Verisign Changing IP Address

Hello Experts,

We have purchased a VeriSign Certificate Class 3 for our webserver. Its installed and working

I opened some IP addresses on our firewall allowing port 443 and client inside our network our able to visit the website and revoke the certificate.

Now when the users access the web page it give the error. After some troubleshooting I realized VeriSign had changed the IP address and client can't  get through the firewall as the IP Address is not listed in the list of IP's allowed to get through

So my question is, how do I get clients to see VeriSign  without
opening the whole server to the internet, for obvious security reasons, so it
can see the revoked list on verisign.com using only IP Addresses?
1.jpg
LVL 3
cciedreamerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Craig BeckCommented:
I don't think that's a VeriSign issue, or an issue trying to reach the VeriSign websites.

You're trying to connect to the webserver with a URL or IP address that doesn't match what's in the certificate.

For example, if your server is called server.mydomain.local, but you're redirecting users through a firewall to use www.myserver.com you could have requested the certificate with the wrong hostname.  Or you could be using mulitple IP addresses on the web server and are redirecting through the firewall to the wrong one.
0
cciedreamerAuthor Commented:
Hi,

Thanks for your reply.
Firstly when I open full internet access on client, I can access website with no issues.

I am sure we have no issues with URL.

Samir
0
btanExec ConsultantCommented:
The webserver name should be corresponding to the common name of the server's fqdn as the error is saying that. But if you done that alright internally (probably not via your perimeter fw) then likely the fw or down the chain for those user out of the internal zone is not accessing the right server or dns redirected them somewhere. Another there is certain blacklist hit at the appliance. From a port 80 or 443 perspective, Fw should not be blocking if you are hosting a web server in your dmz for your user coming in from public or remote
0
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

Sudeep SharmaTechnical DesignerCommented:
I would agree with craigbeck, also the screenshot suggests the same. "The security certificate presented by this website was issues for a different website's address."

So it has something to do with the URL address.

You have also mentioned that if you open full internet access on client it works, so did you tried accessing it from different locations? Are you getting the same error from anywhere else?

Sudeep
0
cciedreamerAuthor Commented:
No I not error anywhere accept where the client has restricted access.

I have no problem accessing from home, mobiles and other wifi hotspot.
0
btanExec ConsultantCommented:
Would the internal end resolving the common name if you do a nslookup from the internal client? Likewise any issue doing the reverse lookup. Also is there alternate name fot that certificate instead
0
Craig BeckCommented:
I think you're going to be using a different hostname internally, such as the internal hostname of the server, and not the public DNS name.

Do you have split-DNS or a CNAME record for your server?
0
cciedreamerAuthor Commented:
Dear Experts,

I want to clarify simple thing.

Why with full internet access ( no restrcitions, no acl ) I am able to access the URL

But when restriction internet access and allowing specific URL through Firewall ( Cisco Router 3725) I am getting certificate error page.

Also I am doing the tests from the same machine.

Please any hints.
0
Craig BeckCommented:
Really, it has to be a DNS issue, or a redirection issue.  There are no IP restrictions on SSL certificates.

Are you testing from the same place, but simply removing the ACL, or are you testing from a different network?

It's quite common for the web site to use a different real hostname than what users on the internet see it as.  For example, your server could really be called web1.mydomain.internal but users on the internet would see it as www.mydomain.com.  To achieve this it's just a matter of providing a DNS record to point to the server, and having an appropriate SSL certificate with the same DNS name.  On the internal network though you wouldn't be trying to use the same URL as people on the internet, so you may see a certificate warning,
0
cciedreamerAuthor Commented:
Hi,

Thank you for response. The issue is resolved.

I contacted symantec and they advised me to open the following URL's instead of IP addresses

*.verisign.com
*.thawte.com
*.geotrust.com
*.rapidssl.com
*.digitalcertvalidation.com
*.ws.symantec.com

Check below link for more info.

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AD596

Hope it will help others
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
cciedreamerAuthor Commented:
Solved on my own by contacting the vendor.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
SSL / HTTPS

From novice to tech pro — start learning today.