我正在使用Microsoft.Web.Administration
(在Wix CustomAction中)配置服务器名称指示并绑定到IIS 8.5站点上的现有服务器证书。
事实证明,设置SNI会取消证书绑定。以下代码将使事情变得更加清晰:
using Microsoft.Web.Administration;
var binding = site.Bindings.FirstOrDefault(x => x.IsIPPortHostBinding && x.Host == sitename);
binding.CertificateHash = certificate.GetCertHash();
binding.CertificateStoreName = store.Name;
// this statement is causing the certificate info to get messed up.
binding["sslFlags"] = 1; // or binding.SetAttributeValue("sslFlags", 1);
结果:
binding["sslFlags"] = 1;
没有 binding["sslFlags"] = 1;
这是一个错误还是我错过了什么?如何才能使SNI和证书绑定一致?
答案 0 :(得分:2)
似乎Microsoft.Web.Administration v7.0是罪魁祸首。这是NuGet图库中的官方版本,它似乎主要用于IIS 7(我的意思是它适用于IIS 7和8中常见的功能,但7没有的任何内容都会产生如上所述的奇怪结果)。
使用IIS.Microsoft.Web.Adminstration(似乎是IIS 8.5的社区上传包)可行。得到了这个answer的提示。
更新代码:
binding.CertificateHash = certificate.GetCertHash();
binding.CertificateStoreName = store.Name;
binding.SslFlags = SslFlags.Sni; // <<< notice it has helpful enums
答案 1 :(得分:1)
这适用于我Microsoft.Web.Administration 7.0.0.0
:
public static void CreateSiteHttps(string siteName, string physicalPath)
{
using (var serverManager = new ServerManager())
{
var applicationPool = serverManager.ApplicationPools.Add(siteName);
applicationPool["startMode"] = "AlwaysRunning";
var x509Store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
x509Store.Open(OpenFlags.OpenExistingOnly | OpenFlags.ReadWrite);
var certificate = x509Store.Certificates.Find(X509FindType.FindBySubjectName, "MyCertSubjectName", false)[0];
var hash = certificate.GetCertHash();
var site = serverManager.Sites.Add(siteName, $"*:443:{siteName}", physicalPath, hash);
site.ServerAutoStart = true;
site.Bindings[0]["sslFlags"] = 1;
site.ApplicationDefaults.ApplicationPoolName = applicationPool.Name;
site.ApplicationDefaults.EnabledProtocols = "http,https";
serverManager.CommitChanges();
}
}
答案 2 :(得分:0)
启用SNI时将删除证书。您可以先获取证书,然后再启用SNI,然后再进行设置:
[global]
trusted-host = pypi.org
files.pythonhosted.org