I’d like to first point out that I’m new to SSL certs in every way. Here’s my setup:
Server A (Server 2008 R2, IIS v7.5)
I used LetsEncrypt-win-simple v1.9.3 to generate/install an SSL cert for my site: tango.adambohil.com. Everything went smoothly and I was able to access https://tango.adambohil.com without any issues (site has since been taken down).
I then decided to experiment with a couple of sites on an SNI-compatible version of IIS and spun up the VM below.
Server B (Server 2012 R2, IIS v8.5)
I created two sites on this server -- alpha.adambohil.com and bravo.adambohil.com. I was able to reach the non-secure/http versions of each of these sites. I then used Win-Acme v1.9.10 (formerly LetsEncrypt-Win-Simple) to generate/install certs.
However, when I try to visit the secure/https sites, I get the following errors:
IE: This site is not secure. This might mean that someone’s trying to fool you or steal any info you send to the server. You should close this site immediately. The hostname in the website’s security certificate differs from the website you are trying to visit. Error Code: DLG_FLAGS_SEC_CERT_CN_INVALID
Firefox: Your connection is not secure. The owner of alpha.adambohil.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
Chrome: Your connection is not private. Attackers might be trying to steal your information from alpha.adambohil.com (for example, passwords, messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID
*** Additionally, Chrome shows: “This server could not prove that it is alpha.adambohil.com; its security certificate is from tango.adambohil.com. This may be caused by a misconfiguration or an attacker intercepting your connection.”
When I look at the certs on Server B (in IIS and in Local Certificates > Web Hosting folder) the certs have the appropriate names.
What am I missing? I’d really appreciate a point in the right direction. Please let me know if I can provide any additional information.
Both Web Sites are bound to the same (wrong) certificate. I’m not sure why win-acme failed to do this for you. Did it log any errors to the Windows Event Log?
Anyway, to fix it in IIS Manager, right-click on the first Web Site in the left pane and click Edit Bindings, then choose the https binding and click Edit. Under SSL Certificate, choose the correct SSL Certificate, then click OK/Close in both dialogs. Repeat this process for the other Web Site.
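The same check and repair as a script, added here as an example (it is not code from this reply or from win-acme). It assumes Windows Server 2012 R2 / IIS 8.5 with the WebAdministration module, SNI bindings, certificates in the LocalMachine\WebHosting store, and the site names from the thread; for each site's https binding it finds the certificate whose SAN/CN list covers the binding's host header and, if the binding points at a different thumbprint, rebinds it (the scripted equivalent of picking the certificate under Edit Bindings).

```powershell
# Added example, not code from the thread or from win-acme.
# Audits each site's https binding on the local IIS box and rebinds it to the
# certificate in the WebHosting store whose DNS names cover the binding's host header.
# Assumes Windows Server 2012 R2 / IIS 8.5 (SNI bindings, WebAdministration module)
# and the site names/hostnames from the thread. Run in an elevated PowerShell.
Import-Module WebAdministration

$storeName = 'WebHosting'
$sites     = @('alpha.adambohil.com', 'bravo.adambohil.com')   # site name == hostname here

foreach ($site in $sites) {
    $bindings = @(Get-WebBinding -Name $site -Protocol https)
    if ($bindings.Count -eq 0) { Write-Warning "$site has no https binding"; continue }

    foreach ($binding in $bindings) {
        # bindingInformation looks like "*:443:alpha.adambohil.com"; the last field is the SNI host header
        $hostHeader = ($binding.bindingInformation -split ':')[-1]
        $current    = $binding.certificateHash

        # Pick the newest certificate in the store whose SAN/CN list contains the host header.
        # DnsNameList is the property PowerShell adds to X509Certificate2 objects.
        $match = Get-ChildItem "Cert:\LocalMachine\$storeName" |
            Where-Object { @($_.DnsNameList | ForEach-Object { $_.Unicode }) -contains $hostHeader } |
            Sort-Object NotAfter -Descending |
            Select-Object -First 1
        if (-not $match) { Write-Warning "no certificate for $hostHeader in $storeName"; continue }

        if ($current -eq $match.Thumbprint) {
            Write-Host "$hostHeader : OK, bound to $($match.Thumbprint)"
        } else {
            Write-Host "$hostHeader : bound to [$current], expected [$($match.Thumbprint)], rebinding"
            # Replaces the SSL certificate on this binding (same as choosing it in Edit Bindings)
            $binding.AddSslCertificate($match.Thumbprint, $storeName)
        }
    }
}
```

If this reports OK for every site and a browser still shows a certificate for a different hostname, the binding on this box is not what is answering the request, so the next thing to check is what is actually in front of the server (DNS, port forwarding, a proxy).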
There are win-acme information events logged in the Windows Event Log, but no warnings or errors.
When I edit the bindings there are only two certs available and each site already has the cert with the same name associated. Here’s an example of the first:
The cert for the tango subdomain is actually on a different server.
Maybe a dumb question, but could there be a DNS factor here? Should it make any difference that I have sites/subdomains on two different servers using the same domain (I manually control which has access through port forwarding on my router)?
Can you control which server a request is forwarded to based on the domain visited?
Because right now it seems all HTTPS requests are being forwarded to your first server (alpha and bravo return server one's config).
All non-HTTPS (HTTP) requests are being forwarded to the second server (tango returns "site not found" and curl shows the second server's IIS version).
TL;DR
You forwarded all of port 80 to server two (2012 R2),
and all of port 443 to server one (2008 R2).
You'll either forward everything to one server and then use some method to separate the domains, or set up all HTTP on server one and all HTTPS on server two.
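A way to confirm that diagnosis from outside the network, added here as an example (not code from the thread). For each hostname it opens a TLS connection with SNI, reports which certificate is actually served on port 443 and whether that certificate's names cover the hostname, then reports the Server header returned on port 80. If alpha and bravo get the tango certificate on 443 while port 80 answers with a different IIS version, the router is splitting the two ports between the two servers rather than routing by hostname. Hostnames are the ones from the thread; run it from a machine that is not behind the router.

```powershell
# Added example, not code from the thread. Run from a machine OUTSIDE the LAN.
# Shows which certificate each hostname receives on 443 (with SNI) and which
# server answers on 80, to confirm where the router is sending each port.
function Get-ServedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any chain: we want to inspect the certificate even when validation would fail
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)     # the hostname also goes out as the SNI value
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })   # SAN/CN names, PowerShell-added property
        [pscustomobject]@{
            HostName   = $HostName
            Subject    = $cert.Subject
            DnsNames   = ($names -join ', ')
            Thumbprint = $cert.Thumbprint
            NameMatch  = ($names -contains $HostName)   # this is the check the browsers are failing
        }
    } finally {
        $tcp.Close()
    }
}

function Get-HttpServerHeader {
    param([string]$HostName)
    try {
        $r = Invoke-WebRequest -Uri "http://$HostName/" -UseBasicParsing -ErrorAction Stop
        return $r.Headers['Server']
    } catch {
        # A 404 ("site not found") still carries the Server header, which is what identifies the box
        if ($_.Exception.Response) { return $_.Exception.Response.Headers['Server'] }
        return "no response: $($_.Exception.Message)"
    }
}

foreach ($h in 'alpha.adambohil.com', 'bravo.adambohil.com', 'tango.adambohil.com') {
    try {
        $tls = Get-ServedCertificate -HostName $h
        $srv = Get-HttpServerHeader -HostName $h
        "{0}`n  443 -> {1} [{2}] match={3}`n   80 -> Server: {4}" -f $h, $tls.Subject, $tls.DnsNames, $tls.NameMatch, $srv
    } catch {
        "{0}`n  error: {1}" -f $h, $_.Exception.Message
    }
}
```

Reading the output: a `match=False` line whose subject is the tango certificate, next to a port 80 Server header from the other IIS version, is exactly the "443 to server one, 80 to server two" split described above, and no amount of rebinding on Server B will change it until the forwarding rule does.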