Removing HTTPS binding affects other sites?

  • Question

  • User439834821 posted

    My scenario:

    • Multiple HTTP sites (example1.com, example2.com, etc.) on same IP
    • Wildcard *.example.com cert that is used for WebDAV publishing over HTTPS for these same sites (webdav1.example.com, webdav2.example.com, etc.)
    • So each site has one HTTP binding, and one HTTPS (only for publishing)
    • Anonymous authentication for HTTP, Basic enabled for WebDAV over HTTPS

    Everything worked fine, until I recently added a new site, which exhibited two problems:

    • WebDAV (XP/Vista clients) get the usual password request, followed by a certificate request
    • I cannot delete the site or remove the HTTPS binding without getting a message like this:

    ---------------------------
    Site Bindings
    ---------------------------
    The certificate associated with this binding is also assigned to another site's binding. Deleting this binding will cause the HTTPS binding of the other site to be unusable. Do you still want to continue?
    ---------------------------
    Yes   No   Cancel  
    ---------------------------

    I don't know what's wrong with this new site. Apparently the usual setup steps were followed, but now I can't even delete it out of fear of losing the wildcard certificate that is also used by other sites, and I am a bit at a loss.

    Any advice?

    Thanks!

    Thursday, June 5, 2008 11:31 AM

Answers

  • User511787461 posted

    There are 2 parts of an "SSL binding" - the host:ip:port information that is in applicationhost.config which is unique to each site (eg: webdav1.example.com:443:ip) and the mappings of an ip:port combination to a server certificate in http.sys configuration which in this case is shared across all your sites using the wildcard certificate - removing the bindings in the UI will remove both those things which will of course make your other sites non-functional - you need to remove just the binding in applicationhost.config using other means like appcmd/editing in notepad etc.

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Thursday, June 5, 2008 11:43 AM
  • User439834821 posted

    Thank you, manual editing of the .config file did it. It allowed me to remove and readd the site, and the other problem is solved as well. Maybe this should be filed as a bug in IIS manager though?

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Friday, June 6, 2008 5:40 AM

All replies

  • User648371956 posted

    Hello!

    I have the same problem I can't fix.
    So I have a SBS 2008 which after installing the certificate does not allow to start the "default" website because another site (SBS Web Application) is using the same port.

    I understood that a manual editing of the config file will solve the problem but I am not sure what I must edit to get it working.
    Can you be more specific for a "novice" like me?

    Thank you!

    Gabe

    Wednesday, March 10, 2010 7:54 AM
  • User-47214744 posted

    The problem that you are facing does not seem to be the exact same problem. The problem mentioned before was two sites using SSL and Wildcard certificates which when deleted can cause problems in between each other.

    If I'm reading your mail correctly, it sounds like you just have a port# conflict. You can only have one site with the exact same bindings, which looks like the problem you are having. You should open the IIS Manager (inetmgr.exe) and expand the Tree to get to the Sites node, see the Bindings column. Probably two sites have the same *:80 binding. You can only start one of them so you'll need to stop the other. If you want to have both running you could either edit the Bindings (click Bindings...) and change the port # of one of them or use a host name.

    Thursday, March 11, 2010 1:23 AM
  • User976359461 posted
    I just fixed the same problem you are describing with my SBS 2008 install. I think this takes place when SSL is turned on for the default web site, which adds the two bindings (one in applicationhost.config, and the UI binding). Just as described above, you are unable to remove the binding in the UI without affecting everything else, but if you go to %windir%\System32\inetsrv\config and delete the binding info there for the default website, it will start working again (as long as no sites in your default web site need SSL; if so you could edit it there, I assume, as well). As always, make sure to make a backup before you edit. Hope this helps.
    Tuesday, March 30, 2010 11:45 AM
  • User-2068698782 posted
    I just found this post from 2008. We actually have this issue 2 years later. We have IIS 7.0 on Win2k8 64-bit, a lot of sites and bindings, and a wildcard certificate. Is there a fix that exists for the IIS 7 manager that solves this issue? It's very annoying to have all our https sites down for a few seconds every time we change an https setting on any of our sites.
    Wednesday, July 14, 2010 2:30 PM
  • User-47214744 posted

    There is no fix available, correct me if I'm wrong but this should only happen when you delete a binding to a site and my recommendation would be to use maybe AppCmd.exe for that. Or do you see it in other scenarios as well?

    Wednesday, July 14, 2010 4:09 PM
  • User-2068698782 posted
    This is exact: when I remove an https binding, the console shows me a warning telling me that there is a conflict between this site and another one (without telling me which one). When I push OK, my other sites (all others I think) stop working in https. Then, when I edit one binding and re-assign the generic (*) ssl certificate, it all restarts fine. Sometimes, I also have to recycle some pools, but not every time. In the event log, I see that a binding has been removed, and again, it does not tell me which one. If I edit the application.config directly, will my pools all recycle? Or else I will use appcmd or do it programmatically from a vbscript or any other technique.
    Wednesday, July 14, 2010 9:49 PM
  • User-2068698782 posted
    1 new addition to this topic. We just tried to use the Microsoft.Web.Management dotnet dll found in C:\Windows\System32\inetsrv, and when we remove our https binding using this dll, it generates the same error, and we have to re-enable the ssl binding (just open binding, edit ssl, then choose certificate, then save). So, this dll and the IIS management console use exactly the same code when saving the binding. We'll try to remove our binding using WMI, it may be the only solution. Because appcmd.exe is located in the same directory, it makes us think that it will produce the same error, but we have not tried it yet. If we remove the binding with notepad by editing the applicationhost.config directly, it works fine. We have to find a good solution other than notepad :D
    Thursday, July 15, 2010 3:43 PM
  • User-47214744 posted

    Indeed Microsoft.Web.Administration will have the same effect since IIS Manager is the API that it uses to do those changes. You will need to use either AHADMIN or AppCmd, none of those will have that problem.

    Thursday, July 15, 2010 4:43 PM
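
The split described in the answer (a per-site binding in applicationhost.config versus the shared ip:port certificate mapping in http.sys) and the AppCmd route suggested in the replies, written out as a PowerShell procedure. This is an added example, not code from any poster; the site name and binding string are constructed placeholders, and the binding string uses the ip:port:hostname order in which applicationHost.config stores bindingInformation.

```powershell
# Added example, not from the thread. Run from an elevated prompt.
param(
    [string]$SiteName    = 'webdav3',                    # hypothetical site name
    [string]$BindingInfo = '*:443:webdav3.example.com'   # hypothetical binding
)

$inetsrv = Join-Path $env:windir 'System32\inetsrv'
$config  = Join-Path $inetsrv 'config\applicationHost.config'
$appcmd  = Join-Path $inetsrv 'appcmd.exe'

# 1. Back up the configuration before changing anything.
Copy-Item $config "$config.bak-$(Get-Date -Format yyyyMMddHHmmss)"

# 2. Find every other https binding on the same ip:port. Those sites depend
#    on the same http.sys certificate mapping as the binding being removed.
#    Everything before the last colon is the endpoint (works for [IPv6] too).
$endpoint = $BindingInfo.Substring(0, $BindingInfo.LastIndexOf(':'))
[xml]$xml = Get-Content $config
$shared = foreach ($site in $xml.configuration.'system.applicationHost'.sites.site) {
    foreach ($b in $site.bindings.binding) {
        if ($b.protocol -eq 'https' -and
            $b.bindingInformation -ne $BindingInfo -and
            $b.bindingInformation.StartsWith($endpoint + ':')) {
            [pscustomobject]@{ Site = $site.name; Binding = $b.bindingInformation }
        }
    }
}
Write-Host "Other https bindings sharing ${endpoint}:"
$shared | Format-Table -AutoSize

# 3. Remove only the site-level binding element from applicationHost.config.
& $appcmd set site "/site.name:$SiteName" `
    "/-bindings.[protocol='https',bindingInformation='$BindingInfo']"
if ($LASTEXITCODE -ne 0) { throw "appcmd failed with exit code $LASTEXITCODE" }

# 4. Check that the ip:port -> certificate mapping in http.sys is still listed.
netsh http show sslcert
```

If step 2 lists other sites and the endpoint is missing from the `netsh http show sslcert` output afterwards, those sites have lost their certificate mapping and need it re-assigned.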
  • User598648738 posted

    Am I right that Microsoft doesn't want to fix this issue?

    It's definitely a problem of the IIS Manager.

    Notepad/AHADMIN/AppCmd is not a solution, it's a workaround. It's too risky to edit .config file manually.

    Monday, May 13, 2013 10:48 AM
  • User-2068698782 posted

    There is another issue we found with iis manager + ssl...

    We are using a Wildcard certificate from GoDaddy, and we CAN'T add any https binding in the console using that certificate, as if it were invalid!

    Seems like the wildcard godaddy ssl certificate contains something that iis management console doesn't like.

    But, we CAN in the notepad applicationhost.config file manually!

    So now, we must use notepad to remove AND add ssl binding!

    Please MS fix these SSL / Wildcard / Binding issues from the IIS management console. (Win 2008 R2)

    Monday, May 13, 2013 11:28 AM