I have a webserver (IIS) with an SSL cert for *.mydomain.com
This works perfectly for https://anysubdomain.mydomain.com/ but going to https://mydomain.com/ causes a certificate mismatch error in IE (has not been tested in all other browsers).
Is there any way to work around this, or is it simply a problem with the way IE treats the wildcard in the certificate we have to live with?
The only way to remove the error message when accessing the site at https://mydomain.com is to put the base domain (mydomain.com) in as a Subject Alternative Name in the wildcard. Several certificate providers will add this for free (including DigiCert and Comodo) but you will need to reissue your certificate.
Related
I created Wildcard certificate to support my site domain and subdomains.
The new certificate works for my subdomains (e.g www.mydomain.com , sub.mydomain.com)
But when I try to get to mydomain.com I get certificate warning: "the certificate is only valid for *.mydomain.com"
Is it a problem with my configuration or just the Wildcard certificate doesn't support it?
For supporting both example.com and subdomain.example.com the certificate needs to include both *.example.com and example.com as subject alternative names. I assume that the last one is missing from your certificate.
I guess you have purchased wildcard ssl certificate from thawte or symantec, which does not support equally www and non-www. In the past, I purchased thawte wildcard certificate and faced the same type of issue. I just discussed with my vendor to get the solution, they gave me technical support instantly and suggest alphassl wildcard -
https://www.ssl2buy.com/alphassl-wildcard.php. After that, I switched over to alphassl wildcard that works fine on my both domain names mydomain.com, www.mydomain.com as well anything.mydomain.com.
I have just bought an SSL Certificate for my website from azure. when setting up a certificate under "Naked domain hostname" i entered the domain name WITHOUT "www".
Currently if i were to view my website with https://xyz.ca, it works just fine and it says it is secure, but if enter www.xyz.ca i do not see anything.
To atleast view the website with www.xyz.ca, i have removed HTTPS:// only request. However now this makes website un-secure.
Question
1. what will be the best way to make www.xyz.ca secure using the same certificate that i have bought?
2. if there is any other solution available, that will be fine too.
I am attaching some screenshots to understand better:
In fact a cert CAN support MANY domains. Now, whether this is something that you can add for free with the SSL provider you have chose is a different question. Certificate Subject Alternate Name(s) are what is used for this. For example the cert for this site allows stackexchange.com AND stackoverflow.com and a number of others and sub-domains too.
A valid SSL certificate must match the access FQDN domain name.
One Standard certificate only could be used for one FQDN domain name, such as www.xyz.ca while one WildCard certificate could be used for all like *.xyz.ca FQDN domain name, so usually we use the same WildCard certificate for all different services. More information about SSL Certificate Names
As the comment point it out, instead of buying one via the Azure Portal, you can get a free one via letsencrypt.org
Update
When you purchase an app service certificate in Azure for a root domain, by default, Azure supports hostname as a root domain name and www subdomain. You do not need to purchase another certificate. In this case, you already have two hostnames assigned to the site. You just bind the certificate for each. If you don't see the domain name(s) in the Hostname dropdown, try refreshing the browser page or change another browser.
I used to run one of my websites (EyeDentity.Online) from a Windows VM on Azure. I had an SSL Certificate in IIS up to run it and all was well in the world.
Since I moved the Website to the Azure App Service and installed the SSL Certificate in Azure whenever I go to the Website for the first time in a browser session it tells me that the certificate is invalid.
It appears to quote the standard AzureWebsites.NET even though my certificate is bound to my website
How can I get this warning to go away as it may be scaring away users!
Things to check:
You must be on Standard or Premium level to bind to cert
Check SSL bindings section of Custom Domains and SSL blade to make sure you've
bound the domain to the right cert.
The description of the problem sounds like number 2 here. If you haven't changed this, then it will bind by default to the azurewebsites cert and not yours.
