JelleJP-3005 asked:

IIS serves wrong SSL Wildcard certificate

Hi folks,

In the last few years, I've started to increasingly encounter a very frustrating problem with IIS serving a wrong wildcard certificate.
Let me elaborate.
The issue exists on a variety of Windows Servers, so it’s not bound to a specific type of Windows Server or IIS.
Windows 2012R2 - IIS8.5
Windows 2016 - IIS10
Windows 2019 - IIS10

When configured from scratch, our config works well. It can work up to a few weeks, months or even years and then suddenly it stops working and serves the wrong certificate.
An example of our config:
[attachment: 1.png]

In IIS we have a site named www.website1.com
www.websitenumberone.com - 123.123.123.111 – Single domain SSL – SNI enabled
www.websiteaboutpizza.com - 123.123.123.111 - Wildcard SSL – SNI enabled
[attachment: 2.png]

In IIS we have a site named www.website2.com
www.websitenumbertwo.com - 123.123.123.111 – Single domain SSL – SNI enabled
[attachment: 3.png]

Now, the problem is that www.websitenumbertwo.com serves the wildcard SSL from www.websiteaboutpizza.com. The only thing I can do is remove the wildcard SSL from www.websiteaboutpizza.com from the server to fix it.
If I then remove the binding www.websiteaboutpizza.com from www.website1.com and reinstall the wildcard certificate from www.websiteaboutpizza.com, the problem re-emerges instantly (meaning the wildcard gets loaded on websitenumbertwo.com). The only side note I have is that the binding www.websiteaboutpizza.com remains in the underlying CMS hostnames (which should not be a problem).
Killing the app pool, restarting IIS and reconfiguring the bindings have no effect; only the removal of the wildcard does, which obviously is not a suitable option.
Nowhere on the web have I found a similar issue.

I hope anyone can give me some fresh insights.

Thanks in advance!


windows-server-iis
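The question compares what IIS shows in its binding UI with what browsers receive. Those are two of three views worth checking, the third being the HTTP.sys SSL binding table that IIS writes to and that actually answers TLS handshakes. The script below is an added diagnostic example, not code from the original thread; it assumes an elevated session on the IIS server with the WebAdministration module available, and uses the placeholder host names and IP from the question. It lists the https bindings IIS has configured (with the SNI flag and certificate hash), parses `netsh http show sslcert` to show the `IP:port` and `Hostname:port` entries HTTP.sys holds, and finally performs a TLS handshake with SNI against the server IP for each host name to report which certificate is really served and whether its names cover the requested host.

```powershell
# Added diagnostic script, not from the original post. Assumes it runs elevated
# on the IIS server with the WebAdministration module; host names and the IP
# below are the placeholders used in the question.
Import-Module WebAdministration

# View 1: what IIS has configured. bindingInformation is "IP:port:hostheader";
# bit 0 of sslFlags is "Require Server Name Indication".
function Get-IisHttpsBindingReport {
    foreach ($site in Get-Website) {
        $https = $site.Bindings.Collection | Where-Object { $_.protocol -eq 'https' }
        foreach ($b in $https) {
            $ip, $port, $hostHeader = $b.bindingInformation -split ':'
            [pscustomobject]@{
                Site       = $site.Name
                IP         = $ip
                Port       = $port
                HostHeader = $hostHeader
                SNI        = [bool]($b.sslFlags -band 1)
                CertHash   = $b.certificateHash
            }
        }
    }
}

# View 2: what HTTP.sys holds. It keeps 'IP:port' entries (no SNI) and
# 'Hostname:port' entries (SNI). A stray IP:port entry on the shared address
# is the first thing to look for when the wrong certificate is served.
function Get-HttpSysSslBindings {
    $records = @()
    $current = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            if ($current) { $records += $current }
            $current = [pscustomobject]@{ Type = $Matches[1]; Endpoint = $Matches[2]; CertHash = $null }
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*(\S+)') {
            $current.CertHash = $Matches[1]
        }
    }
    if ($current) { $records += $current }
    $records
}

# Name check in the RFC 6125 style: exact match, or a wildcard covering
# exactly one leftmost label (*.example.com matches www.example.com only).
function Test-NameMatch {
    param([string]$HostName, [string[]]$Names)
    foreach ($n in $Names) {
        if ($n -eq $HostName) { return $true }
        if ($n.StartsWith('*.')) {
            $pattern = '^[^.]+' + [regex]::Escape($n.Substring(1)) + '$'
            if ($HostName -match $pattern) { return $true }
        }
    }
    return $false
}

# View 3: what a client receives. The handshake is sent to the server IP with
# SNI set to $HostName, so DNS and client caches play no part in the result.
function Test-ServedCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$ServerIp,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($ServerIp, $Port)
    try {
        # Accept any certificate: the point is to see which one is served.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)   # $HostName is the SNI value
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $dnsNames = @()
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($sanExt) {
            $dnsNames = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
                ForEach-Object { $_.Groups[1].Value }
        }
        $allNames = @($dnsNames) + @($cert.GetNameInfo('DnsName', $false))
        [pscustomobject]@{
            Requested  = $HostName
            Subject    = $cert.Subject
            DnsNames   = $dnsNames -join ', '
            Thumbprint = $cert.Thumbprint
            Covers     = Test-NameMatch -HostName $HostName -Names $allNames
        }
    }
    finally {
        $client.Close()
    }
}

# Usage with the question's placeholders: compare the three views side by side.
Get-IisHttpsBindingReport | Format-Table -AutoSize
Get-HttpSysSslBindings    | Format-Table -AutoSize
'www.websitenumberone.com', 'www.websiteaboutpizza.com', 'www.websitenumbertwo.com' |
    ForEach-Object { Test-ServedCertificate -HostName $_ -ServerIp '123.123.123.111' } |
    Format-Table -AutoSize
```

Read the three tables together: a row in view 3 where `Covers` is false for www.websitenumbertwo.com reproduces the complaint without any browser involved; the hash in that row can then be matched against view 2 to see whether it came from a `Hostname:port` entry for that name or from an `IP:port` entry on 123.123.123.111, and against view 1 to see which site IIS believes owns it. Differences between view 1 and view 2 (a hash IIS shows that HTTP.sys does not hold, or an HTTP.sys entry no IIS binding accounts for) are exactly the state that restarting IIS or re-saving bindings in the UI does not always repair.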

Hi @JelleJP-3005 ,

I want to know how your certificate matches the domain name, to know which domain needs to be authenticated. Can you show the image of the Subject Alternative Name?
[attachment: 1.jpg]
Usually, one cause of a wrong wildcard certificate is the client cache. Have you checked the client-side cache to troubleshoot this problem?



Hi BruceZhang,

Many thanks for the fast response!

We've ruled out client caching. The SAN name is *.websiteaboutpizza.com, just like the CN.
This problem exists not only with this one specific Wildcard, but also with another wildcard on another server (for another domain). So this also makes it less likely that the issue is within the certificate(s) itself.


Sincerely, Jelle


Hi @JelleJP-3005 ,

Please try to use All Unassigned instead of the IP address when setting the site binding.
[attachment: 1.jpg]

Another thing is to confirm that the selected wildcard certificate is correct.


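The suggestion above changes each https binding from a specific IP to All Unassigned while keeping SNI required. Done by hand in the IIS UI this is several clicks per site; the function below is an added example of the same change scripted, not code from the thread or from Microsoft. It assumes an elevated session with the WebAdministration module, the placeholder site and host names from the question, and that `$Thumbprint` is the single-domain certificate for that host header. It removes whatever https binding currently exists for the host header, recreates it on `*` (All Unassigned) with `SslFlags 1` (Require Server Name Indication), attaches the certificate so HTTP.sys gets a `Hostname:port` entry, and shows that entry for confirmation.

```powershell
# Added example of the suggested change, not from the original thread. Assumes
# WebAdministration, an elevated session and the placeholder names from the
# question; $Thumbprint is the single-domain certificate for $HostHeader.
Import-Module WebAdministration

function Set-SniBindingAllUnassigned {
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [Parameter(Mandatory)][string]$HostHeader,
        [Parameter(Mandatory)][string]$Thumbprint,
        [int]$Port = 443
    )
    # Remove the existing https binding(s) for this host header, IP-specific or not.
    Get-WebBinding -Name $SiteName -Protocol https -HostHeader $HostHeader |
        ForEach-Object { Remove-WebBinding -Name $SiteName -BindingInformation $_.bindingInformation }

    # '*' is "All Unassigned"; SslFlags 1 is "Require Server Name Indication".
    New-WebBinding -Name $SiteName -Protocol https -Port $Port -IPAddress '*' `
        -HostHeader $HostHeader -SslFlags 1

    # Attach the certificate from the machine's Personal (My) store. For an SNI
    # binding this writes a Hostname:port entry into HTTP.sys rather than IP:port.
    $binding = Get-WebBinding -Name $SiteName -Protocol https -HostHeader $HostHeader
    $binding.AddSslCertificate($Thumbprint, 'My')

    # Confirm what HTTP.sys now holds for exactly this host name and port.
    netsh http show sslcert hostnameport="$HostHeader`:$Port"
}

# Usage with the question's placeholders; replace the thumbprint with the
# single-domain certificate's thumbprint from the Personal store.
Set-SniBindingAllUnassigned -SiteName 'www.website2.com' `
    -HostHeader 'www.websitenumbertwo.com' -Thumbprint '<thumbprint-of-single-domain-cert>'
```

Run it for every https host header on the server, the wildcard one included, so that no binding on the shared IP remains tied to 123.123.123.111 itself; a handshake with SNI for www.websitenumbertwo.com afterwards should return the single-domain certificate, and if it still returns the wildcard, the `netsh` output is where the stale entry will show.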

0 Answers