Yesterday I drinked 200 gr. of Vodka yesterday Night, it was pretty refreshing for me but I got drunk a little.I'm smoking again … Things are going bad in my life recently. I have health issues. And I intend to go to doctor today.Yesterday I went to the polyclinic but my personal Dr. Nikolay was not there (I was angry, I went to doctor once in years and he is not there) so I'll try again today. I had pains somewhere around the stomach. At least at work things are going smoothly at least God hears my prayers about this. I'm very confused and I have completely no idea what to do with my life. Yesterday I was out with Lily and Kiril on the fountain. The previous day Nomen, I, Yavor, Kiro and Bino went to the "Kobaklyka" (a woody place which is close to Dobrich.) Well that's most of what's happening lately with my life. I wrote a little script to make that nautilus to get restarted if it starts burning the cpu. It's a dumb script (the bad thing is that I'm loosing form scripting, Well I don't script much lately). Here is the script http://pcfreak.d-bg.net/bshscr/restart_nautilus.sh https://www.pc-freak.net/bshscr/restart_nautilus.sh. The days before the 4 days weekend, I hat to spend a lot of time on one of the servers fighting with Spammers. Hate spammers really! I ended removing bounce messages at all for one of the domains, which fixed the bounce spam method spammers use (btw qmail's chkuser seems to not work properly for some reason) … Also I started watching Stargate – SG1. First I thought it's a stupid sci-fi serial. But after the first serie I now think it has it's good moments :]. Also I had something like a Mortification Day going on during Monday. The whole day I listened to Mortification (The first Christian Death Metal Band). I Liked much the "Hammer of God" album. In the evening Sabin (Bino) came home and we watched some Mortification videos at Youtube. Right now I listen again to "Ever – Idyll" a pretty great song. And yeah I keep listening to ChristianIndustrial.net a lot, a great radio. Try it if you haven't!END—–
How to redirect / forward all postfix emails to one external email address?
October 29th, 2020
Lets say you're a sysadmin doing email migration of a Clustered SMTP and due to that you want to capture for a while all incoming email traffic and redirect it (forward it) towards another single mailbox, where you can review the mail traffic that is flowing for a few hours and analyze it more deeper. This aproach is useful if you have a small or middle sized mail servers and won't be so useful on a mail server that handels few hundreds of mails hourly. In below article I'll show you how.
How to redirect all postfix mail for a specific domain to single external email address?
There are different ways but if you don't want to just intercept the traffic and a create a copy of email traffic using the always_bcc integrated postfix option (as pointed in my previous article postfix copy every email to a central mailbox). You can do a copy of email flow via some custom written dispatcher script set to be run by the MTA on each mail arriva, or use maildrop filtering functionality below is very simple example with maildrop in case if you want to filter out and deliver to external email address only email targetted to specific domain.
If you use maildrop as local delivery agent to copy email targetted to specifidc domain to another defined email use rule like:
if ( /^From:.*domain\.com/:h ) {
cc "!someothermail@domain2.com"
}
To use maildrop to just forward email incoming from a specific sender towards local existing email address on the postfix to an external email address use something like:
if ( /^From: .*linus@mail.example.com.*/ )
{
dotlock "forward.lock" {
log "Forward mail"
to "|/usr/sbin/sendmail linuxbox@collector.example.com"
}
}
Then to make the filter active assuming the user has a physical unix mailbox, paste above to local user's $HOME/.mailfilter.
What to do if your mail delivered via your Email-Server.com are sent from a monitoring and alarming scripts that are sending towards many mailboxes that no longer exist after the migration?
To achive capturing all normal attempted to be sent traffic via the mail server, we can forward all served mails towards a single external mail address you can use the nice capability of postfix to understand PCRE perl compatible regular expressions. Regular expressions in postfix of course has its specific I recommend you take a look to the postfix regexp table documentation here, as well as check the Postfix Regex / Tester / Debugger online tool – useful to validate a regexp you want to implement.
