Certificate identity problem

cturcott asked:

I've got certificates nearly figured out but there is something eluding me about how to set them up still, apparently.  This is the message I get when trying to access my site using Google Chrome.  I thought the www in www.etc.etc/etc was an alias or wildcard that doesn't need to be identified.  What am I missing in my configuration?  It's got to be something simple, but I don't know the answer.  The following is the message Google Chrome gives me when I try to access my site.  It's using a 3rd-party certificate, not a self-signed one.

Thanks

You attempted to reach www.cturcott.com, but instead you actually reached a server identifying itself as xchg.cturcott.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of www.cturcott.com. You should not proceed.
Dave Howe:

No. You need www if you are going to specify it on the URL line. Only typing xchg.cturcott.com will work in the current instance; anything else will give a certificate error.

If you want to support multiple names, you should consider a wildcard (*.cturcott.com) or a SAN (list of domains) certificate.

cturcott (asker):

I thought a wildcard was for multiple domains.  Why would I need that if I don't have multiple domains (I just have cturcott.com)?

Here is some additional information.

When running the test here:
https://www.testexchangeconnectivity.com/
I get the following error:

Testing SSL mutual authentication with the RPC proxy server.
Verification of mutual authentication failed.
   
The certificate common name xchg.cturcott.com doesn't validate against the mutual authentication string that was provided: msstd:cturcott.com
 
The help link took me here
http://technet.microsoft.com/en-us/library/dd439371(EXCHG.80).aspx

It doesn't seem to apply directly to my problem though as near as I can tell.  Can you shed additional light on the situation?
Steve Bink: [solution text available to Experts Exchange members only]
[solution text available to Experts Exchange members only]
I only have one host.  Internally it's xchg.cturcott.com.  The public DNS record for it that points at the outside IP address for it is www.cturcott.com.  I got a certificate for cturcott.com.  What am I missing?
[solution text available to Experts Exchange members only]
Is there another way to do this that doesn't require a wildcard certificate?  That does cost more after all.  I want to know if I could have configured things differently so as not to need a wildcard.
[asker-certified solution; text available to Experts Exchange members only]
I would suggest you set up two web listeners then - one for internal users (which can use a self-generated certificate) and one for the web (which can use a www.domain cert)

you will need to get the www one reissued though.
StartSSL asked me for two names, and I gave it cturcott.com and xchg.cturcott.com, thinking that would work both internally and externally, as it responds as xchg.cturcott.com internally, and externally the DNS records are, well... I'll put those at the bottom so you can see how I have it set up currently.

How can I set it up with two web listeners for internal and web users?  This is one of the things I had wondered about.  I don't suppose I can set up a DNS alias to avoid the need for multiple certs?  I expect that if I change the name to www.cturcott.com on the cert, the internal users will get an error because it answers as xchg.cturcott.com.  If I set up a DNS record internally with www.cturcott.com as an alias for the xchg.cturcott.com server, will that make the error go away once I change the cert to www.cturcott.com on StartSSL?

Hostname            Service         Details          Last Updated
cturcott.com        A-record        24.130.95.197    Dec. 16, 2010 2:52 AM
mail.cturcott.com   A-record        24.130.95.197    Dec. 16, 2010 2:52 AM
www.cturcott.com    Alias (CNAME)   cturcott.com     N/A
xchg.cturcott.com   Alias (CNAME)   cturcott.com     N/A
A DNS alias does not change the hostname in the request - it only points that name to the IP of a different name.

"Normal" certificates are made for one name.  That can be cturcott.com, www.cturcott.com, or xchg.cturcott.com.  Each IP can use *one* certificate.  So, you have three ways you can approach this:

1) Get a wildcard certificate for *.cturcott.com.  This will handle all of the sites mentioned here so far.
2) Get a certificate for each subdomain, and use a different IP for each one.  
3) Use your existing certificate and live with the warning.
If xchg.cturcott.com is what is on the certificate, then that's what users need to type to not get the error.
If cturcott.com is what is on the certificate, then that's what users need to... ah, you know what I mean.

A basic SSL certificate has exactly one name, and will throw an error if you use any other name to connect to it. To get more names, you need to get a certificate that supports that.

If you have bought cturcott.com, though, why not just use that? You have an A-record for it externally, and can presumably make sure it resolves internally too. Just make sure all clients (mail/web/whatever) are set to use the name that matches the certificate.
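The name checks described in the two replies above, as an added example (this is not code from the thread, nor from Exchange, Chrome or StartSSL): a small Python model of how a browser compares the name typed in the URL with the names in the server certificate, following the RFC 6125 rules that browsers use (dNSName SAN entries take precedence over the Common Name, and a `*` covers exactly one leftmost label). The certificate contents follow the asker's description (CN xchg.cturcott.com, SAN cturcott.com and xchg.cturcott.com), the DNS table is copied from the asker's listing, and the `msstd:` check is a simplification inferred from the connectivity-test message quoted earlier in the thread, not Microsoft's implementation.

```python
"""Hostname-vs-certificate matching, modelled on the thread above.

Shows what a browser does with the name typed in the URL: resolve it
(following CNAMEs), then compare the *typed* name, not the CNAME target,
against the certificate's names.  Certificates and the DNS table are
constructed from the thread; nothing is fetched from the network.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Cert:
    """Minimal model of the identity fields of an X.509 server certificate."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)

    def names(self) -> List[str]:
        # RFC 6125 / browsers: if any dNSName SAN is present, the CN is ignored.
        return list(self.san_dns) if self.san_dns else [self.common_name]


def _label_match(pattern: str, host: str) -> bool:
    """Match one certificate name (possibly '*.example') against a hostname."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard must be the entire leftmost label, must have at least two
    # labels after it (no '*.com'), and covers exactly one label: so
    # '*.cturcott.com' matches neither 'cturcott.com' nor 'a.b.cturcott.com'.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches(cert: Cert, host: str) -> bool:
    """True if the typed hostname is covered by the certificate."""
    return any(_label_match(n, host) for n in cert.names())


def msstd_matches(cert: Cert, msstd: str) -> bool:
    """Model of the Outlook Anywhere 'msstd:' check from the connectivity test.

    The test output quoted in the thread compares the certificate *common
    name* with the msstd: string, so only the CN is consulted here.  This is
    an assumption drawn from that message, not Microsoft's documented logic.
    """
    expected = msstd.split(":", 1)[1] if msstd.lower().startswith("msstd:") else msstd
    return _label_match(cert.common_name, expected)


# DNS records as listed by the asker (constructed here from that listing).
DNS: Dict[str, Tuple[str, str]] = {
    "cturcott.com":      ("A",     "24.130.95.197"),
    "mail.cturcott.com": ("A",     "24.130.95.197"),
    "www.cturcott.com":  ("CNAME", "cturcott.com"),
    "xchg.cturcott.com": ("CNAME", "cturcott.com"),
}


def resolve(name: str, depth: int = 8) -> Optional[str]:
    """Follow CNAMEs to an A record.  The alias changes where the packets go,
    not which name the client verifies."""
    while depth:
        rtype, target = DNS.get(name.lower().rstrip("."), (None, None))
        if rtype == "A":
            return target
        if rtype != "CNAME":
            return None
        name, depth = target, depth - 1
    return None


def check(cert: Cert, typed_name: str) -> Tuple[Optional[str], bool]:
    """Resolve the typed name, then match that same name against the cert."""
    return resolve(typed_name), cert_matches(cert, typed_name)


# Certificate as the asker described it: CN xchg.cturcott.com, with the two
# names given to StartSSL as SAN entries.
THREAD_CERT = Cert("xchg.cturcott.com", ["cturcott.com", "xchg.cturcott.com"])
# A bare wildcard certificate (hypothetical), to show what '*' does and does not cover.
WILDCARD_CERT = Cert("*.cturcott.com", ["*.cturcott.com"])

if __name__ == "__main__":
    for name in ["www.cturcott.com", "xchg.cturcott.com", "cturcott.com", "mail.cturcott.com"]:
        ip, ok = check(THREAD_CERT, name)
        print(f"{name:<20} -> {ip}   matches issued cert: {ok}")
    print("msstd:cturcott.com vs CN:", msstd_matches(THREAD_CERT, "msstd:cturcott.com"))
    for name in ["www.cturcott.com", "cturcott.com", "a.b.cturcott.com"]:
        print(f"{name:<20} matches *.cturcott.com: {cert_matches(WILDCARD_CERT, name)}")
```

Running it reproduces Chrome's complaint: www.cturcott.com resolves through the CNAME to the same address as everything else, but the browser matches the name that was typed, and that name is on neither the SAN list nor the CN. It also shows the wildcard caveat: a bare *.cturcott.com certificate covers www and xchg but not cturcott.com itself or a two-level name such as a.b.cturcott.com, which is why CAs normally add the apex name as an extra SAN on wildcard certificates. One caveat the thread predates: with SNI, a modern web server can present different certificates for different names on one IP address, so separate IPs per name are no longer the only way to serve two certificates.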
I think I'm gradually starting to understand, at least well enough to ask some additional questions.  Please bear with me as I learn how this works.

Do I need more than one hostname?  Is that possible?  If I don't configure this in DNS (alias), where do I set that up?  You said I can use different IP addresses for each; where do I go to configure that?
[solution text available to Experts Exchange members only]
If you need one name for your "internal" users and one for external, then two IPs make sense. You don't need to ask your ISP about that, as the "internal" IP doesn't need to be NATed to the internet.

Just add a second (LAN) IP to the interface, then configure a listener (in whichever web server you use) to listen on that second IP. It can serve the same files, but with a different certificate.

So if (for example) your web server is on 192.168.1.10 on your LAN (with a firewall giving it a real IP for the internet), you can add 192.168.1.20 (again, for example) and define a second "site" in the admin tool there. This doesn't need an internet address (as only your LAN users need use it) and can be added to your internal DNS as the IP of the server. If you are using MS DNS for service location, you probably want the new IP as the primary (so that users connect to that by default) rather than the original (web) IP.
I've requested that this question be deleted for the following reason:

No comment has been added to this question in more than 21 days, so it is now classified as abandoned and is now flagged for deletion.

If there is a valid solution, please OBJECT and indicate the comments that are, or would otherwise lead to, a solution.

Use the specific format https:#axxxxxxxx for comment ID(s).

Also, please don't object simply because the author did not respond to your comment. While we understand this is frustrating, unfortunately we cannot force the author to return to the question. Unless you feel you have presented a valid, verifiable solution we'll simply delete the question.

Experts-Exchange Auto Deleter
Every expert in this question was providing good information towards correct solutions.  I suggest splitting the points among us.
Didn't hit object...