Using SSL when browsing to an IP address - ssl

The server is behind a firewall and has a private IP and I need to get to the public IP of the domain that it is hosting...
I have several sites with several Host Name bindings and they all work fine over SSL (i.e. https://example.com), but I need to get to it just using the IP address (i.e. https://123.45.67.89) and I can't figure out how to do the bindings because it doesn't allow an IP address as the host name. Browsing to just the IP gives me a 'Connection Not Private' message.

a security certificate must be granted to a host name e.g. example.com
You cannot issue a certificate to an ip address.
When you browse via ip and the certificate is served up, it does not match the address you have entered and is correctly telling you that the certificate is not valid for the site you are wishing to view

The certificate provided by the server is probably not issued for the IP address and that's why it does not match the URL (with IP as target) you entered. You have to access the server with a name which matches the certificate which means that you need some DNS settings which map the name contained in the certificate to the external visible IP address and then you can access the server by its correct name. For testing you can do such mapping inside your local hosts file. But if the server should be visible from outside for others too you need to configure the public DNS for the domains served by the firewalled server so that the mapping to the public IP address is publicly visible.

Related

Cant access my website through its IP address

I have hosting with godaddy with a private IP address. I am able to access my websites and others via the domain name, but not via IP Address.
I am now trying to access the HTTP via port 80 but it gives an error that the website is not setup.
Are there any workarounds on turning allowing accessing the website and other folders through the IP address over http?
This sounds to me like you were on a managed webpack that grants you access to the to-be-served content but not to the webserver or its config itself.
What you are experiencing there is an effect of a technique called virtual-hosts in which multiple sites are tied to one IP address. For this to work in the realm of HTTP, the Host header got introduced in HTTP/1.1. It allows clients to send a domain name for which they want to receive content.
If you request a raw IP, though, the Host header won't look like Host: example.com but rather like Host: 123.45.67.89. The server will not be able to associate a domainname with this as it is unlikely to be found elsewhere in the request. Therefore, it will be forced to serve content out of its default document directory which usually contains further documentations regarding the further configuration of the webserver in question. Linux distributions like to add additional informations specific to them. Check if you see any mentioning of e.g. Debian, RedHat, or Centos.
I am not sure if this is fixable. Usually webservers like Apache support IP-based virtual hosts. If a masshoster like godaddy is really going to address this is uncertain. Try to contact their support and see.
1]If you are using host headers, make sure you have a DNS entry pointing your URL to your IP
2]Telnet port 80 from a machine outside your network.If it fails then check with your ISP that port 80 should not block in firewall.

Using HTTPS with a dynamic ip

My situation:
I want to run a webserver on a device in an unknown network. Requests on port 80 or 443 will be forwarded to this device from the global ip.
The device regularly posts its IP address to a server on the web and it is saved on this server.
Is it possible to access this device via https without much trouble?
The problem of course is, that the ip can change and a SSL certificate needs to have a hostname.
Edit: The device doesn't have a domain assigned to it that I could use for a certificate. Is it maybe possible to use a domain I own and reroute that to the dynamic ip without changing the header?
As far as I understand it that would make using https possible
The common wisdom of SSL certificates being associated with one IP address is misleading. An SSL certificate is issued for the domain name, not the IP address. The issue with IP addresses stems from the details of the HTTPS protocol, and namely just the issue of name resolution. An HTTP server can host many different sites for many different domains, all on the same port and IP address. It knows which site is being requested based on an HTTP header.
Now, with HTTPS, the server first needs to negotiate a secure SSL connection before any HTTP headers are exchanged. The issue therefore is that it can't know which certificate for which domain it's supposed to use to negotiate a secure connection, because it hasn't yet had a chance to talk to the client about the domain it'd like to visit.
There are actually mechanisms for name negotiation before encryption in later versions of the HTTPS protocol, but the practical problem is that older clients do not support it yet (stare at IE6).
So the practical solution is to reserve one IP address and/or port for each HTTPS site, because then there's no issue of multiple name resolutions. One IP/port is reserved for one specific HTTPS site and in extension for one SSL certificate.
Which means, as long as your server is only serving one HTTPS domain, its IP address can change as often as it wants; there's no issue there.
There is no problem with dynamic IP. In SSL certificate you store a static hostname (domain.com), no IP address.

SSL How to with dynamic dns

I've got a home server that sits behind a dynamic ip address. I use a free dynamic dns service (http://freedns.afraid.org/) so that I can access my server via the following (fake) hostname foo.example.com
I use bluehost to host a separate domain, mycompany.com, and used their DNS settings to set up a CNAME to route traffic for mycompany.com to foo.example.com
What i want to do now is throw an SSL cert into the mix. The problem is I don't know how to go about getting the cert. Some companys (godaddy) want me to associate a domain to the cert. I don't know if that's mycompany.com or foo.example.com. Even if i pick one, it seems like the browser would complain about a mismatch.
Any insight would be great.
If the website gets accessed as https://foo.example.com you need a certificate for foo.example.com. If it gets accessed as https://mycompany.com you need a certfificate for mycompany.com. If it needs to be accessed with both names (like if one side would redirect to the other) you need a certificate containing both names.

Multiple, remotely accessible dev sites on IIS 8 over SSL?

I am trying to configure a remote server to host two or more development sites. My current approach was:
Hostname: somedev.something.somethingelse.com
Desired site 1: dev1.somedev.something.somethingelse.com
Desired site 2: dev2.somedev.something.somethingelse.com
I modified my hosts file so that:
dev1 127.0.0.1
dev2 127.0.0.1
I created a wildcard SSL certificate for my domain, and configured the bindings to use that SSL certificate.
However, while on the box locally I can access my sites at the desired sites, how can I expose this such that I can browse remotely?
You will either need to use a public DNS server to point those DNS names to the server's public IP address, configure your existing DNS server to point those names to the IPs (if you have a DNS server), or modify the hosts file on the machines you want to access it to point those names to the server's IP address

ssl certificate for several domains, one IP

AFAIK, SSL is assigned to a single domain name (maybe several subdomains via wildcard).
On the other hand i heard that the webserver does not see the domain before it serves the ssl?
If I have multiple domains running as vhosts on one IP address:
Q1: Can the webserver serve the appropriate respective SSL to the sites?
Q2: Is there a way to have only one multi-domain SSL serving two domains on one IP?
Illuminate me out of confusion brought upon me by this seemingly self-contradictory quote:
Regular SSL Certificates are issued for a single FQDN (Fully Qualified
Domain Name). The domain using the certificate has to have its own
unique external IP address from which to be served. In practice, this
means that if you have multiple domains on a single IP address/server,
then you had to install a separate certificate on each domain you
wanted to secure.
The reason for this is the use of 'Host-Headers'. They allow a
web server to use a single IP address to serve many separate sites
with different FQDNs. They do this by identifying the incoming request
for a webpage, and routing it to the correct site accordingly.
When an SSL connection is initiated, the server must send a
certificate to the client - before it knows the host-header of the
request. The only identifying piece of data it has is the requested IP
address. As such, two or more sites on one IP address cannot use
different SSL certificates....
Q1> the web server doesn't need to know the domains embedded in an SSL cert. only the browser does since it's the one making sure the domain in the certificate matches the domain in the address bar. The web server just serves up the cert bound to the ip address, regardless of what domain is in the certificate.
Q2> what you describe is a SAN or UC certificate. They are designed to do what you stated, namely allow multiple domains to share one cert on one ip address. Check out this link on Subject alternative names for more info