多个SSL域到一个Azure云服务站点 [英] Multiple SSL domains to one Azure Cloud Service Site

问题描述

我们有一个在Windows Azure云服务上运行的网络应用程序，网址为 我们的app.cloudapp.net 。
我们从 my.ourapp.com 创建了一个CName记录，以指向此云服务。

我们现在要求允许其他网域（ my.secondapp.com strong>）准确访问在 my.ourapp.com 上显示的内容。

我们可以创建一个新的云部署，但我们不希望托管和维护一个单独的部署的额外成本。我们还考虑在除了443之外的端口上添加另一个https EndPoint，但是从我读过的端口，这意味着我们的用户必须使用：444后缀浏览我们的网站。

在互联网上做了一些挖掘后，我们遇到了这篇文章： http://www.vic.ms/microsoft/windows-azure/multiples-ssl-certificates-on-windows-azure-cloud-services/ 。它说，使用IIS8和SNI，我们可以有一个云服务的多个证书。

但是，我们无法使其工作 - 导航到 my.secondapp.com 会显示证书警告，说明所提供的证书实际上是 my.ourapp.com 。

以下是更多指针：

• my.ourapp.com 和 my.secondapp.com 似乎已正确安装（一个通过通常的Azure方法，一个通过SNI代码在上面的文章）。当我远程访问我们的网络角色并去ISS时，他们都在服务器证书部分。




• 不知道这是否有所作为，但我读了一些文章前面：在MMC中的Web主机部分没有证书。我手动添加了证书管理单元，并导入了 my.secondapp.com 证书，但无效。




• 在IIS中，我们在我们的服务器下有一个常见的Azure web角色网站 - 类似于RD0001683008。当我查看网站绑定选项时，我看到：

主机名 | 端口 | IP
$ b

http | （空白） | 80 | 10.26.130.10

https | （空白） | 443 | 10.26.130.10

https | my.secondapp.com | 443 | 10.26.130.10

• 我试图在前两行的主机名部分输入 my.ourapp.com ，希望只能选择而不是 my.secondapp.com ，但没有运气。我试图将IP地址的组合更改为所有未分配，但再次，没有运气。




• 我已删除 my.secondapp.com / strong>，并在IIS中添加了与 my.ourapp.com （相同的应用程序池和网络空间）相同的详细信息的新网站。




• 另一件需要注意的事情是，这是一个不可用的服务，但是我不确定是否应该继续探索这个选项。 SSL证书本身。它由第三方生成，与我们拥有的 my.ourapp.com 证书略有不同。通常，我们得到一个.crt文件，并将其导出为.pfx。当我尝试导出新的证书时，.pfx选项是灰色的，我只能选择.cer。我做了一些魔术，并设法导入，不知何故将其导出到pfx，提供一个密码。也许第三方应该在过程中早些时候用密码创建证书？此外，第三方提供了三个证书（AddTrustExternalCARoot.crt，my_secondapp_com.crt，PositiveSSLCA2.crt）。我只使用my_secondapp_com.crt - 应该使用其他人还是链接他们？




• 打开证书本身表示此证书用于以下目的： 并具有通常的确保远程计算机的身份，证明您的身份到远程计算机。但也有另外两条线1.3.6.1.4.1.6449.1.2.2.7和2.23.140.1.2.1，这不在我们有任何其他证书。




• 最后，在蓝色门户的证书部分查看证书。新证书的主题有CN = my.secondapp.com，OU = PositiveSSL，OU =由托管爱尔兰托管，OU =域控制验证，而我们的正常证书有更多的选择：CN = my.ourapp.com ，OU =域控制验证 - RapidSSL（R），OU =请参见www.rapidssl.com/resources/cps（c）11，OU = GT1234567，O = my.ourapp.com，C = IE，SERIALNUMBER = sOmESerIalNumBEr。这可能与它有关吗？

对不起，长的问题 - 我想尽可能多的细节可能会有帮助。

我真的很感激任何帮助。

解决方案

为了防止其他人需要帮助，有两个问题：

1. 我使用的SSL证书没有正确链接。如果您从提供商获得3个证书，您需要使用IIS和MMC正确安装它们。有关详情，请参见此处。


2. SNI文章确实有效。我们的问题是约束性秩序。我们结束了以下订单：

正如你所看到的，我们必须玩弄这个工作，但是下面的绑定意味着两个域都指向同一个

您会注意到我们已在 my.ourapp.com 中添加两次 - 启用和一个IP地址和其他没有。 SNI不能在Windows XP上使用IE - 我们添加了最后一个选项作为默认，非SNI绑定，所以我们的主域总是工作，即使在IE& XP。

希望能帮助别人。

We have a web application running on Windows Azure Cloud Service at ourapp.cloudapp.net. We created a CName record from my.ourapp.com to point to this cloud service. This domain is secured with SSL.

