Your connection is not private: Cert/site name issue


#1

I’d like to first point out that I’m new to SSL certs in every way. Here’s my setup:

Server A (Server 2008 R2, IIS v7.5)

I used LetsEncrypt-win-simple v1.9.3 to generate/install an SSL cert for my site: tango.adambohil.com. Everything went smoothly and I was able to access https://tango.adambohil.com without any issues (site has since been taken down). I then decided to experiment with a couple sites on an SNI-compatible version of IIS and spun up the VM below.

Server B (Server 2012 R2, IIS v8.5)

I created two sites on this server -- alpha.adambohil.com and bravo.adambohil.com. I was able to reach the non-secure/http versions of each of these sites. I then used Win-Acme v1.9.10 (formerly LetsEncrypt-Win-Simple) to generate/install certs.

However, when I try to visit the secure/https sites, I get the following errors:

  • IE: This site is not secure. This might mean that someone’s trying to fool you or steal any info you send to the server. You should close this site immediately. The hostname in the website’s security certificate differs from the website you are trying to visit. Error Code: DLG_FLAGS_SEC_CERT_CN_INVALID
  • Firefox: Your connection is not secure. The owner of alpha.adambohil.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
  • Chrome: Your connection is not private. Attackers might be trying to steal your information from alpha.adambohil.com (for example, passwords, messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID
    *** Additionally, Chrome shows: “This server could not prove that it is alpha.adambohil.com; its security certificate is from tango.adambohil.com. This may be caused by a misconfiguration or an attacker intercepting your connection.”

When I look at the certs on Server B (in IIS and in Local Certificates > Web Hosting folder) the certs have the appropriate names.

What am I missing? I’d really appreciate a point in the right direction. Please let me know if I can provide any additional information.

Thanks!


#2

Please run this in a command prompt and paste the output here:

netsh http show sslcert

This will allow us to confirm the bindings are set right in IIS.


#3

Thanks, Patches. . . .

SSL Certificate bindings:

Hostname:port                : alpha.adambohil.com:443
Certificate Hash             : 6253177823609c63dc1483e910fca1fe4415ad2f
Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name       : WebHosting
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check                  : Enabled
Revocation Freshness Time    : 0
URL Retrieval Timeout        : 0
Ctl Identifier               : (null)
Ctl Store Name               : (null)
DS Mapper Usage              : Disabled
Negotiate Client Certificate : Disabled

Hostname:port                : bravo.adambohil.com:443
Certificate Hash             : 80723e316eadc79ba6cac89bb9a6da0e280686be
Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name       : WebHosting
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check                  : Enabled
Revocation Freshness Time    : 0
URL Retrieval Timeout        : 0
Ctl Identifier               : (null)
Ctl Store Name               : (null)
DS Mapper Usage              : Disabled
Negotiate Client Certificate : Disabled

#4

Both Web Sites are bound to the same (wrong) certificate. I’m not sure why win-acme failed to do this for you. Did it log any errors to the Windows Event Log?

Anyway, to fix it in IIS Manager, right-click on the first Web Site in the left pane and click Edit Bindings, then choose the https binding and click Edit. Under SSL Certificate, choose the correct SSL Certificate, then click OK/Close in both dialogs. Repeat this process for the other Web Site.


#5

Thanks for the information, Patches.

There are win-acme information events logged in the Windows Event Log, but no warnings or errors.

When I edit the bindings there are only two certs available and each site already has the cert with the same name associated. Here’s an example of the first:

image

The cert for the tango subdomain is actually on a different server.

Maybe a dumb question, but could there be a DNS factor here? Should it make any difference that I have sites/subdomains on two different servers using the same domain (I manually control which has access through port forwarding on my router)?

Thanks, again, for your help on this!

-Adam


#6

Hi,

This seems to be a port forwarding issue.

Can you control which server the request you forward into based on domains visited?
Because now it seems all record (https) was forwarded to your first server. (Alpha and braveo return server one config)
All non https (http )request was forwarded to second server.(tango return site not found and curl show second server IIS version)

TL.DR :slightly_smiling_face:
You forwarded all port 80 to server two, (2012 R2)
All port 443 to server one(2008 R2)
You’ll either forward all to one server then use some method separate domains or setup all http on server one and all https on server two.


#7

Ugh - feeling like a huge idiot right now. That’s exactly what it was, @stevenzhu! I forwarded port 80 earlier and forgot/didn’t think to forward 443.

Thanks much @Patches and @stevenzhu for your help.


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.