My VPS contains a dozen or so websites, with several SSL certificate including the following.
- *.railtrax.com
- *.insiderarticles.com
Currently, all the *.railtrax.com websites are working fine. But the *.insiderarticles.com website (I only have one) is giving me an error in the browser (note the last paragraph).
Your connection isn't private
Attackers might be trying to steal your information from insiderarticles.com (for example, passwords, messages, or credit cards).
NET::ERR_CERT_COMMON_NAME_INVALID
This server couldn't prove that it's insiderarticles.com; its security certificate is from *.railtrax.com. This may be caused by a misconfiguration or an attacker intercepting your connection.
As you can see, the certificate for insiderarticles.com says it was issued to *.railtrax.com.
Insiderarticles.com Certificate
But I have the correct certificate selected.
Insiderarticles.com Edit Bindings Dialog
If I use Jexus to run binding diagnostics, I get the following errors:
BINDING: http 74.208.136.116:80:insiderarticles.com
Found a conflicting TCP reserved port range. Please run "netsh int ipv4 show excludedportrange protocol=tcp" at command prompt to troubleshoot.
BINDING: http 74.208.136.116:80:www.insiderarticles.com
Found a conflicting TCP reserved port range. Please run "netsh int ipv4 show excludedportrange protocol=tcp" at command prompt to troubleshoot.
BINDING: https 74.208.136.116:443:insiderarticles.com
Found a conflicting TCP reserved port range. Please run "netsh int ipv4 show excludedportrange protocol=tcp" at command prompt to troubleshoot.
BINDING: https 74.208.136.116:443:www.insiderarticles.com
Found a conflicting TCP reserved port range. Please run "netsh int ipv4 show excludedportrange protocol=tcp" at command prompt to troubleshoot.
And if I run the suggested command, I get the following.
But this isn't helpful to me.
Everything else about the certificates appears valid. I installed the certificate for *.insiderarticles.com and it was working fine. After I installed the certificate for *.railtrax.com, that's most likely when insiderarticles.com stopped working.
Could this have anything to do with the Require Server Name Indication checkbox? This checkbox was checked for insiderarticles.com and unchecked for all the *.railtrax.com websites. I tried checking this option for all the *.railtrax.com websites, but it didn't appear to make any difference.
Can anyone recommend next steps to troubleshoot this?
Best Answer
Originally, you could only use a single certificate for an IP:port pair is IIS. This was because host header is not visible during SSL handshake when IIS picks the certificate to be used.
As a solution to this limitation SNI was introduced. It is available in IIS 8 and later and supported by modern browsers (list is here) . You should enable SNI for all web sites, but you might want to have it turned off for a web site which would be used by legacy browsers that do not support SNI. Those legacy browsers would still get SSL certificate name mismatch error.
So your options are one of the following: