I have a valid wildcard ssl cert for our (internal) domain - *.stmn.company.local
I have a site that I want to use with this cert, let's say - https://server.stmn.company.local
In firefox/chrome, if I navigate to that FQDN url, it works fine, I do not get an invalid cert warning or security warning.
However, if I navigate to "server/" or "https://server/" or "http://server/" (the trailing slash is necessary to tell firefox/chrome that this is an internal site and to go directly to it, without searching) I get an error in firefox that my certificate is not valid.
server uses an invalid security certificate. The certificate is only valid for *.stmn.company.local (Error code: ssl_error_bad_cert_domain)
This is unexpected to me because my search domain is configured with stmn.company.local so in theory any dns name I don't fully qualify should have that appended onto it?
bryce-e#channel:~$cat /etc/resolv.conf
search stmn.company.local company.local
nameserver 10.99.42.30
nameserver 10.99.42.31
Am I misunderstanding how search domain works, or SSL certs?
The domain name that is typed in the browser must match. You need to make your site accessible at the same url internally and externally, or modify your certificates to include all the names that will be used.
If routing is problematic, use of 'split' dns might be helpful. With that you can have a domain name resolve to a different ip address internally vs externally.
It isn't sufficient to just have the name resolve to the right ip.
Related
I am trying to get an SSL certificate on my custom domain on Heroku and the last thing it told me to do is add the following records:
Domain Record Type DNS Target
─────────────────── ─────────── ─────────────────────────────────
www.gethomesync.com CNAME www.gethomesync.com.herokudns.com
gethomesync.com ALIAS/ANAME gethomesync.com.herokudns.com
But my domain registrar GoDaddy doesn't have an option to add ALIAS or ANAME. I don't know much about DNS having only done quite basic tasks as and when I've needed them, is there an equivalent to ALIAS/ANAME that I can use through GoDaddy?
Thanks
A warning here. As pointed by #NikitaAvvakumov and #deviant in some comments, the accepted answer is not correct.
As mentioned in Heroku docs,
Root domains on Heroku require the use of "CNAME-like" records, often referred to as ALIAS or ANAME records.
Without these records,
Requests to https://example.com will fail with an SSL error.
Again, even if you choose to redirect from your root domain to a subdomain (ex: from example.com to www.example.com), it will only work for non-SSL requests. Any request to https://example.com will fail with an SSL error.
A simple solution to that would be to use another DNS host. For example, I use CloudFlare (the free plan is more than enough and offers great features) which uses what is called CName flattening that works with Heroku like having an ALIAS (they use this by default - you don't have to do anything else than configuring your nameservers and adding DNS records. You can check both Heroku and CloudFlare for tutorials - it's pretty easy).
You don't need to set up ALIAS/A record, just create a CNAME record pointing to gethomesync.herokussl.com (you can check the endpoint name with heroku certs Heroku Documentation):
Type Name Value
CNAME www gethomesync.com.herokudns.com
To create a naked domain (removes the need to write www) you need to forward your gethomesync.com to wwww.gethomesync.com:
Under Forwarding click on Domain -> 'Manage' -> then click 'Add Forwarding'
'Forward to' should be wwww.gethomesync.com (your domain)
'Redirect type' should be '301
'Forward settings' should be 'Forward only'
We have a multi tenant application which works based on domain wildcard registration, now we would wanted to add SSL certificate to our application,
So I need to correct approach on how it should be used,
I know about godaddy Wildcard SSL with which you can define un-limited no of subdomain and apply this certificate, but in our case the subdomain are not physically specified we are identifying it with wildcard only, all subdomain are pointing to single domain/server only just application who understands and behaves accordingly.
Can someone guide me on this.
A wildcard certificate is signed for CN=*.example.com
That means a HTTPS client/browser will match the invoked DNS name with the wildcard, and as long as it's a level one subdomain, it will match. That is because the * is a special token in the common name (CN).
So foo.example.com and bar.example.com will match. foo.bar.example.com will, however, not.
As far as the certificate is concerned, you don't have to define a list of valid subdomains anywhere.
So your guess is right, simply buy a wildcard certificate from your CA of choice and your done.
I can't use my SSL certificate on subdomains because it is for the top level domain www.tld.com only. When I force it on a subdomain e.g. dev.tld.com I get a warning.
What I want to achieve is a development subdomain on the same shared hosting webspace where I can test under real conditions, especially concerning payment systems where an SSL connection is mostly mandatory.
My question is: Do I have to get an extra certificate or is it possible to just click the warning away and make use of https? Am I obliged to buy a certificate in order to use SSL technically? At least it seems to work once I've told my browser to trust the subdomain ...
The warning is telling you that the domain name listed in the certificate does not match the domain name you browsed to. You will still have an SSL connection. Since you are the one that configured the environment, you can ignore the warning.
Having said that, a wildcard SSL certificate is not much more expensive than one for a single domain (shop around!). I would suggest your next SSL certificate be for a wildcard domain (*.tld.com). That will avoid the issue of the warning entirely.
I've got a home server that sits behind a dynamic ip address. I use a free dynamic dns service (http://freedns.afraid.org/) so that I can access my server via the following (fake) hostname foo.example.com
I use bluehost to host a separate domain, mycompany.com, and used their DNS settings to set up a CNAME to route traffic for mycompany.com to foo.example.com
What i want to do now is throw an SSL cert into the mix. The problem is I don't know how to go about getting the cert. Some companys (godaddy) want me to associate a domain to the cert. I don't know if that's mycompany.com or foo.example.com. Even if i pick one, it seems like the browser would complain about a mismatch.
Any insight would be great.
If the website gets accessed as https://foo.example.com you need a certificate for foo.example.com. If it gets accessed as https://mycompany.com you need a certfificate for mycompany.com. If it needs to be accessed with both names (like if one side would redirect to the other) you need a certificate containing both names.
I have a certificate that is registered to the fully qualified domain name of a server on our intranet (webserver.domain.com). When our internal users hit this site via the fully qualified name, they go right in and aren't prompted that it's an invalid cert. If they browse to the web server via the hostname (non-fully qualified) they are redirected to the https version and no prompt is made there either. The part of my mod_rewrite that I'm missing is if someone connects to the web server via http's' with just the hostname. I can't seem to get that to rewrite to the FQDN. It doesn't rewrite and always prompts that the cert is invalid. Any help is appreciated. Thanks!
Here's an example of what I can't seem to match:
https://webserver/pubs/index.html
I need it to rewrite to:
https://webserver.domain.com/pubs/index.html
Unfortunately this isn't going to be possible - the prompt occurs when the connection is made, before mod_rewrite is involved.
If they OK the prompt, then you can rewrite to the FQDN.