Win-Acme and Multipe Subdomains Conflicting

lisashea · July 10, 2018, 4:20am

I have a dedicated Windows server 2012 R2 running IIS 8.5 with two main websites on it.

One is my main bellaonline.com site. It is accessed through various subdomains -
www.bellaonline.com
radio.bellaonline.com
lowcarb.bellaonline.com

and so on. All of those are bindings on one IIS entry.

Separately, I have the BellaOnline forums which are in a separate directory. This is accessed via -
forums.bellaonline.com
forum.bellaonline.com
f.bellaonline.com

Those are bindings in a separate IIS entry.

I have tried creating one certificate for one set and then another certificate for the other set. The entries keep mis-matching so that the forums give errors about being bound to the www certificate.

I tried creating individual certificates for every single entity separately. Those also give errors with the individual items like www suddenly being bound to a random other one like forums.

Ideally on the main bellaonline.com (the one with www.bellaonline.com) I’d like a wildcard because I have over 300 sites -

cruises.bellaonline.com
italianfood.bellaonline.com
quilting.bellaonline.com

and so on that should all be secure. But when I tried to set up all those bindings in IIS, win-acme choked and said I had too many. So I had to take those all out again.

For now I would just like to have both my site and the forums to be alive and secure without one or the other giving security warnings.

Help!

Lisa

rg305 · July 10, 2018, 4:36am

Try using only one cert for all the names.

lisashea · July 10, 2018, 4:47am

Thank you for the suggestion rg305 - that is actually the way it is set up right now. I made one and only one certificate and chose all six of those names. When I go in to the binding for

forum.bellaonline.com

the SSL certificate spot says right now:
3,2,10,9,8,11 2018/7/10 0:36:52 AM

So it is using that multi-entry certificate I created.

But when I go to

https://forum.bellaonline.com

It gives the error:

This server could not prove that it is forum.bellaonline.com; its security certificate is from www.bellaonline.com. This may be caused by a misconfiguration or an attacker intercepting your connection.

rg305 · July 10, 2018, 4:53am

Neither site is showing a cert with multiple names.
They are both using the same cert.

lisashea · July 10, 2018, 4:58am

The name of

3,2,10,9,8,11 2018/7/10 0:36:52 AM

was showing up as the name in the IIS interface, when I looked at the binding entry for the secure version of forum.bellaonline.com. I agree that looking from the browser interface, it would just say the forum.bellaonline.com was mismatched to the www.bellaonline.com entry.

To try to help troubleshoot I just went into mmc and installed the certificate plugin. Under web hosting / certificates I can now see the list of certificates. I changed the friendly name of the one which said:

3,2,10,9,8,11 2018/7/10 0:36:52 AM

To just say *.bellaonline.com

That didn’t help :).

But I do for some reason have multiple entries in here. Even though I cancelled and revoked everything before beginning again. Do they need to time out?

Can you see that?

rg305 · July 10, 2018, 5:00am

I can see the list.
I would delete any that are not in use/needed.
Double click the *.bellaonline.com and verify if it has multiple names in the SAN.

There should be no need to revoke any certs.

lisashea · July 10, 2018, 5:08am

OK I deleted the duplicate forums.bellaonline.com one so there is now just one of them.

When I go into IIS, I verify that forums.bellaonline.com in IIS (the binding) for the secure site is connected to the forums.bellaonline.com entry -

(new post for next image)

lisashea · July 10, 2018, 5:08am

Have to wait 20 seconds to post …

lisashea · July 10, 2018, 5:09am

I stopped and restarted the IIS server. But when I go to the URL it still gives the error that it’s the certificate for the www.bellaonline.com -

rg305 · July 10, 2018, 5:10am

Please verify the SAN contents in that cert.
Unfortunately CRT.SH is having issues at this moment…
https://crt.sh/?q=bellaonline.com

lisashea · July 10, 2018, 5:13am

OK do you mean this?

rg305 · July 10, 2018, 5:14am

YES.
That looks right but it is not what is being served…
Try restarting IIS.

Much better now.

lisashea · July 10, 2018, 5:20am

Aha I was restarting each site before but not the entire IIS system. I didn’t realize I needed to restart the entire IIS.

Also, once you showed me that the single certificate had all the various subdomains included in it, I deleted the other certificates so now I just have one. So maybe that helped too:

rg305 · July 10, 2018, 5:21am

One or both of those made the difference.
Glad to have helped

lisashea · July 10, 2018, 5:22am

Thank you so very much. I have another dedicated server where I have all my non-BellaOnline sites like

LisaShea.com
WineIntro.com

and so on and those were all conflicting with each other. So I will go do the same thing there, make one master certificate that has them all included. And that should do the trick there, too.

Thank you so much, I appreciate your help immensely!

system · August 9, 2018, 5:22am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Over 400 Subdomains - Wildcard or Multiple Certificates? Help	13	2405	December 29, 2019
Windows Server IIS Bindings Using Wrong Certificates Server	5	3564	April 28, 2017
Configuring IIS8 sites with a single binding certificate each Server	9	3474	May 16, 2019
Let's Encrypt windows clients with IIS cannot handle multiple websites? Server	4	1855	February 9, 2017
Domain showing wrong certificate Help	24	3731	June 16, 2019

Win-Acme and Multipe Subdomains Conflicting

Related topics