Internet Information Services
Microsoft web server software.
1,580 questions
IIS serves wrong SSL Wildcard certificate
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 53%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
Jelle_JP
1
Reputation point
Hi folks,
In the last few years, i've started to increasingly encounter a very frustrating problem with IIS serving a wrong wildcard certificate.
Let me elaborate.
The issue exists on a variety of Windows Servers, so it’s not bound to a specific type of Windows Server or IIS.
Windows 2012R2 - IIS8.5
Windows 2016 - IIS10
Windows 2019 - IIS10
When configured from scratch, our config works well. It can work up to a few weeks, months or even years and then suddenly it stops working and serves the wrong certificate.
An example of our config:
In IIS we have a site named www.website1.com
www.websitenumberone.com - 123.123.123.111 – Single domain SSL – SNI enabled
www.websiteaboutpizza.com - 123.123.123.111 - Wildcard SSL – SNI enabled
In IIS we have a site named www.website2.com
www.websitenumbertwo.com - 123.123.123.111 – Single domain SSL – SNI enabled
Now, the problem is that www.websitenumbertwo.com serves the wildcard SSL from www.websiteaboutpizza.com . The only thing I can do is remove the wildcard SSL from www.websiteaboutpizza.com from the server to fix it.
If I then remove the binding www.websiteaboutpizza.com from www.website1.com and reinstall the wildcard certificate from www.websiteaboutpizza.com , the problem re-emerges instantly (meaning the wildcard gets loaded on websitenumbertwo.com). The only side-note I have is that the binding www.websiteaboutpizza.com remains in the underlaying CMS hostnames (which should not be a problem).
Killing the apppool; Restarting IIS; reconfiguring the bindings have no effect, only the removal of the wildcard, which obviously is not a suitable option.
Nowhere on the web have I found a similar issue.
I hope anyone can give me some fresh insights.
Thanks in advance!
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 82%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBZ%3C/text%3E%3C/svg%3E)
Bruce Zhang-MSFT 3,736 Reputation points2021-12-13T05:49:21.117+00:00 Hi @Jelle_JP ,
I want to know how your certificate match the domain name to know which domain is need to authen. Can you show the image of Subject Alternative name?
Usually, one cause of wrong wildcard certificate is client cache. Have you checked the client-side cache to troubleshoot this problem? -
Jelle_JP 1 Reputation point
2021-12-14T15:24:30.217+00:00 Hi BruceZhang,
Many thanks for the fast response!
we've ruled out Client Caching. The SAN name is *.websiteaboutpizza.com , just like the CN.
This problem exists not only with this one specific Wildcard, but also with another wildcard on another server (for another domain). So this also makes it less likely that the issue is within the certificate(s) itself.Sincerely, Jelle
-
Bruce Zhang-MSFT 3,736 Reputation points
2021-12-15T07:57:16.677+00:00 Hi @Jelle_JP ,
Please try to use All Unassigned instead of IP address when set site binding.
Another thing is confirm that the selected wild card certificate is correctly.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 22%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJP%3C/text%3E%3C/svg%3E)
Jelle Peters 1 Reputation point2021-12-21T08:13:16.097+00:00 Hi @Bruce Zhang-MSFT ,
sorry for the late response. This will take time to plan as it is a production environment.
I'll give you an update as soon as we've tested your suggestion. -
Jelle_JP 1 Reputation point
2022-01-07T10:43:26.117+00:00 Hi @Bruce Zhang-MSFT ,
i've adjusted the binding as you suggested. I've changed it from <IP> to All Unassigned. After the change the site worked, untill I re-installed the wildcard certificate.
Without changing anything else, the website immediately displayed the certificate error.So the certificate is not selected in ANY binding, but is used by IIS as soon as it is installed.
Sign in to comment