I don't quite understand SSL certs. I have a website, www.contoso.com , from WIX, and then I have a subdomain, book.contoso.com , as an Azure web app.
I want to make the subdomain secured, and I was going to purchase an SSL cert from Azure. I was thinking that I might change the subdomain later, as in the "book." part. I was thinking that I might even make the subdomain my main website, as in point the "www." towards the Web App.
If I purchase the SSL cert, can I do this, change the subdomain and will the cert still be valid?
Thanks
Get a Wildcard SSL certificate to secure the domain name and unlimited subdomains under a single SSL installation. Azure supports third-party Wildcard certificates, but I'd consider a cheaper option from an SSL vendor than the one offered by Azure.
When you request the Wildcard certificate, add an asterisk (*) in front of the domain name you want to secure. For instance, *.contoso.com. This way, you can secure as many subdomains as you want.
The trickiest part is to install your Wildcard cert. Here's an Azure SSL installation guide you may find useful.
Related
I'm trying to use https://mysite.trafficmanager.net that should resolve to https://myfunction.azurewebsites.net without adding my own SSL cert or domain.
When I go directly to https://myfunction.azurewebsites.net the cert is valid, but when I go to https://mysite.trafficmanager.net I get a cert error saying the cert is issued to *.azurewebsites.net
Do I have to purchase my own SSL to get this to work? It seems like the certs should just work within the Azure family and that I'm just missing a configuration setting.
You get a cert error since myfunction.azurewebsites.net have a certificate for *.azurewebsites.net but not *.trafficmanager.net so traffic manager site is not secured unless you have a custom domain + SSL cert.
The azure traffic manager works at DNS level. This means that it does not handle any request, just making the right redirection. The clients connect directly to the selected endpoint, not through Traffic Manager.
If you want to access the endpoint via HTTPS, you just need to bind an SSL certificate on your endpoint. If you want this error to disappear, you can read this Azure networking feedback.
For a dev\test scenario, there are a couple options you may want to
consider:
Buy a real cert and domain/sub-domain for your dev-test setup.
Create a self-signed certificate for your site with the *.trafficmanager.net SAN added to it and install this self-signed cert to the Trusted Certificate Authorities store on your clients to not
get browser warnings.
I have 6 different micro services with an Azure Traffic Manager setup for each of them. The services are running in 3 different regions to improve their performance but I need to come up with the certificates for the Azure Traffic Manager.
I have seen that there are two options available in the Azure Portal: The Standard and the Wild Card. While the latter is much more expensive, I was wondering if the same SSL Certificate can be used in all my 6 services so in the end, I will save money.
All my sites are like this:
http://foo1.trafficmanager.net
http://foo2.trafficmanager.net
http://foo3.trafficmanager.net
http://foo4.trafficmanager.net
http://foo5.trafficmanager.net
http://foo6.trafficmanager.net
As you can see the, the domain is the same (I do not have any custom domain, just the by default trafficmanager.net), so I am wondering whether one certificate will be enough. I have not seen any information about the wildcard certificate and it is pretty expensive to just give it a try...
Also, is there any security concern if I use the same certificate for all the sites? Is there a best practice recommendation? 1 certificate per site vs. 1 certificate for multiple sites.
Lastly, if I decide to use Custom Domains in the future, will I be able to reuse the issued certificate? (the domain will not be trafficmanager.net anymore)
Actually, a valid SSL certificate must match the access FQDN domain name. One Standard certificate only could be used for one FQDN domain name, such as "foo1.trafficmanager.net" while one WildCard certificate could be used for all like "*.trafficmanager.net" FQDN domain name, so usually we use the same WildCard certificate for all different services.
If you use Custom Domains in the future, you need to deploy new certificate to match the new Custom domain.
You can get more details about SSL Certificate Names
We recently created a new web site and I performed the following steps to redirect users from the old domain to the new one:
updated the old domain and its appropriate CNAME's to forward to the new domain
configured Azure to listen for the old domain + subdomains
added URL rewrite rules to the web.config (301 permanent redirect to new domain)
Everything works fine when browsing via HTTP; however, when browsing via HTTPS, I get errors such as
The hostname in the website’s security certificate differs from the
website.
This server could not prove that it is [old domain]; its security certificate is from *.azurewebsites.net.
I am guessing this is because my app service only holds the SSL certificate for the new domain name, and not the old one. Is there any way around this? Can URL rewriting or some other option preempt this?
You can have the certificates for your new and old domains in the same App Service application.
You need to add both certificates, and then add the SSL binding for each one to the appropriate domain.
Aim:
I want to use free SSL certificate on Cloudflare on the website that is current hosted on Azure.
Background
A SSL certificate has been bought from Azure, but we found that we need to upgrade our subscription before able to bind it to our website. Hence, we decided to use Cloudflare free plan that also offers SSL. The domain provider that we use is godaddy.
Problem:
I have followed the instructions here, and now on the Cloudflare, I could see the status for SSL certificate as Active Certificate. However, when I enter the url as https://mywebsite (https), it says that This certificate is not valid (host name mismatch), which is shown on the screenshot below:
Questions
Why does the current SSL certificate points to .azurewebsites.net? Shouldn't it points to cloudflare, after changing the nameservers? What does it mean by host name mismatch?
Current status for SSL certificate on Cloudflare is Active Certificate, does it mean that it's verified and currently applied to the website?
Thank you very much!
You are correct, if it is configured properly it should display the correct certificate in your browser. Possible reasons that it doesn't show correctly: old certificate cached in browser, old nameservers cached, you're not using cloudflare for the appropriate DNS records.
1b. As for the host name mismatch, you typed in example.com and it returned a certificate for a different domain. This means that the data can still be encrypted during transmission but that you are probably not communicating with who you think you are.
Not necessarily. In the article that you link is a great diagram of this process (5th image). You are using Flexible SSL. In order for this to work your website needs to go to Cloudflare's servers first. You can have an active certificate but that doesn't mean that it's been applied to your website. Make sure that the domain and/or any subdomains are on cloudflare and that data is routed through Cloudflare's servers.
We have two websites in Azure under different subscriptions which use the same UCC SSL certificate. Everything had been good for a long time until a week or two ago we noticed that one of the sites does not really have our certificate (although it was configured in Azure successfully). When browsing to it using "https" we can see that "https" becomes red, and if we click on it it says: "Server's certificate does not match the URL". The detailed information about the certificate says that it was issued to "*.azurewebsites.net", not to our domain. So seems like the default Azure certificate is used instead of ours.
At the same time our second website works perfect with "https", and the certificate shown is correct. I re-installed the certificate to both sites and re-created SSL bindings using SNI SSL, but it still works only for one of them.
Any ideas on what can cause this?
In the Azure website configuration switch from SNI SSL to IP Based SSL.
Once you do that you should have a Virtual IP Address that can be found in the Dashboard tab of the Website on the Azure portal.
In your web hosting provider make sure the www and # records point to the Virtual IP Address instead of pointing to your xxx.azurewebsites.net URL.