the secure site is connected to the forums.bellaonline.com entry -

(new post for next image)

Have to wait 20 seconds to post …

I stopped and restarted the IIS server. But when I go to the URL it still gives the error that it’s the certificate for the www.bellaonline.com -

Please verify the SAN contents in that cert.
Unfortunately CRT.SH is having issues at this moment…
https://crt.sh/?q=bellaonline.com

OK do you mean this?

YES.
That looks right but it is not what is being served…
Try restarting IIS.

Much better now.

Aha, I was restarting each site before but not the entire IIS system. I didn’t realize I needed to restart the entire IIS.

Also, once you showed me that the single certificate had all the various subdomains included in it, I deleted the other certificates so now I just have one. So maybe that helped too:

One or both of those made the difference.
Glad to have helped 🙂

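A check for the situation in this thread (IIS serving the www certificate for forum.bellaonline.com even though a multi-name certificate is bound), written as an added PowerShell example; it is not from the thread, from win-acme, or from IIS. For each hostname it connects with SNI, reads the certificate the server actually serves, and reports whether that name is covered by the certificate's SAN list; the hostnames are the ones from the thread and are assumed to resolve to the server being checked.

```powershell
# Added example: compare what IIS serves per hostname against the SAN of that certificate.
# Hostnames taken from the thread; replace with your own bindings.
$hostNames = @('www.bellaonline.com', 'radio.bellaonline.com', 'lowcarb.bellaonline.com',
               'forums.bellaonline.com', 'forum.bellaonline.com', 'f.bellaonline.com')

function Get-ServedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate here: the point is to inspect a mismatched cert, not reject it.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
                   [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($HostName)   # $HostName is sent as the SNI value
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
    if (-not $ext) { return @() }
    # Format($true) yields one line per entry, e.g. "DNS Name=www.bellaonline.com"
    return ($ext.Format($true) -split "`r?`n" | Where-Object { $_ -match '^DNS Name=' } |
            ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() })
}

function Test-HostNameCovered {
    param([string]$HostName, [string[]]$SanNames)
    foreach ($san in $SanNames) {
        if ($san -eq $HostName) { return $true }
        # A wildcard covers exactly one label: *.bellaonline.com matches forum.bellaonline.com
        # but not a.b.bellaonline.com, hence the label-count comparison.
        if ($san.StartsWith('*.') -and $HostName -like $san -and
            ($HostName -split '\.').Count -eq ($san -split '\.').Count) { return $true }
    }
    return $false
}

foreach ($h in $hostNames) {
    try {
        $cert = Get-ServedCertificate -HostName $h
        $sans = Get-SanDnsNames -Cert $cert
        $ok   = Test-HostNameCovered -HostName $h -SanNames $sans
        '{0,-26} served: {1,-30} thumbprint {2}  SAN covers name: {3}' -f $h, $cert.Subject, $cert.Thumbprint, $ok
    } catch { '{0,-26} connection failed: {1}' -f $h, $_.Exception.Message }
}
```

In the fixed state every hostname reports the same thumbprint and "SAN covers name: True"; differing thumbprints across hostnames, or a False, is the symptom the thread describes and means a binding (or a stale IIS process) is still handing out the wrong certificate.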

Thank you so very much. I have another dedicated server where I have all my non-BellaOnline sites like

LisaShea.com
WineIntro.com

and so on and those were all conflicting with each other. So I will go do the same thing there, make one master certificate that has them all included. And that should do the trick there, too.

Thank you so much, I appreciate your help immensely! 🙂
