Search code examples
powershelliissni

Creating IIS Site in powershell without SNI

I am trying to create one IIS site in powershell .I want the site to be created without SNI.
I am using iis 10, ( Windows 2016 server ).

I am able to create site with SNI using sslflags=1. But When I try to create without sni, I am running into issues.

Below is my snippet

$SecurePassword = ConvertTo-SecureString "Somepassword" -AsPlainText -Force; 
Import-PfxCertificate -FilePath 'C:\certs\nt111trnch01.pfx' -CertStoreLocation Cert:\LocalMachine\My -Password $SecurePassword; 
Import-PfxCertificate -FilePath 'C:\certs\nt111trnch02.pfx' -CertStoreLocation Cert:\LocalMachine\My -Password $SecurePassword; 
Import-PfxCertificate -FilePath 'C:\certs\nt111trnch03.pfx' -CertStoreLocation Cert:\LocalMachine\My -Password $SecurePassword; 
Import-Module "WebAdministration"; 
New-Item IIS:\Sites\myProj -bindings @{protocol='https';bindingInformation='*:8080:nt111trnch01.sit.abcit';SslFlags=1} -PhysicalPath C:\site; 
New-WebBinding -Name "myProj" -Protocol https -HostHeader nt111trnch02.sit.abcit -Port 8080 -SslFlags 1; \
New-WebBinding -Name "myProj" -Protocol https -HostHeader nt111trnch03.sit.abcit -Port 8080 -SslFlags 1; \
New-Item -Path "IIS:\SslBindings\*!8080!nt111trnch01.sit.abcit" -Thumbprint 145300EC69B3448EE15A54DBCD54647AF8294611 -SslFlags 1; 
New-Item -Path "IIS:\SslBindings\*!8080!nt111trnch02.sit.abcit" -Thumbprint 86C1CD3660F9810DB30CB2E312E197C898I26253 -SslFlags 1; 
New-Item -Path "IIS:\SslBindings\*!8080!nt111trnch03.sit.abcit" -Thumbprint 0C7888C0615615997DB6F9DA9E9A03E4671E3BAD -SslFlags 1; 
New-Item C:\site\myProj -type directory

Note: I am able to create site with single certificate and without SNI. But binding multiple certificates causing the issues.

Thanks in advance

Update 1 I changed all SslFlags vlaue to 0. Now I am getting this error.

New-Item : Cannot create a file when that file already exists
At line:12 char:2
+     New-Item -Path "IIS:\SslBindings\*!8080!nt111trnch02.sit.abci...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-Item], Win32Exception
    + FullyQualifiedErrorId : System.ComponentModel.Win32Exception,Microsoft.PowerShell.Commands.NewItemCommand

WARNING: Binding host name 'nt111trnch03.sit.abcit' is not equals to certificate subject name 'CN=nt111trnch03.sit.swcsit, OU=IT Services, O=Mycity 
Company, L=Mycity, S=State, C=Country'. Client may not be able to connect to the site using HTTPS protocol.
New-Item : Cannot create a file when that file already exists
At line:13 char:2
+     New-Item -Path "IIS:\SslBindings\*!8080!nt111trnch03.sit.abci ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-Item], Win32Exception
    + FullyQualifiedErrorId : System.ComponentModel.Win32Exception,Microsoft.PowerShell.Commands.NewItemCommand

I went and checked IIS UI. I can see three bindings, but all 3 bindings are using first certificate only. I think this is because of the errors above.

enter image description here

Solution

  • I am able to find a solution for this. I did IP bindng to get it working. Not sure whether it is the correct way.

    I bind IP of server B to server B certificate, ip of Server C to server C certificate and all ip(*) to server A certificate.

    Not sure whether this is correct or should I bind IP to their respective certificate. But this is working . Verified that Netscaler is able to do SSL handshake on all 3 servers

    New-Item IIS:\Sites\myproj-bindings @{protocol='https';bindingInformation='*:8080:nt111trnch01.abcit.sit';SslFlags=0} -PhysicalPath C:\site; 
    New-WebBinding -Name "myproj" -Protocol https -HostHeader nt111trnch02.abcit.sit-IP 10.17.193.235 -Port 8080 -SslFlags 0; 
    New-WebBinding -Name "myproj" -Protocol https -HostHeader nt111trnch03.abcit.sit-IP 10.16.193.237 -Port 8080 -SslFlags 0; 
    New-Item -Path "IIS:\SslBindings\*!8080!nt111trnch01.abcit.sit" -Thumbprint 145300EC69B3448EE15A54DBCD54647AF8294611 -SslFlags 0; 
    New-Item -Path "IIS:\SslBindings\10.16.193.235!8080!nt111trnch02.abcit.sit" -Thumbprint 86C1CD3660F9810DB30CB2E312E197C898I26253 -SslFlags 0; 
    New-Item -Path "IIS:\SslBindings\10.16.193.237!8080!nt111trnch03.abcit.sit" -Thumbprint 0C7888C0615615997DB6F9DA9E9A03E4671E3BAD -SslFlags 0;

    Please let me know if this is not the correct way.

    Thanks.