How to use postfix regular expression to do a redirect of all sent emails via your postfix mail relayhost towards external mail servers?
In main.cf /etc/postfix/main.cf include this line near bottom or as a last line:
virtual_maps = hash:/etc/postfix/virtual, regexp:/etc/postfix/virtual-regexp
One defines the virtual file which can be used to define any of your virtual domains you want to simulate as present on the local postfix, the regexp: does load the file which is read by postfix where you can type the regular expression applied to every incoming email via SMTP port 25 or encrypted MTA ports 385 / 995 etc.
So how to redirect all postfix mail to one external email address for later analysis?
Create file /etc/postfix/virtual-regexp
/.+@.+/ external-forward-email@gmail.com
Next build the mapfile (this will generate /etc/postfix/virtual-regexp.db )
# postmap /etc/postfix/virtual-regexp
This also requires a virtual.db to exist. If it doesn't create an empty file called virtual and run again postmap postfix .db generator
# touch /etc/postfix/virtual && postmap /etc/postfix/virtual
Note in /etc/postfix/virtual you can add your postfix mail domains for which you want the MTA to accept mail as a local mail.
In case you need to view all postfix defined virtual domains configured to accept mail locally on the mail server.
$ postconf -n | grep virtual
virtual_alias_domains = mydomain.com myanotherdomain.com
virtual_alias_maps = hash:/etc/postfix/virtual
The regexp /.+@.+/ external-forward-email@gmail.com applied will start forwarding mails immediately after you reload the MTA with:
# systemctl restart postfix
If you want to exclude target mail domains to not be captured by above regexp, in /etc/postfix/virtual-regexp place:
/.+@exclude-domain1.com/ @exclude-domain1.com
/.+@exclude-domain2.com/ @exclude-domain2.com
Time for a test. Send a test email
Next step is to Test it mail forwarding works as expected
# echo -e "Tseting body" | mail -s "testing subject" -r "testing@test.com" whatevertest-user@mail-recipient-domain.com
Postfix copy every email to a central mailbox (send a copy of every mail sent via mail server to a given email)
October 28th, 2020
Say you need to do a mail server migration, where you have a local configured Postfix on a number of Linux hosts named:
Linux-host1
Linux-host2
Linux-host3
etc.
all configured to send email via old Email send host (MailServerHostOld.com) in each linux box's postfix configuration's /etc/postfix/main.cf.
Now due to some infrastructure change in the topology of network or anything else, you need to relay Mails sent via another asumably properly configured Linux host relay (MailServerNewHost.com).
Usually such a migrations has always a risk that some of the old sent emails originating from local running scripts on Linux-host1, Linux-Host2 … or some application or anything else set to send via them might not properly deliver emails to some external Internet based Mailboxes via the new relayhost MailServerNewHost.com.
E.g. in /etc/postfix/main.cf Linux-Host* machines, you have below config after the migration:
relayhost = [MailServerNewHost.com]
Lets say that you want to make sure, that you don't end up with lost emails as you can't be sure whether the new email server will deliver correctly to the old repicient emails. What to do then?
To make sure will not end up in undelivered state and get lost forever after a week or so (depending on the mail queue configuration retention period made on Linux sent MTAs and mailrelay MailServerNewHost.com, it is a very good approach to temprorary set all email communication that will be sent via MailServerNewHost.com a BCC emaills (A Blind Carbon Copy) of each sent mail via relay that is set on your local configured Postfix-es on Linux-Host*.
In postfix to achieve that it is very easy all you have to do is set on your MailServerNewHost.com a postfix config variable always_bcc smartly included by postfix Mail Transfer Agent developers for cases exactly like this.
To forward all passed emails via the mail server just place in the end of /etc/postfix/mail.conf after login via ssh on MailServerNewHost.com
always_bcc=All-Emails@your-diresired-redirect-email-address.com
Now all left is to reload the postfix to force the new configuration to get loaded on systemd based hosts as it is usually today do:
# systemctl reload postfix
Finally to make sure all works as expected and mail is sent do from do a testing via local MTAs.
