Ssl – SNI and wildcard SSL certificates on the same server with IIS

azureiissnisslssl-certificate

I'd like to host a website that should listen to subdomains (e.g. sub.domain.com) together with multiple websites that live just under a second-level domain (e.g. domain2.com, domain3.com) with IIS and with SSL.

For the website with the subdomains I have a wildcard certificate (*.domain.com) and I also have certificates specifically for the other sites (domain2.com and domain3.com).

Can such a setup be hosted on the same IIS (if that matters, in an Azure Cloud Service web role)?

The issue is exactly what titobf explained here: theoretically for this we'd need bindings using SNI, with the host specified for domain2/3.com and then a catch-all website with * host for *.domain.com. But in practice no matter how the bindings are set up if the catch-all website is on it will also receive all requests to domain2/3.com (although supposedly it's matched only as a last resort).

Any help would be appreciated.

Still unsolved

Unfortunately I wasn't able to solve this: it seems to be solvable only in extremely complicated ways, like creating a software that sits between IIS and the internet (so basically a firewall) and modifies incoming requests (before the SSL handshake takes place!) to allow the scenario. I'm fairly confident this is not possible with IIS, no matter what, not even from a native module.

I have to clarify: we use Azure Cloud Services, so we have a further constraint that we can't use multiple IP addresses (see: http://feedback.azure.com/forums/169386-cloud-services-web-and-worker-role/suggestions/1259311-multiple-ssl-and-domains-to-one-app). If you can point multiple IPs to your server then you don't have this issue since you can create bindings for IPs too, and those will work together wildcard bindings. More specifically, you need an IP for the wildcard site (but since you have a separate IP now you wouldn't have to configure a wildcard host name binding) and another IP for all other non-wildcard ones.

Actually our workaround was the usage of a non-standard SSL port, 8443. So the SNI binding is actually bound to this port, thus it works along with the other bindings. Not nice, but an acceptable workaround for us until you can use multiple IPs for web roles.

The non-working bindings now

The first https binding is SNI with a simple certificate, the second is not SNI, with a wildcard certificate.

The http site works, as well as the SNI https site, but the one with the wildcard binding gives an "HTTP Error 503. The service is unavailable." (without any further information, no Failed Request Tracing or Event Log entry).
Bindings

Finally getting it basically working

Enabling the ETW trace log like Tobias described showed that the root error was the following:

Request (request ID 0xF500000080000008) rejected due to reason:
UrlGroupLookupFailed.

As far as I understand this means that http.sys is not able to route the request to any available endpoint.

Checking the registered endpoints with netsh http show urlacl showed that there was indeed something registered for port 443:

Reserved URL            : https://IP:443/
    User: NT AUTHORITY\NETWORK SERVICE
        Listen: Yes
        Delegate: No
        SDDL: D:(A;;GX;;;NS)

Removing this with netsh http delete urlacl url=https://IP:443/ finally enabled my SSL binding.

Best Answer

Baris is right! The SSL certificate configured on an IP:PORT binding (example: 100.74.156.187:443) always takes precedence in http.sys! So the solution is as follows:

Do not configure an IP:443 binding for your wildcard-fallback-certificate but configure a *:443 binding (* means "All Unassigned") for it.

If you have configured your wildcard certificate on the Azure Cloud Service SSL endpoint (as i have) you have to change the SSL binding created by the Azure Cloud Service Runtime (IISconfigurator.exe) from IP:PORT to *:PORT. I am calling the following method in OnStart of my web role:

public static void UnbindDefaultSslBindingFromIp()
{
    Trace.TraceInformation(">> IISTenantManager: Unbind default SSL binding from IP");
    using (var serverManager = new Microsoft.Web.Administration.ServerManager())
    {
        try
        {
            var websiteName = string.Format("{0}_Web", Microsoft.WindowsAzure.ServiceRuntime.RoleEnvironment.CurrentRoleInstance.Id);
            var site = serverManager.Sites[websiteName];
            var defaultSslBinding = site.Bindings.Single(b => b.IsIPPortHostBinding && b.Protocol == "https");
            defaultSslBinding.BindingInformation = string.Format("*:{0}:", defaultSslBinding.EndPoint.Port);
            serverManager.CommitChanges();
        }
        catch (Exception ex)
        {
            Trace.TraceError(ex.ToString());
        }
    }
}

The following screenshot shows a working configuration of our cloud service. Please don't be confused about the non-standard ports. The screenshot is from the emulated cloud service.

working IIS configuration

One further thing to mention: Do not change all bindings to * because the HTTP (port 80) binding only works with IP:PORT binding in the deployed cloud service. Something else is bind to IP:80 so *:80 does not work because * stands for "all unassigned" and the IP is already assigned somewhere else in http.sys.

Related Topic