Adding HTTPS to Azure VM mapped through CNAME - azure

I intend to buy a wildcard SSL certificate for mydomain.com. From my ISP I map test.mydomain.com - using CNAME setting - to an Azure VM (not a simple web app) running a webserver (e.g. blahblah-vm.cloudapp.net) where I have opened port 80 and 443.
Now, my client connects to https://test.mydomain.com. Will there be any issues? Do I need to somehow prepare the VM with the mydomain.com SSL certificate or will it just work thanks to the CNAME mapping?

Does your VM have a static Public IP address? If yes, you could use A Records. Also, we can use CNAME map the Azure VM's FQDN.
Now, my client connects to https://test.mydomain.com. Will there be
any issues?
Before you connect to https://test.mydomain.com, we should install SSL certificate on your PC first.
Do I need to somehow prepare the VM with the mydomain.com SSL
certificate or will it just work thanks to the CNAME mapping?
There is no need to prepare something except install SSL certificate.
Update:
If your VM is windows, and use IIS to deploy your web server, we can use SSL certificate here:

Related

Https issue with subdomain pointing to Azure VM

I have a domain purchased from Godaddy. Then a Virtual Machine setup on Azure with an web application installed on it.
So thus far I have:
An Azure VM with an application running on it, lets say the ip for the VM is 12.3.456.789
A domain name I purchased from godaddy, e.g mydomain.com, I then created a subdomain for e.g sub.mydomain.com
I then added an SSL certificate to this subdomain which worked fine, after I changed the DNS A record for the subdomain to the ip address of the VM 12.3.456.789, also the application on the VM is accessed on port 4000. So https://sub.mydomain.com:4000
The issue is that when I access my domain via https I get the ERR_SSL_PROTOCOL_ERROR in all browsers but when I access it via http then the application on it loads completely fine.
Any ideas on what I would have done wrong or left out in my setup?
Also if I did not provide enough information do let me know.
commercial SSL certs are always signed to include the TLD
(Top Level Domain -> in your hypothetical case: mydomain.com) !
You should contact godaddy to change the certificate to change the SAN (Subject alternative Name to sub.mydomain.com)
One example:
You order a ssl certificate for the subdomain www for your domain mydomain.com.
mydomain.com is valid by its nature (SAN -> it's the TLD)
Whereas www.mydomain.com is the SUBJECT.
Best H.
To rewrite to rule from https as you are getting ERR_SSL_PROTOCOL_ERROR please check you are correctly provided ssl cerficate SSL Certificate Checker as my SSL provided is DigiCert.
And to make Https ensure in your remote desktop in IIS manager click your virtual machine ->binding -> Https and port as 443 and upload certificate.
In your virtual machine try to add outbound security rule provide service as HTTPS and port as same in 443
Reference: https://learn.microsoft.com/en-us/answers/questions/23397/not-able-to-secure-windows-azure-vm-in-https.html

Cant connect to the cloudflare with A - DNS

My ubuntu server work correctly in port 80 using nginx, it's finally switch to port:3000 for Nodejs app to run. Everything okay when i pass the dns to the browser but when I try to connect with cloudflare It's appear the 502 bad gateway code when access the domain name? I'm kind of new in cdn hosting please tell me what to do! Many thanks
My Cloudflare Setup
Assuming you are running your webservice on port 80 publicly available:
What you could do is to disable the encryption between Cloudflare and your origin (not recommended):
Select your Domain, go to SSL/TLS -> Overview. Select "Off (not secure)"
But you really shouldn't do this for a production environment.
Your nginx should support encrypted traffic over HTTPS.
Issue a selfsigned certificate (not recommended), have a look at certbot or better:
Issue a Cloudflare Origin Certificate (SSL/TLS -> Origin Server)

Can I get SSL certificate for website running in Azure VM at westeurope.cloudapp.azure.com subdomain

