HTTPS Binding With Specific IP
John Lafitte edited this page 2017-04-25 13:43:49 -05:00

Overview

Problems can arise when the application creates a new HTTPS binding on a specific IP address, rather than on "All Unassigned" IP addresses, while Server Name Indication (SNI) is in use. SNI is supported on IIS 8 and up, and the application uses it by default when it detects IIS 8 or greater.

Issue

The issue is that every other site using HTTPS on that same IP address will always serve the most recent certificate you install through the application, so those sites may return the wrong SSL certificate. This only occurs on IIS 8 and up, when Server Name Indication is used and the HTTP binding is listening on a specific IP address.

Resolution

If you are seeing the incorrect SSL certificate being returned for domain names after you entered Y at the prompt, you should be able to follow these steps to mitigate the issue and potentially resolve it.

  1. Open the IIS Manager and go to one of the sites returning the incorrect SSL certificate.
  2. Click Bindings under the actions menu on the right hand side.
  3. Locate the HTTPS binding showing the incorrect certificate.
  4. Select it.
  5. Click the Edit button.
  6. Uncheck Require Server Name Indication.
  7. Ensure the correct SSL certificate is selected.
  8. Click OK.
  9. Locate the same HTTPS binding again.
  10. Select it.
  11. Click the Edit button.
  12. Check Require Server Name Indication.
  13. Click OK.
  14. Check the site again. You may have to force refresh the page, or use a new browser to force it to reload the SSL certificate.

If it doesn't work right away, you may have to wait until the Application Pool's Idle Timeout is reached. Restarting or recycling the Application Pool, IIS or the server will not change the certificate; only waiting for the Idle Timeout will.

If other HTTPS bindings are still serving the incorrect SSL certificate, repeat the same steps on each of them.

Avoidance

You can avoid the issue by manually creating the HTTPS binding through the IIS Manager first. The application will then update the certificate used by that existing binding instead of creating a new one.

You can also avoid it by setting your HTTP bindings to listen on all unassigned IP addresses instead of specific IPs.
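The following PowerShell script is an added example and is not part of this wiki or of the application itself. It covers two things from this page: an audit that lists every HTTPS binding and flags the situation described under Issue (several SNI bindings on one specific IP:port with differing certificates), and a helper for the Avoidance advice above that creates the HTTPS binding yourself on All Unassigned with SNI before running the application. It assumes the IIS WebAdministration module is available, and the site and host name values are placeholders.

```powershell
# Added example, not from the win-acme wiki or code base.
# Requires the IIS WebAdministration module (IIS 8+ for sslFlags/SNI).
Import-Module WebAdministration

function Get-HttpsBindingReport {
    # One row per HTTPS binding across all sites in IIS.
    foreach ($site in Get-Website) {
        foreach ($b in (Get-WebBinding -Name $site.Name -Protocol https)) {
            # bindingInformation is "IP:port:hostheader"; "*" means All Unassigned.
            # Split into at most 3 parts so a host header containing ':' is kept intact.
            $ip, $port, $hostHeader = $b.bindingInformation -split ':', 3
            [pscustomobject]@{
                Site       = $site.Name
                IPAddress  = $ip
                Port       = $port
                Host       = $hostHeader
                SNI        = (($b.sslFlags -band 1) -ne 0)   # bit 1 = Require SNI
                Thumbprint = $b.certificateHash
                Store      = $b.certificateStoreName
            }
        }
    }
}

function Find-SharedIpSniConflicts {
    # Flags the case this page describes: SNI bindings on a specific IP
    # (not "*") sharing an IP:port but pointing at different certificates.
    param([object[]]$Bindings = @(Get-HttpsBindingReport))

    $Bindings |
        Where-Object { $_.IPAddress -ne '*' -and $_.SNI } |
        Group-Object IPAddress, Port |
        Where-Object { @($_.Group.Thumbprint | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            Write-Warning "SNI bindings on $($_.Name) use different certificates; the most recently installed one may be served for all of them."
            $_.Group | Format-Table Site, Host, Thumbprint -AutoSize
        }
}

function New-AllUnassignedSniBinding {
    # Avoidance: create the HTTPS binding on All Unassigned ("*") with SNI
    # (SslFlags 1) before running the application, so it updates this binding
    # instead of creating an IP-specific one. Parameter values are placeholders.
    param(
        [Parameter(Mandatory)][string]$SiteName,   # e.g. 'Default Web Site'
        [Parameter(Mandatory)][string]$HostName    # e.g. 'www.example.com'
    )
    New-WebBinding -Name $SiteName -Protocol https -Port 443 `
        -IPAddress '*' -HostHeader $HostName -SslFlags 1
}

# Usage: report all HTTPS bindings, then look for the conflict pattern.
Get-HttpsBindingReport | Format-Table -AutoSize
Find-SharedIpSniConflicts
```

The report shows what IIS is configured to use per binding; to see which certificate http.sys actually has registered for an IP:port, cross-check with `netsh http show sslcert`. Run this audit after acknowledging the application's prompt with Y, and again after applying the Resolution steps, to confirm the thumbprints on that IP line up with the sites.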

Application Prompt

If the HTTP binding you are asking the application to create an HTTPS binding for has a specific IP address, it will give you the following prompt.

Warning creating HTTPS Binding for {host}.
The HTTP binding is IP specific; the app can create it. However, if you have other HTTPS sites they will all get an invalid certificate error until you manually edit one of their HTTPS bindings.
You need to edit the binding, turn off SNI, click OK, edit it again, enable SNI and click OK. That should fix the error.
Otherwise, manually create the HTTPS binding and rerun the application.
You can see https://github.com/Lone-Coder/letsencrypt-win-simple/wiki/HTTPS-Binding-With-Specific-IP for more information.
Press Y to acknowledge this and continue. Press any other key to stop installing the certificate

If you press Y it will create the HTTPS binding for the same IP address the HTTP binding is using. You will then want to read through the Resolution steps to mitigate the issue.

If you press any other key it will exit the application.