Linux-Host:~# echo -e "Testing body" | mail -s "testing subject" -r "testing@test.com" georgi.stoyanov@remote-user-email-whatever-address.com
Linux-Host:~# echo -e "Testing body" | mail -s "testing subject" -r "testing@test.com" georgi.stoyanov@sample-destination-address.com
As you can see I'm using the -r to simulate a sender address, this is a feature of mailx and is not available on older Linux Os hosts that are bundled with mail only command.
Now go to and open the All-Emails@your-diresired-redirect-email-address.com in Outlook (if it is M$ Office 365 MX Shared mailbox), Thunderbird or whatever email fetching software that supports POP3 or IMAP (in case if you configured the common all email mailbox to be on some other Postfix / Sendmail / Qmail MTA). and check whether you started receiving a lot of emails 🙂
That's all folks enjoy ! 🙂
Saint Markianos and Martyrios a church reader and sub-deacon holy martyrs for Christ – The feast of Sub-deacons
October 25th, 2020
Saint Markianos (Saint Markian) and Martyrios are little known saints in the Western realm and there is too little of information in English about this two early martyrs who lived circa year 340. What is special about them is that besides being a strong confessors of the True Eastern Orthodox faith, they served in the Church as simple 'reader' and 'sub-deacon'. This two designations were very much respected in the early Church as sub-deacons were usually the ones who have served in the Church inseparable as a Church service helpers to the patriarchs or some high clergy as Metropolitans and Bishops. We have many saints in the Church that are from a simple warriors as Saint Georg and Saint Dimitrios the Wonderworker (The MyrhBringer) to monks, bishops, patriarchs and pretty much all kind of people from the society from the begger to the richest and most famous kings and queens. However it is rare to meet in the ( Act of the Martyrs – latin: Acta Martyrum), to find canonized saints that were in the lowest step in Church hierarchy as a simple 'psalm' and holy writtings reader or a sub-deacon. A Sub-deacon for those who don't know is a pearon that is a like a servant helper to the priest or bishop) that has been responsible for helping with the Church service and resolution of material and administrative needs of the christian community.
Usually in the Eastern Orthodox Church, the church reader or sub-deacons were and asre still called hipodeacon or "ipodiakon" in Greek / Slavonic church language), they didn't have the right at that early ages of christianity to publicly teach on faith matters or do apologetics (defendings of faith), however this 2 saintly man Markianos and Martyrios seem to have been a burning with the power of the spirit of God in their heart and the situation they were put in when the Church was under persecution and the patriarch Paul of Constantinople I (was patriarch from 340 ~ 350 AD). Saint Paul removed from his Church headship sent to Exile in Armenia and some time after drawned. He is commemorated in the Church on 6th of November. Hence considering situation St. Markian and Martyrius had to either defend and die for the faith or be scared and run away far in the caves or distant places of the empire such as villages on the outskits far away from the center city Rome …
The Heresy of Arius has been the most modern and the new modified faith claiming Christianity gathering followers in a viral way, and due to that the Arians have been in position where most of the public authorities in the Roman empire has been on their side against the Orthodox Christians.
Due to that in the church communities in near and distant lands of empire, the Arians were fiercely persecuting the Orthodox, and for a time even Emperor Saint Constantine The Great were deceived by their hypocrisy. It was terrible times for true confessors of faith. But not only Arians were persecuting Christians, as paganism were still deeply rooted in many of the lands and the Edict of Mediolan who gave equal rights to the religion in AD 313 was not strictly followed and senators of Roman regions with Paganist beliefs, were also harshly raising persucutions against their enemies the Christians who according to them are destroying the ancient culture and beautfy of paganism, not venerating the old pagan gods and against the wicked debauchery customs who were followed by pagans in 3rd / 4th century.
Practically everyone who have admitted publicly Jesus Christ as a Creator of the World and a Son of God one hipostasys of the Holy Trinity God The Father, The Son and the Holy Spirit, were captured put to prison and quickly executed, if they don't turn out from their christian beliefs.
