Win-Acme and Multiple Subdomains Conflicting


#1

I have a dedicated Windows server 2012 R2 running IIS 8.5 with two main websites on it.

One is my main bellaonline.com site. It is accessed through various subdomains -
www.bellaonline.com
radio.bellaonline.com
lowcarb.bellaonline.com

and so on. All of those are bindings on one IIS entry.

Separately, I have the BellaOnline forums which are in a separate directory. This is accessed via -
forums.bellaonline.com
forum.bellaonline.com
f.bellaonline.com

Those are bindings in a separate IIS entry.

I have tried creating one certificate for one set and then another certificate for the other set. The entries keep mis-matching so that the forums give errors about being bound to the www certificate.

I tried creating individual certificates for every single entity separately. Those also give errors with the individual items like www suddenly being bound to a random other one like forums.

Ideally on the main bellaonline.com (the one with www.bellaonline.com) I’d like a wildcard because I have over 300 sites -

cruises.bellaonline.com
italianfood.bellaonline.com
quilting.bellaonline.com

and so on that should all be secure. But when I tried to set up all those bindings in IIS, win-acme choked and said I had too many. So I had to take those all out again.

For now I would just like to have both my site and the forums to be alive and secure without one or the other giving security warnings.

Help!

Lisa


#2

Try using only one cert for all the names.


#3

Thank you for the suggestion rg305 - that is actually the way it is set up right now. I made one and only one certificate and chose all six of those names. When I go in to the binding for

forum.bellaonline.com

the SSL certificate spot says right now:
3,2,10,9,8,11 2018/7/10 0:36:52 AM

So it is using that multi-entry certificate I created.

But when I go to

https://forum.bellaonline.com

It gives the error:

This server could not prove that it is forum.bellaonline.com; its security certificate is from www.bellaonline.com. This may be caused by a misconfiguration or an attacker intercepting your connection.


#4

Neither site is showing a cert with multiple names.
They are both using the same cert.


#5

The name of

3,2,10,9,8,11 2018/7/10 0:36:52 AM

was showing up as the name in the IIS interface, when I looked at the binding entry for the secure version of forum.bellaonline.com. I agree that looking from the browser interface, it would just say the forum.bellaonline.com was mismatched to the www.bellaonline.com entry.

To try to help troubleshoot I just went into mmc and installed the certificate plugin. Under web hosting / certificates I can now see the list of certificates. I changed the friendly name of the one which said:

3,2,10,9,8,11 2018/7/10 0:36:52 AM

To just say *.bellaonline.com

That didn’t help :).

But I do for some reason have multiple entries in here. Even though I cancelled and revoked everything before beginning again. Do they need to time out?

Can you see that?


#6

I can see the list.
I would delete any that are not in use/needed.
Double click the *.bellaonline.com and verify if it has multiple names in the SAN.

There should be no need to revoke any certs.


#7

OK I deleted the duplicate forums.bellaonline.com one so there is now just one of them.

When I go into IIS, I verify that forums.bellaonline.com in IIS (the binding) for the secure site is connected to the forums.bellaonline.com entry -

(new post for next image)


#8

Have to wait 20 seconds to post …


#9

I stopped and restarted the IIS server. But when I go to the URL it still gives the error that it’s the certificate for the www.bellaonline.com -


#10

Please verify the SAN contents in that cert.
Unfortunately CRT.SH is having issues at this moment…
https://crt.sh/?q=bellaonline.com


#11

OK do you mean this?


#12

YES.
That looks right but it is not what is being served…
Try restarting IIS.

Much better now.


#13

Aha I was restarting each site before but not the entire IIS system. I didn’t realize I needed to restart the entire IIS.

Also, once you showed me that the single certificate had all the various subdomains included in it, I deleted the other certificates so now I just have one. So maybe that helped too:
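The check rg305 is describing in this thread (the certificate bound in IIS versus the one actually served for a host name), as an added PowerShell example that is not from the thread: for every https binding it reads the SANs of the bound certificate, then opens a TLS connection with SNI to the same host name and reports whether each side covers the name and whether they are the same certificate. The function names and the use of the WebAdministration module are assumptions; it is meant to run on the IIS host itself.

```powershell
# Added example, not from the thread. Assumes the IIS WebAdministration module and that it
# runs on the IIS host itself; Get-SanNames/Test-NameCovered/Get-ServedCertificate are ours.
Import-Module WebAdministration

function Get-SanNames([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # OID 2.5.29.17 = Subject Alternative Name; Format() prints one "DNS Name=host" per line
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    ($ext.Format($true) -split "`r?`n") | ForEach-Object {
        if ($_ -match 'DNS Name=(\S+)') { $Matches[1].ToLower() }
    }
}

function Test-NameCovered([string[]]$Sans, [string]$Name) {
    $Name = $Name.ToLower()
    foreach ($san in $Sans) {
        if ($san -eq $Name) { return $true }
        # A wildcard covers exactly one label: *.bellaonline.com matches forum.bellaonline.com
        if ($san.StartsWith('*.') -and ($Name -like $san) -and
            ($Name.Split('.').Count -eq $san.Split('.').Count)) { return $true }
    }
    return $false
}

function Get-ServedCertificate([string]$HostName, [int]$Port = 443) {
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept whatever is presented: we only want to inspect it, not trust it
    $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($HostName)   # sends SNI = $HostName, as a browser would
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $tcp.Close() }
}

foreach ($b in (Get-WebBinding -Protocol https)) {
    $null, $port, $hostName = $b.bindingInformation -split ':'   # "IP:port:hostname"
    if (-not $hostName) { continue }                              # no SNI host on this binding
    $bound  = Get-Item "Cert:\LocalMachine\$($b.certificateStoreName)\$($b.certificateHash)"
    $served = Get-ServedCertificate $hostName ([int]$port)
    [pscustomobject]@{
        Host          = $hostName
        BoundCovers   = Test-NameCovered (Get-SanNames $bound) $hostName
        ServedCovers  = Test-NameCovered (Get-SanNames $served) $hostName
        SameCert      = ($bound.Thumbprint -eq $served.Thumbprint)
        ServedSubject = $served.Subject
    }
}
```

A row with BoundCovers true but ServedCovers false (or SameCert false) is the situation in this thread: the binding points at the right certificate, but the running IIS instance is still serving another one until it is fully restarted.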


#14

One or both of those made the difference.
Glad to have helped :slight_smile:


#15

Thank you so very much. I have another dedicated server where I have all my non-BellaOnline sites like

LisaShea.com
WineIntro.com

and so on and those were all conflicting with each other. So I will go do the same thing there, make one master certificate that has them all included. And that should do the trick there, too.

Thank you so much, I appreciate your help immensely! :slight_smile:

