How to deploy HTTPS for multiple domain names on one IIS server

When we configure SSL certificates for multiple sites on a Windows server, we often see the error message "At least one other website is using the same HTTPS binding, and this binding is configured with another certificate. Do you want to reuse this HTTPS binding and reassign the other websites to use the new certificate?" Since each site has a different certificate, the server needs the host header in the request to determine which certificate to use for decryption. However, the host header is itself encrypted as part of the request. In the end, IIS has to use the certificate of the first site bound to the IP:PORT to decrypt the request, which may cause requests to the other sites to fail with an error.

(Figure 1)

By default, IIS versions below IIS8 do not allow a host name to be specified for an HTTPS binding. The "Host name" field is grayed out and cannot be edited. This causes a big problem: when two different domain names are bound to one IIS server, HTTPS can be enabled for only one website on the host, and not for the second.

When we encounter such a problem, we have the following solutions:

The first is to assign an independent IP address to each site, so that the conflict is resolved and the host header does not even need to be added.

The second is to use a wildcard certificate issued to *.abc.com. With a certificate issued to *.abc.com, any access request can be decrypted with this certificate, and the certificate mismatch error no longer occurs.

The third is to upgrade to IIS8, which adds support for SNI (Server Name Indication). With SNI, the server can extract the requested host name from the request and find the corresponding certificate.

The fourth, if you don't want to upgrade the IIS version, is to find a way to change the grayed-out, non-editable host name, which has to be done manually.

Since the first two methods, adding IP addresses and purchasing a wildcard certificate, increase our cost, we focus on the latter two methods:

Let's first talk about upgrading IIS. Since the editor's host already runs IIS8, we will go straight to the configuration.

Install the server certificate: open IIS, click the host name, and select the server certificate, as shown below:

(Figure 2)

Click Import on the right, as shown below:

(Figure 3)

Select your own certificate file and confirm:

(Figure 4)

Add a website binding, as shown below:

(Figure 5)

Note: Here, select https for the type, 443 for the port, and fill in your own domain name for the host name. You must check the "Require server name indication" check box, and select the certificate of your own website as the SSL certificate. Click OK, then test in the browser. The configuration is successful if the address bars for the two websites look similar to the following:

(Figure 6)

Now let's talk about the configuration of IIS7.

First find the location of the IIS configuration file at:

(Figure 7)

Note: This file cannot be opened and edited directly. You can copy it to the desktop for editing, and then overwrite it after editing.

Find the following location:

<bindings>
    <binding protocol="net.tcp" bindingInformation="808:*" />
    <binding protocol="net.pipe" bindingInformation="*" />
    <binding protocol="net.msmq" bindingInformation="localhost" />
    <binding protocol="msmq.formatname" bindingInformation="localhost" />
    <binding protocol="http" bindingInformation="*:80:www.abc.com" />
    <binding protocol="https" bindingInformation="*:443:" />
</bindings>

Let's modify the *:443: binding and change it to the following:

<binding protocol="https" bindingInformation="*:443:www.abc.com" />

After the modification is complete, copy the file back over the original, then return to the IIS console (no restart is needed), and you can see that the host name has been successfully bound.

At this point, the site can be started normally.
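A check that can be run on the edited copy of the configuration file before it is copied back, as an added example that is not part of the original article: it parses the `bindingInformation` values shown above (`IP:port:host`) and reports HTTPS bindings that have no host name, and sites that share one IP:port without SNI and therefore share one certificate, as described at the start of the article. The sample XML, the site names, the IP address and www.example.org are constructed; the `sslFlags="1"` attribute is assumed to be how an IIS8 binding with "Require server name indication" appears in the file.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

SNI_FLAG = 1  # sslFlags bit 0: "Require Server Name Indication" (IIS 8 and later)

# Constructed sample; site names, the IP and www.example.org are made up.
SAMPLE = """<sites>
  <site name="abc"><bindings>
    <binding protocol="net.tcp" bindingInformation="808:*" />
    <binding protocol="http" bindingInformation="*:80:www.abc.com" />
    <binding protocol="https" bindingInformation="*:443:www.abc.com" />
  </bindings></site>
  <site name="xyz"><bindings>
    <binding protocol="https" bindingInformation="*:443:" />
  </bindings></site>
  <site name="sni"><bindings>
    <binding protocol="https" bindingInformation="10.0.0.5:443:www.example.org" sslFlags="1" />
  </bindings></site>
</sites>"""

def parse_binding_info(info):
    """Split 'IP:port:host' from the right so an IPv6 literal such as [::1] stays whole."""
    endpoint, host = info.rsplit(":", 1)
    ip, port = endpoint.rsplit(":", 1)
    return ip, int(port), host

def audit(xml_text):
    """Return findings for HTTPS bindings that cannot get a certificate of their own."""
    findings, shared = [], defaultdict(set)
    for site in ET.fromstring(xml_text).iter("site"):
        for b in site.iter("binding"):
            if b.get("protocol") != "https":
                continue  # net.tcp, http, etc. use other formats and carry no certificate
            try:
                ip, port, host = parse_binding_info(b.get("bindingInformation", ""))
            except ValueError:
                findings.append(("malformed", site.get("name"), b.get("bindingInformation")))
                continue
            if not host:
                findings.append(("empty-host", site.get("name"), f"{ip}:{port}"))
            if not int(b.get("sslFlags", "0")) & SNI_FLAG:
                shared[(ip, port)].add(site.get("name"))
    # Without SNI the certificate is chosen per IP:port, so these sites share one.
    # Grouping uses the literal IP string; '*' is not matched against specific IPs.
    for (ip, port), sites in shared.items():
        if len(sites) > 1:
            findings.append(("shared-certificate", f"{ip}:{port}", sorted(sites)))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A `shared-certificate` finding is acceptable only when the single certificate bound to that IP:port covers every listed site's host name, for example the wildcard certificate from the second method.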


Origin blog.csdn.net/weixin_45480174/article/details/108973495