Does having an SSL certificate for a domain name mean that all child nameservers of that domain are secured too? - ssl

How exactly are SSL certificates configured? I read that having an asterisk before the domain name (*.example.com) means that all child nameservers are secured too, but I do not have the option to add the asterisk on the website where I bought my domain name and SSL.
I have a domain name (example.com) linked to an IP address. I then create a child nameserver for the same domain name (ns1.example.com) linked to a different IP address. When I access the main website, the request is secured but that's not the case for the child nameserver. Do I have to configure my SSL certificate to support child nameservers?

Related

LetsEncrypt on Domains

I've a domain name, basecompany.com. My application is deployed on the server and the IP has been mapped with the domain name in GoDaddy domain registrar DNS settings. Also, it is https enabled using Letsencrypt which automatically refreshes my certificate after every 3 months.
Now, I purchase 5 more domains and just want to reroute those 5 domains to basecompany.com. Nothing else. These are just URLs with no application server. So, I used domain-forwarding service.
However, these 5 domains are not https secured. How do I apply letsencrypt certificates within my DNS settings itself, or do I have to separately purchase an SSL certificate from them?
PS: I'm skipping my option to add the domain name in my webserver (nginx) config file and then map the IP to my DNS of new domain names. I don't want this.
I just want to install the certificate and it should start working.

Using SSL when browsing to an IP address

The server is behind a firewall and has a private IP and I need to get to the public IP of the domain that it is hosting...
I have several sites with several Host Name bindings and they all work fine over SSL (i.e. https://example.com), but I need to get to it just using the IP address (i.e. https://123.45.67.89) and I can't figure out how to do the bindings because it doesn't allow an IP address as the host name. Browsing to just the IP gives me a 'Connection Not Private' message.
A security certificate must be granted to a host name, e.g. example.com.
You cannot issue a certificate to an IP address.
When you browse via IP and the certificate is served up, it does not match the address you have entered, and the browser is correctly telling you that the certificate is not valid for the site you are wishing to view.
The certificate provided by the server is probably not issued for the IP address and that's why it does not match the URL (with IP as target) you entered. You have to access the server with a name which matches the certificate which means that you need some DNS settings which map the name contained in the certificate to the external visible IP address and then you can access the server by its correct name. For testing you can do such mapping inside your local hosts file. But if the server should be visible from outside for others too you need to configure the public DNS for the domains served by the firewalled server so that the mapping to the public IP address is publicly visible.

Pointing many domains to same IP/Primary Domain over https(ssl)

Is it possible to add CNAME records/A records to point many domains to primary domain or IP Address, and keep them over https (ssl)?
Does a multi-domain SSL Cert allow this?
Thanks.
Yes. As long as the entered server name matches the presented SSL certificate name, the SSL connection will authenticate the server normally.

SSL certificate for a subdomain hosted remotely

Scenario: Suppose www.test.com is a domain that exists and I want to handle requests for widgets.test.com on my webserver. I work with their administrator and adjust their DNS record to point widgets.test.com to an IP address on my webserver.
Question: If I want to handle https requests for that subdomain, do I purchase the SSL cert for widgets.test.com and install on my webserver? Or, does a cert have to be purchased for the top level domain and installed on the primary webserver?
It doesn't have to be purchased for the main domain, you can purchase an SSL cert for a specific subdomain. SSL certs are keyed to the exact domain that you specify, so if you purchase one for "https://*.mysite.com" that's a different cert than for "https://mysite.com".
If you want to get an SSL certificate that would cover both, you might want to look into purchasing something like a Wildcard SSL certificate.

ssl certificate for several domains, one IP

AFAIK, SSL is assigned to a single domain name (maybe several subdomains via wildcard).
On the other hand, I heard that the webserver does not see the domain before it serves the SSL?
If I have multiple domains running as vhosts on one IP address:
Q1: Can the webserver serve the appropriate respective SSL to the sites?
Q2: Is there a way to have only one multi-domain SSL serving two domains on one IP?
Illuminate me out of confusion brought upon me by this seemingly self-contradictory quote:
Regular SSL Certificates are issued for a single FQDN (Fully Qualified Domain Name). The domain using the certificate has to have its own unique external IP address from which to be served. In practice, this means that if you have multiple domains on a single IP address/server, then you had to install a separate certificate on each domain you wanted to secure.
The reason for this is the use of 'Host-Headers'. They allow a web server to use a single IP address to serve many separate sites with different FQDNs. They do this by identifying the incoming request for a webpage, and routing it to the correct site accordingly.
When an SSL connection is initiated, the server must send a certificate to the client - before it knows the host-header of the request. The only identifying piece of data it has is the requested IP address. As such, two or more sites on one IP address cannot use different SSL certificates....
Q1> The web server doesn't need to know the domains embedded in an SSL cert. Only the browser does, since it's the one making sure the domain in the certificate matches the domain in the address bar. The web server just serves up the cert bound to the IP address, regardless of what domain is in the certificate.
Q2> What you describe is a SAN or UC certificate. They are designed to do what you stated, namely allow multiple domains to share one cert on one IP address. Check out this link on Subject alternative names for more info.
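
An added example, not part of any question or answer above: a Python sketch of the name check a TLS client performs, showing which of the hostnames discussed on this page a single-name, wildcard, or multi-domain (SAN) certificate covers. The SAN lists are constructed sample data in the `(type, value)` shape that Python's `ssl.SSLSocket.getpeercert()` reports, and the function names are illustrative.

```python
import ipaddress

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def dns_name_matches(pattern, hostname):
    """Compare one DNS entry of a certificate with the requested hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # '*' stands for exactly one label, never zero or several
    if p_labels[0] == "*":
        # Simplified guard (assumption): refuse a wildcard directly under a
        # top-level label such as '*.com'. Partial wildcards like 'f*.example.com'
        # are treated as literal text and therefore never match.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def cert_covers(hostname, subject_alt_names):
    """True if any SAN entry of the certificate is valid for `hostname`."""
    if _is_ip(hostname):
        # An IP literal is only compared with IP-type entries, never DNS names.
        wanted = ipaddress.ip_address(hostname)
        return any(kind == "IP Address" and ipaddress.ip_address(value) == wanted
                   for kind, value in subject_alt_names)
    return any(kind == "DNS" and dns_name_matches(value, hostname)
               for kind, value in subject_alt_names)

# Constructed sample certificates (SAN lists only).
SINGLE = (("DNS", "example.com"),)
WILDCARD = (("DNS", "*.example.com"),)
WILDCARD_PLUS_APEX = (("DNS", "example.com"), ("DNS", "*.example.com"))
MULTI_DOMAIN = (("DNS", "basecompany.com"), ("DNS", "widgets.test.com"))

if __name__ == "__main__":
    for host, cert in [("ns1.example.com", SINGLE),
                       ("ns1.example.com", WILDCARD),
                       ("example.com", WILDCARD),
                       ("a.ns1.example.com", WILDCARD),
                       ("123.45.67.89", WILDCARD_PLUS_APEX),
                       ("widgets.test.com", MULTI_DOMAIN)]:
        print(f"{host:20} {cert_covers(host, cert)}  {[v for _, v in cert]}")
```

A wildcard entry covers one level of subdomain only, which is why certificates meant to serve both the bare domain and its subdomains list both names.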