SSL sites gives Common name Invalid - ssl

SSL Error when assessing by IP address
I have an IP address as 192.0.2.13. On nslookup, it shows the answer as example.com
Now on assessing the IP address https://192.0.2.13 itself it gives, SSL error as Common name invalid and but if I tries to access https://example.com, it loads fine. Also, I can see SAN configuration as
DNS name : example.com
DNS name : examplem.com
Now, I want to know should I need to add IP address to SAN config as well?

Related

Bitnami on Google Cloud Platform enabling SSL Issue: Please fix DNS entries while enabling SSL

I am using the bitnami django on Google Cloud platform stack.
Goal: I want SSL configured on my bitnami stack hosted on Google Cloud. But their toolsudo ./bncert-tool complains "The domain resolves to a different IP address than the one detected for this machine. Please fix its DNS entries or remove it.
I have purchased a domain using google domains.
I have set up google dns to point to the IP address as I see in the bitnami stack. I have enabled mydomain.com and www.mydomain.com to forward to the cloud server ipaddress/home in Google domain name settings
I then tried to run the tool /opt/bitnami/bncert-tool:
sudo /opt/bitnami/bncert-tool
Welcome to the Bitnami HTTPS Configuration tool.
Domains
Please provide a valid space-separated list of domains for which you wish to
configure your web server.
Domain list []: mydomain.com
The following domains were not included: www.mydomain.com. Do you want to add them? [Y/n]: n
Warning: No www domains (e.g. www.example.com) or non-www domains (e.g.
www.example.com) have been provided, so the following redirections will be
disabled: non-www to www, www to non-www.
Press [Enter] to continue:
Warning: The domain 'mydomain.com' resolves to a different IP address than the
one detected for this machine, which is 'aa.bb.ccc.dddd'. Please fix its DNS
entries or remove it. For more info see:
https://docs.bitnami.com/general/faq/configuration/configure-custom-domain/
Press [Enter] to continue:
MY QUESTION:
How do I resolve this? I even tried adding both domains
mydomain.com www.mydomain.com
I want SSL enabled for mydomain.com and www.mydomain.com and not sure where I am going wrong?
Secondy, after the link forwards, how to associate my domain name so that the static IP doesn't keep displaying instead it shows the mapped domain mydomain.com/home
thanks
Suds
$nslookup mydomain
Server: 192.168.0.1
Address: 192.168.0.1#53
Non-authoritative answer:
Name: mydomain.com
Address: 216.239.32.21
Name: mydomain.com
Address: 216.239.34.21
Name: mydomain.com
Address: 216.239.36.21
Name: mydomain.com
Address: 216.239.38.21
$ nslookup www.mydomain.com
Server: 192.168.0.1
Address: 192.168.0.1#53
Non-authoritative answer:
www.mydomain.com canonical name = ghs.googlehosted.com.
Name: ghs.googlehosted.com
Address: 172.217.26.179
$ dig +short NS mydomain.com ns-cloud-b1.googledomains.com.
ns-cloud-b2.googledomains.com. ns-cloud-b3.googledomains.com.
ns-cloud-b4.googledomains.com.
$ dig +short NS www.mydomain.com ghs.googlehosted.com.
You may need to change certain settings such as the domain name settings. If using Google Domains, the forwards actually don't integrate the A + Cname to one static IP. I had to physically create A and CName records.
This solved the first issue: What is interesting is one of my domains: mydomain.com is pointing multiple IP address whereas the other is point to different IP depending upon the DNS Server. This was also the one contributing to the error I used to get
when I ran sudo ./bncert-tool "The domain 'mydomain.com' resolves to a different IP address than the one detected for this machine, which is 'aa.bb.ccc.ddd'. Please fix its DNS entries or remove it.
I think physically forced the HTTPS redirection in web server settings. using this rule
/opt/bitnami/apache2/conf/bitnami/bitnami.conf,
Changed RewriteRule ^/(.*) https://example.com/$1 [R,L]
Then I still had some problems where the first hit the URLs will load, the next hit I would 404 errors.
I realized this was an issue with project level settings
opt/bitnami/apps/django/django_projects/Project/conf
sudo vi httpd-app.conf
WSGIScriptAlias /PROJECT '/opt/bitnami/apps/django/django_projects/PROJECT/PROJECT/wsgi.py'
to
WSGIScriptAlias / '/opt/bitnami/apps/django/django_projects/myproject/myproject/wsgi.py'
Then was the issue with ALLOWED HOSTS in settings.py:
Ensure the right ALLOWED HOSTS is updated, the project root or your application root, depending upon where you serve from.
/opt/bitnami/apps/django/django_projects/Project/Project
updated the settings in py here...
ALLOWED_HOSTS in settings.py