Arians has taken a lead even more with the set on the throne of Emperor Constantius II the son of Constantine I-st, as he has also fallen in the Arianism* heresy and who has taken in the court as a close advisory Eusebius and Philip who due to their half-pagan half-arian half superstitious understanding of the world have led a fierce war against Christianity and did a lot of evils to Christ Church.
* Arianism – believes that Jesus Christ is the Son of God, who was begotten by God the Father, and is distinct from the Father (therefore subordinate to him), but the Son is also God the Son but not co-eternal with God the Father. Arian theology was first attributed to Arius (c. AD 256–336), a Christian presbyter in Alexandria of Egypt.
saint-Markian-and-Saint-Martirios-cleargymen-church-martyrs-3rd-century.jpg
Until dethronment of Patriarch Paul I, St. Markianos and St. Martyrios have been a notaries of St. Paul (a typist to the patriarch and a kind of personal secretaries of the Patriarch) besides serving as Church reader and sub-deacon. They were famous for their time with their warm preaching of the Words of God – the Gospel of the Christ following the example of the apostles. Due to the raising heresies they also take an active part in writting many documents against the heretical "arians" and so called "macedonians" who teached anti-christian teachings who were newly invented and unknown to the ancient church teachings. They've had a special gift from God to be able to speak in a way to defend the faith so noone with his knowledge or high-education couldn't stand overcome them in disputes on church matters and many times they have disputed with Arian heretics exposing their fallacy (delusions) putting them to shame.
After the exile of Patriarch Paul heresy-archs arians turned their poisonous hatred against the patriarch two pupils Markianos and Martyrios. Craftly acting they acted slyly with a craftul lie and promised them a lot of gold a good place in the emperor's court, to raise them in the church hierarcy (in the part of the church which was already confessing arian heresy) and give them a lot of privileges from the king with the condition to accept, support and confess arianism.
But God's servents despised everything from this world, rejected the offered golden gifts, preferred eternal Heavenly honors than short and vain worldly and even laughed at them.
As Arians saw nothing can't convince them to their malice teaching, heretics condemned them to death, which was desired by the confessors (which remembered well the exile and the manly martyrdom of their teacher St. Patriarch Paul) and with all their being desired to be with Christ in the Eternal prepared palaces, where life will be without end in never ending bliss as promised by Christ in the Holy Scriptures. They preferred Christ more than the temporary life enjoyments.
When brought to the place of the execution of their false made accusement and sentence for being blasphemers of Christ, two saints asked for a small time
to pray. Brough up their eyes to the heaven and prayed with the words:
" – Oh Lord, who have unseenly created our hearts, who arrange all our deeds – "He formed the hearts of them all; he understands everything they do." (Psalm 33:15), receive with peace the souls of your servents, because we're mortified for your name – "Yet for Your sake we are killed all day long; We are accounted as sheep for the slaughter." (Psalm 44:22). We're joyful that you give us such a death, we depart from this life because of your name. Let us to participate in the eternal life in You, the source and giver of life."
Praying with this words, they bowed their holy heads and under sword and was killed by beheading by the unfortunate arians because of their confession of the divinity of Christ as true uncreated Son of God who existed before all ages before the creation of the world as we Christians believe to this date.
Some of the Christians took their holy relics and buried them outside the Melandissia Gate of the Constantinople. Later Saint John of Chrysostom built a church in their name over the place of their miracle-working relics. There the sick for many ages received divine healings of different incurable diseases by the prayers of the holy martyrs of God, Praised in Trinity in all ages.
By the prayers of your Holy Martyrs St. Markianos and Martyrios Lord Jesus Christ have mercy on us !
Set Domain multiple alias (Aliases) in IIS on Windows server howto
October 24th, 2020
On Linux as mentioned in my previous article it is pretty easy to use the VirtualHost Apache directive etc. to create ServerName and ServerAlias but on IIS Domain multiple alias add too me a while to google.