Some docs here: https://azure.microsoft.com/en-us/documentation/articles/web-sites-configure-ssl-certificate/
Your cert is for azurewebsites.net and not EyeDentity.Online. You should get a wildcard cert for your domain name:
*.azurewebsites.net should be: *.eyedentity.online
ref: https://azure.microsoft.com/en-us/documentation/articles/web-sites-configure-ssl-certificate/#1-get-an-ssl-certificate
"Before requesting an SSL certificate you must first determine which
domain names will be secured by the certificate. This will determine
what type of certificate you must obtain. If you just need to secure a
single domain name such as contoso.com or www.contoso.com a basic
certificate is sufficient. If you need to secure multiple domain
names, such as contoso.com, www.contoso.com, and mail.contoso.com,
then you can get a wildcard certificate, or a certificate with Subject
Alternate Name (subjectAltName)."
We have two A records pointing to same public IP address as:
www.example.com IN A 192.*.*.*
example.com IN A 192.*.*.*
We have certificate issued by Verisign to www.example.com. Now when the user types https://www.example.com/xyz, everything works fine as expected.
But when we use https://example.com/xyz, the browser throws an error:
"There is a problem with this website's security certificate"
And asks the user to make decision if they trust and want to go ahead.
Now what should be best practice here:
Change certificate and get wildcard certificate *.example.com
Use following setting at DNS:
www.example.com IN A 192.*.*.*
example.com IN CNAME www.example.com
Write a HTTP module in .Net pipeline to redirect user if they type example.com/xyz to www.example.com/xyz. I know this is not recommended.
We would like to do something like what chase.com is doing. If you type chase.com it takes you to https://www.chase.com/.
None of the above. You should get SSL certificate that covers two domains: www.mydomain.com and mydomain.com.
As per your proposals:
1) Having wildcard certificate for a single domain of *.mydomain.com will still give you an error when opening mydomain.com without any prefix. You may of course get a multidomain certificate for *.mydomain.com and mydomain.com
2) For the sake of SSL, it doesn't matter CNAME or A - DNS used to get the address (A record) of your webserver, afterwards browser still expects SSL certificate to match exactly what you type in the address bar.
3) That would work for http requests, but when user types https://mydomain.com, browser checks SSL certificate before it processes the redirection request, and will still show the warning.
P.S. You have this problem because CA industry is totally screwed. Their product pages all look like "super 256-bit encryption" (certificate have nothing to do with encryption strength), mobile support (be it mobile or mainframe, certficate is all the same), and "a free site-seal included" (site seal is a great name for a CA advertisement placed on your site).
All the not important things like is it's CRL or OCSP, or which domain names it covers at all - never mentioned.
I issued a self signed certificate on IIS 7.5, and it is working correctly if i access my website through my computer.
However, if i access the website from another computer, i get an warning saying the certificate was issued to another address.
Is this because the certificate was issued to localhost instead of the actual IP?
Or this doesn't make any sense?
Regards,
The error message you are getting is normal, assuming you do not have anything in your certificate aside from 'localhost' to identify the owner.
Your browser is performing a name check, and looking to validate the certificate that is presented with the URL you typed in. Typically, the common name of a certificate matches the hostname/DNS name of the machine. Alternatively, there can be information inside of the Subject Alt Name (SAN) extension of your certificate. There, you could specify multiple DNS names or IPAddress fields that identify your server in addition to the CN.
If you are simply performing internal testing, I would not be terribly worried about the warning you are receiving. Just keep all of this in mind when you move to production. Also, having your CA being self-signed, you may also receive trust warnings, unless you manually import your self-signed CA certificate into the trust store of the browser you are using.
Maybe this helps you: Self signed certificates on IIS 7. At the end of the article, in the section named "Adding the Certificate to Trusted Root Certificate Authorities", an alternative solution is shown, but it implies importing the certificate in the client machine, so that could be a huge disadvantage. However, it is a solution if you can't register the certificate on a Certificate Authority, an you have access to the client machine.