Windows server 2008R2 - IIS - 1 SAN 1 domain

I’m able to generate the certificate standard or SAN, they are correctly applied to the bindings, and everything works.
But when I create the SAN certificates (for 3 domains) and then I create the standard certificate for one site (all hosted by the same webserver, same IP), the standard certificate overrides the SAN certificate previously created. And it’s impossible to change them manually.
Better: the app letsencrypt.exe, correctly generates the two certificates, one SAN and one standard, but the second one is applied to the SAN site, so that calling the site I got the certificate error like: “The connection it’s not private. this certificate is not owned by this site (one of the SAN) but it’s owned by the other (the standard one)”. Even if I first create the standard and then the SAN, I got the same error.

How to create more than one certificates and apply them correctly the sites?

Without sufficient detail, one can only guess…

I would guess that the IIS bindings are incorrect.
Each site should have its’ own cert with corresponding binding.
Note: If multiple names will use the same site, you will need to get creative; as entering any hostname would cause problems with the other hostnames trying to access that same site:

Yes, but I’m using W2008R2, host name is disabled when selected type is https.

You are correct, SNI was introduced to IIS with version 8.0

You could try updating IIS version.
Not sure if that’s even possible without O/S upgrade, I can only find IIS 8.0 EXPRESS (not recommended)

OR (this is not a pretty solution)
You could introduce a reverse proxy on that same system; allowing you to run the individual sites on individualized IP:port combinations. (AKA FAKE SNI)

1 Like

So you’re telling me no way on IIS7.0 ? I think should be a solution without reverse proxy, otherwise no IIS version would have ever worked before 8.0.

Judge for yourself:

One IP:port requiring multiple separate domains = SNI.
SNI was introduced with IIS version 8.0.
Windows Server 2008R2 doesn’t support IIS 8.0.

And your conclusion is… ?

… upgrade to W2012R2 :expressionless:

Or throw in a reverse proxy…

Before SNI people really had to deal with a lot of complicated workarounds, including getting extra IP addresses, or getting very large SAN certs so that clients would find the name they were looking for somewhere in the certificate. The lack of the SNI mechanism was definitely a big factor obstructing deployment of HTTPS.

You are hitting one of the issues/limitations of the Letsencrypt Win Simple client. The ACME Sharp PS module should work for you in this case.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.