<VirtualHost *>
ServerName whatevever-server-host.com
ServerAlias www.whatever-server-host.com whatever-server-host.com
</VirtualHost>
In click and pray environments as Winblows, sometimes something rather easy to be done can be really annoying if you are not sure what to do and where to click and you have not passed some of the many cryptic microsoft offered ceritification programs offer for professional sysadmins, I'll name a few of them as to introduce UNIX guys like me to what you might ask a M$ admin during an interview if you want to check his 31337 Windows Sk!lls 🙂
- Microsoft Certified Professional (MCP)
- Microsoft Technology Associate (MTA) –
- Microsoft Certified Solutions Expert (MCSE)-
- Microsoft Specialist (MS) etc. –
A full list of Microsoft Certifed Professsional program here.
Ok enough of balling.
Here is how to create a domain alias in IIS on Windows server.
Login to your server and click on the START button then ‘Run’¦’, and then type ‘inetmgr.exe’.
Certainly you can go and click trough the Administrative tools section to start ISS manager, but for me this is fastest and easiest way.
Now expand the (local computer), then ‘Web Sites’ and locate the site for which you want to add alias (here it is called additional web site identification).
Right click on the domain and choose ‘Properties’ option at the bottom.
This will open the properties window where you have to choose ‘Web Site’ and then to locate ‘Website identification‘ section. Click on the ‘Advanced’¦’ button which stands next to the IP of the domain.
Advanced Web site identification window (Microsoft likes to see the word ‘Advanced’ in all of the management menus) will be opened, where we are going to add a new domain alias.
Click on the ‘Add’¦’ button and ‘Add/Edit website (alias)identification’ window will appear.
Make sure that you will choose the same IP address from the dropdown menu, then set the port number on which your web server is running (the default is 80), write the domain you want, and click ‘OK’ to create the new domain alias.
Actually click ‘OK’ until you have ‘Advanced Web site identification’ and the domain properties windows closed.
Right click on the domain again and ‘Stop’ and ‘Start’ the service.
This will be enough the IIS domain alias to start working.
Another useful thing for novice IIS admins that come from UNIX is a domain1 to domain2 redirect, this is done with writting an IIS rule which is an interesting but long topic for a limited post as like this, but just for the reference of fun to let you know this exist.
Domain 1 to Domain 2 Redirect
This rule comes handy when you change the name of your site or may be when you need to catch and alias and direct it to your main site. If the new and the old URLs share some elements, then you could just use this rule to have the matching pattern together with the redirect target being
That's all folks, if you enjoyed the clicking laziness you're ready to retrain yourself to become a successful lazy Windows admin who calls Microsoft Support everyday as many of the errors and problems Windows sysadmins experience as I heard from a friend can only be managed by M$ Support (if they can be managed at all).
Yes that's it the great and wonderful life of the avarage sysadmin. Long live computing … it's great! Everyday something broken needs to get fixed everyday something to rethink / relearn / reupdate and restructure or migrate a never ending story of weirdness.
A remark to make, the idea for this post is originated based on a task I had to do long time ago on IIS, the images and the description behind them are taking from a post originally written on Domain Aliasing in IIS originally written by Anthony Gee unfortunately his blog is not available anymore so credits goes to him.
How to restart Microsoft IIS with command via Windows command line
August 19th, 2011
I'm tuning a Windows 2003 for better performance and securing it against DoS of service attacks. After applying all the changes I needed to restart the WebServer for the new configurations to take effect.
As I'm not a GUI kind of guy I found it handy there is a fast command to restart the Microsoft Internet Information Server. The command to restart IIS is:
c:> iisreset
Start Stop Restart Microsoft IIS Webserver from command line and GUI
April 17th, 2014
For a decomissioning project just recently I had the task to stop Microsoft IIS on Windows Server system.
