Solved

Verisign Changing IP Address

Posted on 2013-12-08
1,345 Views
Last Modified: 2013-12-18
Hello Experts,

We have purchased a VeriSign Class 3 certificate for our web server. It's installed and working.

I opened some IP addresses on our firewall allowing port 443, and clients inside our network are able to visit the website and revoke the certificate.

Now when the users access the web page it gives an error. After some troubleshooting I realized VeriSign had changed the IP address, and clients can't get through the firewall as the IP address is not listed in the list of IPs allowed through.

So my question is, how do I get clients to see VeriSign without opening the whole server to the internet (for obvious security reasons), so it can see the revoked list on verisign.com using only IP addresses?

(Screenshot attached: 1.jpg)
Question by:cciedreamer
11 Comments
 
LVL 45

Expert Comment

by: Craig Beck
ID: 39704857
I don't think that's a VeriSign issue, or an issue trying to reach the VeriSign websites.

You're trying to connect to the web server with a URL or IP address that doesn't match what's in the certificate.

For example, if your server is called server.mydomain.local, but you're redirecting users through a firewall to use www.myserver.com, you could have requested the certificate with the wrong hostname. Or you could be using multiple IP addresses on the web server and are redirecting through the firewall to the wrong one.
 
LVL 3

Author Comment

by: cciedreamer
ID: 39704882
Hi,

Thanks for your reply.
Firstly, when I open full internet access on the client, I can access the website with no issues.

I am sure we have no issues with the URL.

Samir
 
LVL 63

Expert Comment

by: btan
ID: 39705119
The web server name should correspond to the common name of the server's FQDN, as the error is saying. But if you have done that correctly internally (probably not via your perimeter FW), then likely the FW, or something down the chain for those users outside the internal zone, is not reaching the right server, or DNS redirected them somewhere else. Another possibility is a blacklist hit at the appliance. From a port 80 or 443 perspective, the FW should not be blocking if you are hosting a web server in your DMZ for users coming in from public or remote networks.
 
LVL 29

Expert Comment

by: Sudeep Sharma
ID: 39706168
I would agree with craigbeck; the screenshot also suggests the same: "The security certificate presented by this website was issued for a different website's address."

So it has something to do with the URL address.

You have also mentioned that if you open full internet access on the client it works, so did you try accessing it from different locations? Are you getting the same error from anywhere else?

Sudeep
 
LVL 3

Author Comment

by: cciedreamer
ID: 39706637
No, I do not get the error anywhere except where the client has restricted access.

I have no problem accessing from home, mobiles and other wifi hotspots.
 
LVL 63

Expert Comment

by: btan
ID: 39707379
Would the internal end resolve the common name if you do an nslookup from the internal client? Likewise, any issue doing the reverse lookup? Also, is there an alternate name for that certificate instead?
 
LVL 45

Expert Comment

by: Craig Beck
ID: 39707486
I think you're going to be using a different hostname internally, such as the internal hostname of the server, and not the public DNS name.

Do you have split-DNS or a CNAME record for your server?
 
LVL 3

Author Comment

by: cciedreamer
ID: 39716490
Dear Experts,

I want to clarify one simple thing.

Why, with full internet access (no restrictions, no ACL), am I able to access the URL,

but when I restrict internet access and allow specific URLs through the firewall (Cisco Router 3725), I get the certificate error page?

Also, I am doing the tests from the same machine.

Please any hints.
 
LVL 45

Expert Comment

by: Craig Beck
ID: 39716867
Really, it has to be a DNS issue or a redirection issue. There are no IP restrictions on SSL certificates.

Are you testing from the same place, but simply removing the ACL, or are you testing from a different network?

It's quite common for the website to use a different real hostname than what users on the internet see it as. For example, your server could really be called web1.mydomain.internal but users on the internet would see it as www.mydomain.com. To achieve this it's just a matter of providing a DNS record to point to the server, and having an appropriate SSL certificate with the same DNS name. On the internal network, though, you wouldn't be trying to use the same URL as people on the internet, so you may see a certificate warning.
 
LVL 3

Accepted Solution

by: cciedreamer (earned 0 total points)
ID: 39716924
Hi,

Thank you for the responses. The issue is resolved.

I contacted Symantec and they advised me to open the following URLs instead of IP addresses:

*.verisign.com
*.thawte.com
*.geotrust.com
*.rapidssl.com
*.digitalcertvalidation.com
*.ws.symantec.com

Check below link for more info.

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AD596

Hope it will help others
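The fix in the accepted answer amounts to allowing the CA's revocation-check endpoints by hostname rather than by address, because the CRL distribution points and OCSP responders a certificate points at are published as URLs and their IP addresses can change without notice. The script below is an added example written for this page; it is not code from the thread, from Symantec, or from the knowledge-base article linked above. It walks DER-encoded X.509 data with a small hand-written TLV parser (no third-party library), pulls out the URLs from the cRLDistributionPoints and authorityInfoAccess extensions, reduces them to the hostnames an outbound firewall must permit, and reports which of those the vendor's wildcard list does not cover. The sample extensions and their three URLs are constructed inline for the example, and the `*.` wildcard handling in `host_allowed` is an assumed reading of the vendor's list, not Cisco ACL syntax.

```python
"""Extract CRL/OCSP fetch URLs from DER X.509 data and check their hostnames
against a firewall allowlist. Added example; not code from the thread or the CA."""
from urllib.parse import urlparse

# RFC 5280 OIDs in DER form (hex written out here, not taken from the page)
OID_CRL_DP = bytes.fromhex("551d1f")                # 2.5.29.31 cRLDistributionPoints
OID_AIA = bytes.fromhex("2b06010505070101")         # 1.3.6.1.5.5.7.1.1 authorityInfoAccess
OID_OCSP = bytes.fromhex("2b06010505073001")        # 1.3.6.1.5.5.7.48.1 id-ad-ocsp
OID_CA_ISSUERS = bytes.fromhex("2b06010505073002")  # 1.3.6.1.5.5.7.48.2 id-ad-caIssuers
TAG_SEQUENCE, TAG_OID, TAG_OCTET_STRING, TAG_GN_URI = 0x30, 0x06, 0x04, 0x86

def _tlvs(buf, start, end):
    """Yield (tag, constructed, value_start, value_end) per DER TLV; single-byte tags only (enough for X.509)."""
    pos = start
    while pos < end:
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:  # long-form length: low 7 bits give the byte count
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        yield tag, bool(tag & 0x20), pos, pos + length
        pos += length

def _uris(buf, start, end):
    """Collect every GeneralName of type uniformResourceIdentifier ([6]) in a subtree."""
    out = []
    for tag, constructed, vs, ve in _tlvs(buf, start, end):
        if tag == TAG_GN_URI:
            out.append(buf[vs:ve].decode("ascii"))
        elif constructed:
            out.extend(_uris(buf, vs, ve))
    return out

def revocation_endpoints(der):
    """Return {'crl': [urls], 'aia': [urls]} from a whole certificate or a bare Extensions
    SEQUENCE: any SEQUENCE starting with one of the two extension OIDs is treated as an Extension."""
    found = {"crl": [], "aia": []}

    def walk(start, end):
        for tag, constructed, vs, ve in _tlvs(der, start, end):
            if tag == TAG_SEQUENCE:
                kids = list(_tlvs(der, vs, ve))
                if kids and kids[0][0] == TAG_OID:
                    key = {OID_CRL_DP: "crl", OID_AIA: "aia"}.get(der[kids[0][2]:kids[0][3]])
                    octets = [k for k in kids if k[0] == TAG_OCTET_STRING]  # skips optional 'critical'
                    if key and octets:
                        found[key].extend(_uris(der, octets[-1][2], octets[-1][3]))
                        continue
            if constructed:
                walk(vs, ve)

    walk(0, len(der))
    return found

def required_hosts(der):
    """Hostnames an outbound firewall must let clients reach for revocation checks."""
    return {urlparse(u).hostname for urls in revocation_endpoints(der).values() for u in urls}

def host_allowed(host, pattern):
    """Assumed reading of the vendor's list: '*.example.com' covers example.com and every
    name under it; anything else must match exactly. This is not Cisco ACL syntax."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return host == pattern[2:] or host.endswith(pattern[1:])
    return host == pattern

def uncovered_hosts(hosts, allowlist):
    return {h for h in hosts if not any(host_allowed(h, p) for p in allowlist)}

# --- constructed sample: a minimal DER encoder and two made-up extensions ---
def _tlv(tag, payload):
    n = len(payload)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + payload

def _seq(*items):
    return _tlv(TAG_SEQUENCE, b"".join(items))

SAMPLE_CRL_URL = "http://crl.verisign.com/sample.crl"       # made up for this example
SAMPLE_OCSP_URL = "http://ocsp.example-ca.net"              # made up for this example
SAMPLE_ISSUER_URL = "http://aia.example-ca.net/issuer.cer"  # made up for this example

# Extensions ::= SEQUENCE OF Extension { extnID OID, extnValue OCTET STRING }
SAMPLE_DER = _seq(
    _seq(_tlv(TAG_OID, OID_CRL_DP), _tlv(TAG_OCTET_STRING,
         # CRLDistributionPoints: SEQ { SEQ { [0] distributionPoint { [0] fullName { [6] uri } } } }
         _seq(_seq(_tlv(0xA0, _tlv(0xA0, _tlv(TAG_GN_URI, SAMPLE_CRL_URL.encode()))))))),
    _seq(_tlv(TAG_OID, OID_AIA), _tlv(TAG_OCTET_STRING,
         # AuthorityInfoAccess: SEQ { AccessDescription SEQ { accessMethod OID, [6] uri }, ... }
         _seq(_seq(_tlv(TAG_OID, OID_OCSP), _tlv(TAG_GN_URI, SAMPLE_OCSP_URL.encode())),
              _seq(_tlv(TAG_OID, OID_CA_ISSUERS), _tlv(TAG_GN_URI, SAMPLE_ISSUER_URL.encode()))))),
)

# The wildcard list the vendor gave in the accepted answer above.
VENDOR_ALLOWLIST = ["*.verisign.com", "*.thawte.com", "*.geotrust.com",
                    "*.rapidssl.com", "*.digitalcertvalidation.com", "*.ws.symantec.com"]
```

To use it on a real deployment, pass the DER bytes of each certificate in the chain (the server certificate and every intermediate, e.g. `required_hosts(open("server.der", "rb").read())`) and allow every hostname returned, since intermediates carry their own CRL and OCSP URLs. On the constructed sample the CRL host is covered by `*.verisign.com` while the two `example-ca.net` hosts are reported as uncovered. One caveat the thread does not spell out: a plain IP access list on a router cannot express `*.verisign.com`, so the names have to be enforced by a proxy or an FQDN-aware firewall rule; resolving them to addresses once and pasting those into the ACL recreates exactly the breakage described at the top of the thread.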
 
LVL 3

Author Closing Comment

by: cciedreamer
ID: 39726180
Solved on my own by contacting the vendor.
