|
Suppose there is a scenario where we have multiple sites (such as site1.example.com, site2.example.com, and site3.example.com) bound to the same IP: PORT and distinguish different host headers. We have applied for and installed a certificate for each SSL site. When browsing the website, users still see the error of certificate mismatch. IIS When an https request arrives at the IIS server, the https request is encrypted, and you need to obtain the corresponding server certificate to decrypt the request. Because the certificates corresponding to each site are different, the server needs to judge which certificate to use for decryption through different host headers in the request. However, the host header is also encrypted as part of the request. Finally, IIS had to use the first site certificate bound to the IP: PORT to decrypt the request, which may cause the request to other sites to fail and report an error. Solution - The first solution binds each https site to a different port. But in this case, the client must manually specify the port when browsing the web page, such as //site. domain. com: 444
- The second solution is to assign an independent IP address to each site, so that the conflict can be resolved, and even the host header does not need to be added.
- The third solution is to use wildcard certificates. We use a wildcard certificate issued to. domain.com. For our example, we should use a certificate issued to. marei.com, so that any request to access the domain can be decrypted through the certificate, and the certificate matching error will disappear.
- The fourth solution is to upgrade to IIS8, which adds support for SNI (Server Name Indication). The server can extract the corresponding host header from the request to find the corresponding certificate.
For SNI opening mode, please refer to |
