User1696166799 posted
I'm having a strange issue with IIS8.5 on Windows 2012 Server trying to select a wildcard SSL cert for site bindings with SNI flag enabled. Earlier I had a single SSL certificate to be selected for all bindings and hence I did not need to set SNI flag
for bindings, but to support multiple SSL certs on a single IP, I had to make this change.
I am able to assign the SSL cert to binding if I do not set the SNI flag.
Here is what I did:
I copied my new wildcard SSL certificate to WebHosting store of my Local Machine.
Now there are two ways to assign the Certificate Hash for the binding through C#:
1. binding["certificateHash"] =<<ThumbPrint of the certificate>>
2. using X509Store i.e.
var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.OpenExistingOnly);
var certificate = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, true);
binding.CertificateHash = certificate[0].GetCertHash();
In both the cases, binding is added successfully to the site, however, no certificate is selected for the binding and I get the following error:
Error: Attempted to access an unloaded appdomain. (Exception from HRESULT: 0x80131014)
Stack Trace:
System.StubHelpers.StubHelpers.InternalGetCOMHRExceptionObject(Int32 hr, IntPtr pCPCMD, Object pThis, Boolean fForWinRT) at System.StubHelpers.StubHelpers.GetCOMHRExceptionObject(Int32 hr, IntPtr pCPCMD, Object pThis) at Microsoft.Web.Administration.Interop.IAppHostMethodInstance.Execute()
at Microsoft.Web.Administration.BindingManager.Save() at Microsoft.Web.Administration.ServerManager.CommitChanges()
Am I doing something wrong with the configurations or CERT installations? Below is the full code for your reference:
private void AddBindings(string thumbprint)
{
string ports = "443" ;
string protocols = "https" ;
using (ServerManager serverManager = new ServerManager())
{
var site = serverManager.Sites.FirstOrDefault(s => s.Name.Equals(siteName, StringComparison.OrdinalIgnoreCase));
if (site != null)
{
BindingCollection bindingCollection = site.Bindings;
Binding binding = site.Bindings.CreateElement("binding");
binding["protocol"] = protocols;
var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.OpenExistingOnly);
var certificate = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, true);
if (certificate.Count > 0)
{
binding.CertificateHash = certificate[0].GetCertHash();
binding.CertificateStoreName = "Personal";
}
binding["sslFlags"] = 1;
binding["bindingInformation"] = string.Format(CultureInfo.InvariantCulture, "{0}:{1}:{2}", "*", ports, HostName);
bindingCollection.Add(binding);
serverManager.CommitChanges();
}
}
}
In above code, thumprint is passed for the wildcard SSL depending on the host name for the site.
Note: One thing I want to add here is that bindings are added fine when done manually through user interface in IIS. I am facing this issue only when trying to create bindings at runtime through C#, Microsoft.Web.Administration
