Welcome to ISAserver.org


Wildcard SSL error

Wildcard SSL error - 18.Aug.2004 8:59:00 PM   
stefanavg

 

Posts: 31
Joined: 18.Aug.2004
From: Belgium
Status: offline
Greetings,

I'm having trouble configuring my setup with a wildcard SSL.

Setup:

1 ISA server
1 webserver: hosting 3 websites

WEBSERVER  test1.domain.com cert CN = test1.domain.com |
           test2.domain.com cert CN = test2.domain.com | <- ISA: Cert CN = *.domain.com
           test3.domain.com cert CN = test3.domain.com |

A) I use a public test cert from THAWTE, *.domain.com, that I have bound to a weblistener on my ISA. I have 10 weblisteners.
B) I have 3 websites on 1 webserver, each of which I have issued a certificate from my W2K subCA, as drawn above. Connection is based on host headers.
C) I created a web publishing rule for each website.

Situation:

Only 1 website, test1.domain.com, can be reached if I use the "redirect SSL traffic as SSL requests" option.
The other 2 websites can only be reached when I use the "redirect SSL traffic as HTTP" option; when I use the "redirect SSL traffic as SSL requests" option I get the famous:

500 Internal Server Error - The target principal name is incorrect.
-2146893022
Internet Security and Acceleration Server

Have I forgotten something?

Txs for the feedback,

Stefan
Post #: 1
RE: Wildcard SSL error - 19.Aug.2004 8:52:00 AM   
ljp1967

 

Posts: 192
Joined: 23.Sep.2003
From: Australia
Status: offline
hi stefanavg,

have you got your dns resolution set up properly...?

you may need to edit the "host" file on your isa to include the other FQDNs for your multiple websites...

ie:
internal ip of web server test1.domain.com
internal ip of web server test2.domain.com
internal ip of web server test3.domain.com

Then in your web publishing rules make sure the destination is the FQDN, not an ip address or the internal name of the webserver....(also use original host header checkbox)

HTH,
ljp

(in reply to stefanavg)
Post #: 2
RE: Wildcard SSL error - 19.Aug.2004 9:12:00 AM   
stefanavg

 

Posts: 31
Joined: 18.Aug.2004
From: Belgium
Status: offline
ljp,

Thanks for your reply.

My host file includes all 3 webservers (name resolution is working fine)
My 3 publishing rules are all configured using the FQDN of the websites (3 FQDN, 1 IP address) and the original hostheader option is checked.

BTW this is an ISA 2000 server and W2K SP4 webserver.

Greetz,

Stefan

(in reply to stefanavg)
Post #: 3
RE: Wildcard SSL error - 19.Aug.2004 12:54:00 PM   
ljp1967

 

Posts: 192
Joined: 23.Sep.2003
From: Australia
Status: offline
Hi stefanavg,

The only thing I can think of is maybe your certificates haven't been imported into ISA properly....check these MS Kb articles....

http://support.microsoft.com/default.aspx?kbid=292569

http://support.microsoft.com/default.aspx?scid=kb;en-us;837350

The ISA server has to be able to read the private key in the cert....one way to test is to open the cert in cert mmc on your isa and do a copy to file option, if the export private key option is not available, then you will need to re-export from the website (including the private key [marked as exportable])...

HTH,
ljp

(in reply to stefanavg)
Post #: 4
RE: Wildcard SSL error - 19.Aug.2004 4:34:00 PM   
stefanavg

 

Posts: 31
Joined: 18.Aug.2004
From: Belgium
Status: offline
ljp,

Txs for your reply, I found the problem.

It actually is a host header in combination with SSL problem.

I used only 1 IP address for my webserver, and differentiated them by host header.

The problem is that the host header info is encapsulated in the SSL encryption and so the website, upon receiving the request, has no clue what to do with the demand.

I added 2 IP addresses so each website has 1 IP address and everything works fine.

txs for your feedback,

Greetings,

Stefan

(in reply to stefanavg)
Post #: 5
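
The cause found in post #5, modelled as an added example that is not part of the original thread or of any ISA/IIS code: the web server has to choose its certificate from the IP:port the connection arrives on, before the encrypted Host header is readable, and ISA then compares that certificate's CN with the FQDN in the publishing rule. The IP addresses and function names are constructed for illustration, and the one-certificate-per-IP:port binding (no SNI) is an assumption consistent with the fix described.

```python
# Added illustration: models certificate selection on the ISA -> web server leg.
# IPs are constructed sample values; hostnames and CNs are taken from the thread.

def name_matches(cert_cn, host):
    """CN check with left-most-label wildcard support (e.g. *.domain.com)."""
    cn, host = cert_cn.lower().split("."), host.lower().split(".")
    if len(cn) != len(host):
        return False
    return (cn[0] == "*" or cn[0] == host[0]) and cn[1:] == host[1:]

def server_certificate(bindings, ip, port=443):
    """Without SNI the server knows only the socket (ip, port) at handshake
    time; the Host header arrives later, inside the encrypted stream."""
    return bindings[(ip, port)]

def bridge(hosts_file, bindings, fqdn):
    """Assumed model of SSL bridging: resolve the rule's FQDN, connect, and
    compare the presented CN with that FQDN."""
    cn = server_certificate(bindings, hosts_file[fqdn])
    if name_matches(cn, fqdn):
        return "200 OK"
    return "500 The target principal name is incorrect"

def hresult_hex(signed_code):
    """Render the signed 32-bit code from the error page in hex.
    -2146893022 is 0x80090322, SEC_E_WRONG_PRINCIPAL."""
    return "0x%08X" % (signed_code & 0xFFFFFFFF)

SITES = ["test1.domain.com", "test2.domain.com", "test3.domain.com"]

# Before: three sites share one IP, so one certificate answers for all on :443.
ONE_IP_HOSTS = {s: "10.0.0.10" for s in SITES}
ONE_IP_BINDINGS = {("10.0.0.10", 443): "test1.domain.com"}

# After: one IP per site, each IP:443 bound to that site's own certificate.
PER_IP_HOSTS = {s: "10.0.0.1%d" % i for i, s in enumerate(SITES)}
PER_IP_BINDINGS = {(ip, 443): s for s, ip in PER_IP_HOSTS.items()}

def results(hosts_file, bindings):
    return {s: bridge(hosts_file, bindings, s) for s in SITES}

if __name__ == "__main__":
    print(results(ONE_IP_HOSTS, ONE_IP_BINDINGS))   # test2/test3 fail
    print(results(PER_IP_HOSTS, PER_IP_BINDINGS))   # all three succeed
    print(hresult_hex(-2146893022))
```

The wildcard listener certificate only covers the client-to-ISA leg; the mismatch in this model arises on the second leg, where each backend name needs a certificate that matches it.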