Redirect IP to domain issue

I have following domain name air8kissen.de. When I type in that domain name in browser it gets redirected to its IP address 178.128.117.168. The problem is that I setup SSL for domain name and since IP dont have SSL it shows the warning sign. When I accept to risk visiting the website, it redirects me to my domain name.
I have setup all necessary CNAME and A records inside Digitalocean domain setup and have no idea why it shows the IP address first time I visit to domain.
What should I do to fix this?
Cheers
This is not a DNS or SSL issue, You need to setup the Virtual Host for your domain at your webserver, and check any redirection rules placed at your webserver level.

Apache SSL certificate placed in correct dir but SSL cert invalid in browser

This is more of a clarification question because I didn't know what to Google in order to find an answer.
I generated a csr for my website domains and ordered the certificate from Digicert. Followed the instructions to place it in the correct directory. apachectl configtest prints no warnings or errors. I ran the Django sever and it runs fine on 8080.
Problem: I purchased the certificate for my website domain, i.e., something like www.example.com not an IP address. At the moment my website is based on an AWS EC2 instance and I am accessing it via the IP address.
When I visit the website via the IP address, the area on the address bar where we can see the status of an SSL cert shows up in red with a strikethrough on the https. My understanding is that it is because the certificate is only for the domain and not the IP address? Can someone please explain how SSL certificates link to the website name? Does the browser go looking into the proper apache directory and then match it with the thing in its address bar? How does it all work?

Using SSL when browsing to an IP address

The server is behind a firewall and has a private IP and I need to get to the public IP of the domain that it is hosting...
I have several sites with several Host Name bindings and they all work fine over SSL (i.e. https://example.com), but I need to get to it just using the IP address (i.e. https://123.45.67.89) and I can't figure out how to do the bindings because it doesn't allow an IP address as the host name. Browsing to just the IP gives me a 'Connection Not Private' message.
a security certificate must be granted to a host name e.g. example.com
You cannot issue a certificate to an ip address.
When you browse via ip and the certificate is served up, it does not match the address you have entered and is correctly telling you that the certificate is not valid for the site you are wishing to view
The certificate provided by the server is probably not issued for the IP address and that's why it does not match the URL (with IP as target) you entered. You have to access the server with a name which matches the certificate which means that you need some DNS settings which map the name contained in the certificate to the external visible IP address and then you can access the server by its correct name. For testing you can do such mapping inside your local hosts file. But if the server should be visible from outside for others too you need to configure the public DNS for the domains served by the firewalled server so that the mapping to the public IP address is publicly visible.

SSL at the root domain on heroku

I've got a website with an SSL certificate for the root domain only - example.com.au
The site runs on heroku with the dns at dnsimple.com
I want all requests to www.example.com.au to go to the canonical url, ie to example.com.au and obviously this redirection needs to be set up at the dns level so that the user doesn't get stopped with an "insecure" message.
What should i put in my DNS?
I want all requests to www.example.com.au to go to the canonical url, ie to example.com.au and obviously this redirection needs to be set up at the dns level so that the user doesn't get stopped with an "insecure" message.
In short: This is not possible, because aliases at DNS level will not change the hostname.
In detail:
If the user types in www.example.com the client (i.e. the browser) will lookup the IP for this host and it will follow any DNS aliases (like a CNAME pointing to example.com) during this process. But, following DNS aliases will not cause redirects inside the browser. Instead the name in the URL will stay the same and so will be the name used to verify the certificate.
This means there is no way to do what you want at the DNS level. If you want to redirect from https://www.example.com to https://example.com you must have a certificate matching www.example.com.