Verisign Changing IP Address

Hello Experts,

We have purchased a VeriSign Certificate Class 3 for our webserver. It's installed and working.

I opened some IP addresses on our firewall allowing port 443, and clients inside our network are able to visit the website and revoke the certificate.

Now when the users access the web page it gives the error. After some troubleshooting I realized VeriSign had changed the IP address, and clients can't get through the firewall as the IP address is not in the list of IPs allowed to get through.

So my question is, how do I get clients to see VeriSign without opening the whole server to the internet, for obvious security reasons, so it can see the revoked list on verisign.com using only IP addresses?
1.jpg
Asked:
cciedreamer
1 Solution
 
Craig Beck Commented:
I don't think that's a VeriSign issue, or an issue trying to reach the VeriSign websites.

You're trying to connect to the webserver with a URL or IP address that doesn't match what's in the certificate.

For example, if your server is called server.mydomain.local, but you're redirecting users through a firewall to use www.myserver.com, you could have requested the certificate with the wrong hostname. Or you could be using multiple IP addresses on the web server and are redirecting through the firewall to the wrong one.
0
 
cciedreamer (Author) Commented:
Hi,

Thanks for your reply.
Firstly, when I open full internet access on the client, I can access the website with no issues.

I am sure we have no issues with the URL.

Samir
0
 
btan (Exec Consultant) Commented:
The webserver name should correspond to the common name of the server's FQDN, as the error is saying that. But if you have done that all right internally (probably not via your perimeter FW), then likely the FW, or something down the chain for those users outside the internal zone, is not accessing the right server, or DNS redirected them somewhere. Another possibility: there is a certain blacklist hit at the appliance. From a port 80 or 443 perspective, the FW should not be blocking if you are hosting a web server in your DMZ for your users coming in from public or remote.
0
 
Sudeep Sharma (Technical Designer) Commented:
I would agree with craigbeck; the screenshot also suggests the same: "The security certificate presented by this website was issued for a different website's address."

So it has something to do with the URL address.

You have also mentioned that if you open full internet access on the client it works, so did you try accessing it from different locations? Are you getting the same error from anywhere else?

Sudeep
0
 
cciedreamer (Author) Commented:
No, I get no error anywhere except where the client has restricted access.

I have no problem accessing from home, mobiles and other wifi hotspots.
0
 
btan (Exec Consultant) Commented:
Would the internal end resolve the common name if you do an nslookup from the internal client? Likewise, any issue doing the reverse lookup? Also, is there an alternate name for that certificate instead?
0
 
Craig Beck Commented:
I think you're going to be using a different hostname internally, such as the internal hostname of the server, and not the public DNS name.

Do you have split-DNS or a CNAME record for your server?
0
 
cciedreamer (Author) Commented:
Dear Experts,

I want to clarify a simple thing.

Why, with full internet access (no restrictions, no ACL), am I able to access the URL,

but when restricting internet access and allowing a specific URL through the firewall (Cisco Router 3725), I am getting the certificate error page?

Also, I am doing the tests from the same machine.

Any hints, please.
0
 
Craig Beck Commented:
Really, it has to be a DNS issue, or a redirection issue. There are no IP restrictions on SSL certificates.

Are you testing from the same place, but simply removing the ACL, or are you testing from a different network?

It's quite common for the web site to use a different real hostname than what users on the internet see it as. For example, your server could really be called web1.mydomain.internal but users on the internet would see it as www.mydomain.com. To achieve this it's just a matter of providing a DNS record to point to the server, and having an appropriate SSL certificate with the same DNS name. On the internal network though you wouldn't be trying to use the same URL as people on the internet, so you may see a certificate warning.
0
 
cciedreamer (Author) Commented:
Hi,

Thank you for the response. The issue is resolved.

I contacted Symantec and they advised me to open the following URLs instead of IP addresses:

*.verisign.com
*.thawte.com
*.geotrust.com
*.rapidssl.com
*.digitalcertvalidation.com
*.ws.symantec.com

Check the link below for more info.

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AD596

Hope it will help others.
0
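An added example, not part of the original thread: it lists the CRL/OCSP URLs named in a certificate's text dump and reports which ones the hostname allow list quoted above would not pass. The certificate excerpt and its URLs are constructed sample values, the function names are hypothetical, and a `*.domain` entry is assumed to cover any depth of subdomain but not the bare domain.

```python
import re
from urllib.parse import urlsplit

# Wildcard entries quoted from the vendor's advice in the thread.
ALLOWED_PATTERNS = ["*.verisign.com", "*.thawte.com", "*.geotrust.com",
                    "*.rapidssl.com", "*.digitalcertvalidation.com",
                    "*.ws.symantec.com"]

# Constructed excerpt in the layout of `openssl x509 -noout -text`; the
# URLs are sample values, not taken from the certificate in the thread.
SAMPLE_CERT_TEXT = """\
    X509v3 CRL Distribution Points:
        Full Name:
          URI:http://crl.verisign.com/sample.crl
    Authority Information Access:
        OCSP - URI:http://ocsp.verisign.com
        OCSP - URI:http://ocsp.example-ca.test
        CA Issuers - URI:http://192.0.2.10/sample.cer
"""

def revocation_urls(cert_text):
    """Collect every URI from the CRL Distribution Points / AIA sections."""
    return re.findall(r"URI:(\S+)", cert_text)

def host_allowed(host, patterns=ALLOWED_PATTERNS):
    """True if host matches an entry; wildcards match on a label boundary."""
    host = host.lower().rstrip(".")
    for pattern in patterns:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            suffix = pattern[1:]  # e.g. ".verisign.com"
            # The leading dot keeps look-alikes ("notverisign.com") and
            # the bare domain ("verisign.com") from matching.
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == pattern:
            return True
    return False

def blocked_endpoints(urls, patterns=ALLOWED_PATTERNS):
    """Return the URLs whose host the allow list would not let through."""
    return [u for u in urls
            if not host_allowed(urlsplit(u).hostname or "", patterns)]

if __name__ == "__main__":
    for url in blocked_endpoints(revocation_urls(SAMPLE_CERT_TEXT)):
        print("not covered by allow list:", url)
```

Running the same check against the text dump of the real server certificate and its chain shows which revocation hosts still need a rule before access is restricted.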
 
cciedreamer (Author) Commented:
Solved on my own by contacting the vendor.
0