We now have a requirement to allow a different domain (my.secondapp.com) access exactly what is seen on my.ourapp.com.

We could create a new cloud deployment but we don't want the extra cost to host and maintain a seperate deployment. We also thought about adding another https EndPoint on a port other than 443 but from what I have read, this meant our users would have to navigate our site with the ":444" suffix.

After doing some digging on the internet - we came across this article: http://www.vic.ms/microsoft/windows-azure/multiples-ssl-certificates-on-windows-azure-cloud-services/ . It states that using IIS8 and SNI we can have multiple certificates for one cloud service.

However, we can't get this to work - navigating to my.secondapp.com gives a certificate warning saying the cert provided is actually for my.ourapp.com.

Here are some more pointers:

• The cert for both my.ourapp.com and my.secondapp.com appear to be installed correctly (one via the usual Azure method and one via the SNI code in the article above). When I remote into our web roles and go to ISS - they are both present in the 'Server Cerificates' section.

• Not sure if this makes a difference, but I read it on some article earlier: there are no certificates in the "Web Hosting" section in the MMC. I manually added a Snap-In for Certificates and imported the my.secondapp.com cert but to no avail.

• In IIS we have the usual Azure web role site under our server - something like 'RD0001683008'. When I look at the Site Binding options I see:

Type | Hostname | Port | IP

http | (blank) | 80 | 10.26.130.10

https | (blank) | 443 | 10.26.130.10

https | my.secondapp.com | 443 | 10.26.130.10

• I tried to enter my.ourapp.com into the hostname part in the first two lines hoping that it would only pick up that hostname and not my.secondapp.com, but no luck. I tried changing a combinationg of IP addresses to 'All Unassigned' but again, no luck. Would I need to restart the site or application pool?

• I removed the binding for my.secondapp.com and added a new Site in IIS with the same details as my.ourapp.com (same Application Pool and web space). This did give me a 503 Service Unavailable which was something different, but I'm not sure if I should continue exploring this option.

• Another thing to note is the SSL cert itself. It was generated by a third party and is somewhat different to the my.ourapp.com cert we have. Usually, we get one .crt file and export this to .pfx. When I try to export the new cert, the .pfx options are greyed out and I can only choose .cer. I did some magic and managed to import and somehow export it to pfx, providing a password along the way. Maybe the third party should of created the cert with a password earlier in the process? Also, the third party provided three certs (AddTrustExternalCARoot.crt, my_secondapp_com.crt, PositiveSSLCA2.crt). I only used my_secondapp_com.crt - should I use the others or chain them?

• Opening the cert itself states that "This cert is intended for the following purposes:" and has the usual "Ensures the identity of a remote computer", "Proves your identity to a remote computer". But also has two other lines "1.3.6.1.4.1.6449.1.2.2.7" and "2.23.140.1.2.1" which aren't on any other cert we have.

• Finally, when looking at the cert in the Certificates section in the azure portal. The subject for the new cert has "CN=my.secondapp.com, OU=PositiveSSL, OU=Hosted by Hosting Ireland, OU=Domain Control Validated" while our normal cert has many more options: "CN=my.ourapp.com, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)11, OU=GT1234567, O=my.ourapp.com, C=IE, SERIALNUMBER=sOmESerIalNumBEr". Could this have something to do with it?

Sorry for the long question - I thought giving as much detail as possible might help.

I'd really appreciate any help.

解决方案

Just in case someone else needs help on this, there were two problems:

1. The SSL cert I was using wasn't chained correctly. If you get 3 certs from your provider, you need to install them correctly using the IIS and MMC. See here for more info.
2. The SNI article did work. The problem for us was the binding order. We ended up the following order:

As you can see we had to play around to get this to work but the following bindings meant that both domains would point to the same web application.

You will notice that we have added in my.ourapp.com twice - one with SNI enabled and an IP address and the other without. SNI does not work with IE on Windows XP - we added the last option as a default, non-SNI binding so our main domain would always work, even on IE & XP.

Hope that helps someone.

这篇关于多个SSL域到一个Azure云服务站点的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！