I have created Windows Server VM in Azure and deployed my site to IIS, which is now accessible at https://mysite.westeurope.cloudapp.azure.com/
however I get certificate error when I try to visit it from outside the vm.
how do I configure the VM to have proper https without certificate errors (just like app service - mysite.azurewebsites.net)?
As the comments from micker #micker, you can't get an SSL certificate for this subdomain westeurope.cloudapp.azure.com which is owned by Microsoft.
Since you host your websites on Azure VM, you could purchase a domain then get an SSL certificate for your own domain, then bind the SSL certificate to your custom domain in IIS on the Azure VM. You can either purchase that certificate through Azure or an external provider or get a free SSL cert from Let's Encrypt.
However, if you just want to have a test in your test environment, you can use a self-signed certification with this DNS name like vma.centralus.cloudapp.azure.com. You can follow steps in How To Create A SHA-256 Self-Signed Certificate on the Azure VM then export this cert .cer format file on the Azure VM and import the .cer cert under the mmc---certificate---local machine---Trusted root certification Authorities on the machine where you want to access the websites. Please note this It's not recommended to use self-signed cert in your production environment.
I had same issue, and I found resolution without custom domain using following additional azure settings.
create Azure WAF, add custom rules to deny if not in IP list - this is if you need ip whitelisting, useful if your main domain uses akamai or other edge routing to point to external hosting of subdomains, you can use whitelist to restrict access to the akamai or other servers, though this takes some big lists you must paste of ranges one row at a time. Set any other web app firewall rules you want enforced for allow/deny.
Create Azure Front Door named like you want as an endpoint url e.g. myappfrontdoor will make myappfrontdoor.azurefd.net. in backend pool specify the your public-ip shared dns name (see step 3) like myapptest..cloudapp.azure.com.
This is the important step : in Settings at top of front door designer, disable cert validation. in routing rules config, no condition, forward to backend pool setup in prior step. This ignores the fact that you cannot cert your cloudapp.azure.com endpoint, and wraps it with a *.azurefd.net certificate.
In your azure firewall, Edit NAT rules, set rule name myapp-web-fd-... , tcp, ip address, 147.243.0.0/16 (this is Azure's front door backend ip range). destination should be the firewall's own public ip. destination port 443, translated address should be the target vm's azure internal ip, target port - service port.
Now you will have a site like myappfrontdoor.azurefd.net.
Note that Azure Front Door and WAF have their own pricing costs, so maybe it is cheaper for you to buy a domain. Hopefully you are also using Azure Firewall, though expensive. If not, one could point to public ip directly on NSG or on vm itself but I wouldn't skip having a firewall for a public server. There is a standing Azure enhancement request to get Azure Front Door to recognize certificates, but it was triaged 2 years ago and still not added, so not sure if it will be worked. If it ever does get worked, devs could make own cert auth and self-signed cert with expirations to more securely hook front door to azure internal vm. For now, have to rely on the front door backend setting, waf, and azure firewall to have these things routed.
There are some options in Akamai and other edge routing systems to import cert and self-created authority sort of, but I've not tried that yet, so cannot confirm this would cleanly wrap your azure site without cert errors. You can make a self-signed authority using openssl commands as noted in other posts out and about on the web.
The simplest and cheapest option is to purchase a domain and use a cname dns record to map your new domain to your Azure subdomain address - an "A" record is not required. Also per answer above, a WAF is expensive and possibly unnecessary for a test set up (but a requirement for a production website). You can use Certbot and NGINX to create a free Lets Encrypt certificate for your domain and assign it to your website.
Adding a Public IP Address, Load Balancer, and Network Security Group to your Azure Resource Group may also be required to provide access to your website. This is largely how my test configuration is set up except I'm using a Linux VM, have a single wildcard certificate, and use NGINX to reverse proxy 3 websites.

AppService in Azure and DNSs managed by GoDaddy: SSL issue when Azure's IP changes

I have an AppService hosted in Azure and DNSs managed by GoDaddy. When the IP address of the AppService changes, the SSL certificate is no longer valid (you browse the site and you get a privacy error because the certificate is not in the correct domain). In order to fix this issue, I need to go to GoDaddy and change the IP address.
My configuration in GoDaddy:
A record referring to the AppService IP address
CNAME www record referring to the app service URL xxx.azurewebsites.net
SSL certificate in Azure:
www.domainname.com: SNI based
domainname.com: IP SSL based
Note about IP SSL based certificate: changing both to SNI based did not fix the issue.
Any ideas to avoid having to update the IP address in GoDaddy every time Azure changes the ip of the AppService?
You can try pointing your GoDaddy CName www record to sni.[website].azurewebsites.net. A detailed write-up can be found here:
https://blogs.msdn.microsoft.com/benjaminperkins/2017/08/11/azure-app-service-ip-based-ssl-and-sni-based-ssl-configuration/

SSL with appcloud.net subdomains

My SSL certificate is not verified on a subdomain of cloudapp.net - Classic Virtual server at Azure.
I setup everything in my IIS, and my port rule 443.
Could the subdomains at cloudapp.net not work with HTTPS at all?
Could the subdomains at cloudapp.net not work with HTTPS at all?
I tested it recently on my side and I make sure that the subdomains at cloudapp.net could work with HTTPS. Following are my steps.
Step 1. Generated certificate and installed it to IIS. I created and used a self-signed certificate for testing. I generated the .pfx file according to ways described in following link.
Generating a Self-Signed Certificate for Windows Azure Cloud Service
After that, we can upload the certificate to IIS of VM.
Step 2. Add HTTPS binding to your IIS.
Step 3. Enable 443 port for inbound rules and outbound rules.
Step 4. Add 443 endpoint for your VM.

Resources