Install Certificate function doesn't set the "Require SNI checkbox"
rabbers opened this issue · comments
When using Install-Certificate, and where fresh bindings ARE created, the SslFlags are not set. This results in a binding being created without the "Require Server Name Indication" checkbox set.
On a system that hosts multiple websites, this is a disaster, because if you then subsequently Install-Certificate into a new site, both of these non-SNI bindings get allocated the new certificate. Obviously this breaks websites if their SslFlags aren't right.
If you look in the code for IisHelper, you can see that the Add for the binding uses a 3 parameter overload, but I have read something that suggests that there is a 4 parameter overload that exists in libraries that come with later windows OS distributions. The UpdateBinding function in the helper looks like it would set the appropriate flags but damage to the server would already have been done.
Regards,
Mark
I produced a workaround in my powershell script yesterday. I now understand that the setting of SslFlags clears the binding to the SSL Cert (Hash and StoreName). It looks to me as though the Certifcate cannot be applied at the same time as the binding is created or at the same time as the SslFlags are changed. You can verify this by use of the "Set-WebBinding" cmdlet with -PropertyName SslFlags and -Value 1, i.e. the flags are set, but the hash is clear.
I couldn't work out how to install the certificate using "Import-Certificate" cmdlet - so I've worked out a way to use Install-ACMECertificate safely - the approach is as follows:
- Configure an additional site in IIS specifically to import certificates - mines called "__acme_installer" but the name is unimportant.
- Remove bindings from this site using Get-WebBinding and Remove-WebBinding as appropriate.
- Use "Install-ACMECertificate" to install the certificate to a FixedIP that isn't used elsewhere within IIS. I don't think that the IP has to be bound, but probably should come from a private address range. I'm using "127.0.0.1", but that's because I don't bind sites to localhost on my box.
Note) You will now have the binding on the additional site, but more importantly the certifcate is correctly imported into IIS Server Certifcates. - On your target site (the one that you're actually trying to set up) use New-WebBinding ensuring that you use -SslFlags 1.
- On your target site, use $binding = Get-WebBinding and $binding.AddSslCertificate(hash, "My"). I already have my hash in my script, but you don't have it, you can use Get-ACMECertificate and powershell filtering to get it.
Here are the relevant code fragments from my script:
"Removing existing SSL Bindings"
$bindings = (Get-WebBinding -Name $WebSiteName | where-object {$_.protocol -eq "https"})
if($bindings -ne $null) {
foreach($binding in $bindings) {
"Removing Binding"
$binding
Remove-WebBinding -InputObject $binding
}
}
"Importing Certificate Into IIS"
$binding = (Get-WebBinding -Name "__acme_installer" | where-object {$_.protocol -eq "https"})
if($binding -ne $null) {
Remove-WebBinding -Name "__acme_installer" -Port 443 -Protocol "https" -IPAddress "127.0.0.1"
}
Install-ACMECertificate -VaultProfile _VaultName_ -CertificateRef $certident -Installer iis -InstallerParameters @{
WebSiteRef = "__acme_installer"
BindingAddress = "127.0.0.1"
PortNumber = 443
}
$cert = Get-ACMECertificate -VaultProfile _VaultName_ -Ref $certident
#We install SNI cert on each binding
foreach ($webname in $webaddresslist) {
"Installing an SNI-based certificate $webname"
New-WebBinding -Name $WebSiteName -Protocol "https" -Port $PortNumber -HostHeader $webname -SslFlags 1
$binding = Get-WebBinding -Name $WebSiteName -Protocol "https" -Port $PortNumber -HostHeader $webname
$binding.AddSslCertificate($cert.Thumbprint, "My")
}