Solved

SSL certicate issue, is it a domain name issue?

Posted on 2013-05-23
5
293 Views
Last Modified: 2013-07-11
I have a third party SSL cert that I'm using for one of my websites (https access). The website is behind my firewall.

External, public DNS name of the url is mysite.com and has a public address which is mapped to an internal IP of the website.

The SSL cert contains the name: mysite.com (matching the public DNS record)

The internal name of site is mysite.home.com

Users are getting this error when they connect:

SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Is this because the internal FQDN name does not match the external name that's on the SSL cert?
0
Comment
Question by:iamuser
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 39193471
the SSL endpoint must be mysite.com, then the user will not get an certificate error
mysite.com must be the web server where your certificate is stored
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39193606
That's a Certificate Chain error there, not a name missmatch.
Check the internal users are allowed to reach the intermediate certificate listed in the authority access field on the certificate, or in the alternative (if you don't want them having access to that) download it and push it out via group policy?
0
 
LVL 40

Expert Comment

by:noci
ID: 39193679
for certificates you need to get everithing right.

Chain must validate, the top CA certificate must be trusted.
The current date must be valid on all certificates in the chain.
The subject of the service certificate must match the name that is used as hostname.
The Certificate is checked BEFORE any data (like http host: header tag) is tranferred.
0
 

Author Comment

by:iamuser
ID: 39250113
So the problem is that internal users are not reaching the server that's holds the CA certificate?
0
 
LVL 40

Accepted Solution

by:
noci earned 500 total points
ID: 39251464
No they are reaching the server but they cannot validate all ceritificate.

(click the icon left of the url for an explanation, and check the certificate chain )

Top most certificate must be trusted & valid
-- intermediate certificate - must be valid
  -- intermediate certificate  - must be valid
    -- server certificate must containt the hostname & be valid.

For your server certificate:

mysite.home.com        for internal users
mysite.com                   for external users...

So you need a certificate that contains BOTH names.
(Subject Alternate Name / SAN certificate)

And, no, you cannot have more than ONE certificate for each IP addres/Portnumer pair.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction This article explores the design of a cache system that can improve the performance of a web site or web application.  The assumption is that the web site has many more “read” operations than “write” operations (this is commonly the ca…
As tax season makes its return, so does the increase in cyber crime and tax refund phishing that comes with it
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question