If you have been into security for a while you know well how many vulnerabilities Microsoft (Internet Information Server) Webserver used to be. Nowadays things with IIS are better but anyways it is better not to use it if possible …
Nomatter what the rason if you need to make IIS stop serving web pages here is how to do it via command line:
At Windows Command Prompt, type:
net stop WAS
If the command returns error message to stop it type:
net stop W3SVC
Just in case you have to start it again run:
net start W3SVC
For those who prefer to do it from GUI interface, launch services.msc command from Windows Run:
> services.msc
In list of services lookup for
IIS Admin Service and HTTP SSL
a) (Click over it with right mouse button -> Properties)
b) Set Startup type to Manual
c) Click Stop Button
You're done now IIS is stopped to make sure it is stopped you can run from cmd.exe:
telnet localhost 80
when not working you should get 'Could not open connection to the host. on port 80: Connection failed' like shown up in screenshot.
How to check Microsoft IIS webserver version
July 21st, 2014
If you have to tune some weirdly behaviour Microsoft IIS (Internet Information Services) webserver, the first thing to do is to collect information about the system you're dealing with – get version of installed Windows and check what kind of IIS version is running on the Windows server?
To get the version of installed Windows on the system you just logged in, the quickest way I use is:
Start -> My Computer (right mouse button) Properties
Run regedit from cmd.exe and go and check value of registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\MicrosoftInetStp\VersionString
As you can see in screenshot in this particular case it is IIS version 6.0.
An alternative way to check the IIS version in some cases (if IIS version return is not disabled) is to telnet to webserver:
telnet your-webserver 80
Once connected Send:
HEAD / HTTP/1.0
Also on some Windows versions it is possible to check IIS webserver version from Internet Information Services Management Cosnole:
To check IIS version from IIS Manager:
Start (button) -> Control Panel -> Administrative Tools -> "Internet Information Services" IIS Manager
From IIS Manager go to:
Help -> About Microsoft Management Console
Here is a list with most common IIS version output you will get depending on the version of Windows server:
Windows NT 3.51 1.0
Windows NT 4 2.0-4.0
Windows Server 2000 5.0
Windows XP Professional 5.1
Windows Server 2003 6.0
Windows Vista 7.0
Windows Server 2008 7.0
Windows Server 2008 R2 7.5
Windows 7 7.5
Windows Server 2012 8.0
Windows 8 8.0
Windows Server 2012 R2 8.5
Windows 8.1 8.5
If you have only an upload FTP access to a Folder served by IIS Webserver – i.e. no access to the Win server running IIS, you can also grasp the IIS version with following .ASP code:
<%
response.write(Request.ServerVariables("SERVER_SOFTWARE"))
%>
Save the file as anyfile.asp somewhere in IIS docroot and invoke it in browser.
How to convert .CRT SSL Certificate to .PFX format (with openssl Linux command) and Import newly generated .PFX to Windows IIS Webserver
September 27th, 2016
1. Converting to .CRT to.PFX file format with OpenSSL tool on GNU / Linux to import in Windows (for example, IIS)
Assuming you have generated already a certificate using the openssl Linux command and you have issued the .CRT SSL Certificate issuer file
and you need to have the new .CRT SSL Certificate installed on Windows Server (lets say on Windows 2012) with IIS Webserver version 8.5, you will need a way to convert the .CRT file to .PFX, there is plenty of ways to do that including using online Web Site SSL Certificate converter or use a stand alone program on the Windows server or even use a simple perl / python / ruby script to do the conversion but anyways the best approach will be to convert the new .CRT file to IIS supported binary Certificate format .PFX on the same (Linux certificate issuer host where you have first generated the certificate issuer request .KEY (private key file used with third party certificate issuer such as Godaddy or Hostgator to receive the .CRT / PEM file).
Here is how to generate the .PFX file based on the .CRT file for an Internal SSL Certfiicate:
openssl pkcs12 -export -in server.crt -inkey server.key -out server.pfx
On the password prompt to appear use any password because otherwise the future IIS Webserver certificate import will not work.
To do a certificate chain SSL export to be accessed from the internet.
openssl pkcs12 -export -in server.crt -inkey server.key -out server.pfx -certfile internet v2.crt
2. Import the PFX file in Windows
Run: mmc, add snap, Certificates, Computer account, Local Computer; in the
Console:
Certificates (Local Computer) > Personal > Certificates: Select All Tasks > Import File
Enter previously chosen password.
You should get further the Message "Import was successful."
You can import the PFX file by simply copying it to the server where you want it imported and double click it this will open Windows Importwizzard.
Then select the IIS:
Site, Properties, Directory Security, Server Certificate, Replace the current certficate, select proper Certificate. Done.
Alternatively to complete the IIS Webserver certificate import within one step when a new certificate is to be imported:
In IIS Manager interface go to :
Site, Properties, Directory Security, Server Certificate, Server Certificate Wizard
Click on
Next
Choose
import a certificate from a .pfx file, select and enter password.
3. Import the PFX file into a Java keystore
Another thing you might need if you have the IIS Webserver using a backend Java Virtual Machine on the same or a different Windows server is to import the newly generated .PFX file within the Java VM keystore.
To import with keytool command for Java 1.6 type:
keytool -importkeystore -deststorepass your_pass_here -destkeypass changeit -destkeystore keystore.jks -srckeystore server.pfx -srcstoretype PKCS12 -srcstorepass 1234 -srcalias 1 -destalias xyz
Also the .CRT file could be directly imported into the Java keystore
Import a .crt in a Java keystore
/usr/java/jre/bin/keytool -import -keystore /webdienste/java/jdk/jre/lib/security/cacerts -file certificate.crt -alias Some alias
4. Get a list of Windows locally installed certificates
To manager installed certificates on Windows 7 / 8 / 2012 Server OS is to run command via
Start -> Run
certmgr.msc
One other way to see the installed certificates on your Windows server is checking within
Internet Explorer
Go to Tools (Alt+X) → Internet Options → Content → Certificates.
To get a a complete list of installed Certificate Chain on Windows you can use PowerShell
Get-ChildItem -Recurse Cert:
That's all folks ! 🙂
Use multiple certificates using one IP address (same IP address) on IIS Windows web server
October 24th, 2020
If you had to administer some Windows webservers based on IIS and you're coming from the Linux realm, it would be really confusing on how you can use a single IP address to have binded multiple domain certificates.
For those who have done it on linux, they know Apache and other webservers in recent versions support the configuration Directive of a Wildcard instead of IP through the SNI extension capble to capture in the header of the incoming SSL connection the exact domain and match it correctly against the domain with the respective certificate. Below is what I mean, lets say you have a website called yourdomain.com and you want this domain to be pointing to another location for example to yourdomain1.com
For example in Apache Webserver this is easily done by defining 2 separate virtualhost configuration files similar to below:
/etc/apache2/sites-available/yourdomain.com
<Virtualhost *>
…
Servername yourdomain.com
ServerAlias www.yourdomain.com
….SSLCertificateFile /etc/letsencrypt/live/yourdomain1.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain1.com/privkey.pem
</VirtualHost>
/etc/apache2/sites-available/yourdomain1.com
<Virtualhost *>
…
Servername yourdomain1.com
ServerAlias yourdomain1.com
…
SSLCertificateFile /etc/letsencrypt/live/yourdomain1.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain1.com/privkey.pem
</VirtualHost>
Unfortunately for those who still run legacy Windows servers with IIS version 7 / 7.5 your only option is to use separate IP addresses (or ports, but not really acceptable for public facing sites) and to bind each site with it's SSL certificate to that IP address.
IIS ver. 8+ supports the Server Name Indication extension of TLS which will allow you to bind multiple SSL sites to the same IP address/port based on the host name. It will be transparent and the binding will work the same as with non-HTTPS sites.
In Microsoft IIS Webserver to configure, it is not possible to simply edit some configurations but you have to do it the clicking way as usually happen in Windows. thus you will need to have generated the Domain Certificate requests and so on and then you can simply do as pointed in below screenshots.
No Comments »