Solved

Verisign Changing IP Address

Posted on 2013-12-08
Last Modified: 2013-12-18
Hello Experts,

We have purchased a VeriSign Certificate Class 3 for our webserver. It's installed and working.

I opened some IP addresses on our firewall allowing port 443, and clients inside our network are able to visit the website and revoke the certificate.

Now when the users access the web page it gives the error. After some troubleshooting I realized VeriSign had changed the IP address and clients can't get through the firewall, as the IP address is not listed in the list of IPs allowed to get through.

So my question is, how do I get clients to see VeriSign without opening the whole server to the internet, for obvious security reasons, so it can see the revoked list on verisign.com using only IP addresses?
1.jpg
0
Question by:cciedreamer
11 Comments
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39704857
I don't think that's a VeriSign issue, or an issue trying to reach the VeriSign websites.

You're trying to connect to the webserver with a URL or IP address that doesn't match what's in the certificate.

For example, if your server is called server.mydomain.local, but you're redirecting users through a firewall to use www.myserver.com, you could have requested the certificate with the wrong hostname. Or you could be using multiple IP addresses on the web server and are redirecting through the firewall to the wrong one.
0
 
LVL 3

Author Comment

by:cciedreamer
ID: 39704882
Hi,

Thanks for your reply.
Firstly when I open full internet access on client, I can access website with no issues.

I am sure we have no issues with URL.

Samir
0
 
LVL 63

Expert Comment

by:btan
ID: 39705119
The webserver name should correspond to the common name of the server's FQDN, as the error is saying. But if you have done that alright internally (probably not via your perimeter FW), then likely the FW, or something down the chain for those users out of the internal zone, is not accessing the right server, or DNS redirected them somewhere. Another possibility is a certain blacklist hit at the appliance. From a port 80 or 443 perspective, the FW should not be blocking if you are hosting a web server in your DMZ for your users coming in from public or remote.
0
 
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 39706168
I would agree with craigbeck; also the screenshot suggests the same: "The security certificate presented by this website was issued for a different website's address."

So it has something to do with the URL address.

You have also mentioned that if you open full internet access on the client it works, so did you try accessing it from different locations? Are you getting the same error from anywhere else?

Sudeep
0
 
LVL 3

Author Comment

by:cciedreamer
ID: 39706637
No, I do not get the error anywhere except where the client has restricted access.

I have no problem accessing from home, mobiles and other wifi hotspot.
0
 
LVL 63

Expert Comment

by:btan
ID: 39707379
Would the internal end resolve the common name if you do an nslookup from the internal client? Likewise, is there any issue doing the reverse lookup? Also, is there an alternate name for that certificate instead?
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39707486
I think you're going to be using a different hostname internally, such as the internal hostname of the server, and not the public DNS name.

Do you have split-DNS or a CNAME record for your server?
0
 
LVL 3

Author Comment

by:cciedreamer
ID: 39716490
Dear Experts,

I want to clarify a simple thing.

Why, with full internet access (no restrictions, no ACL), am I able to access the URL,

but when I restrict internet access and allow specific URLs through the firewall (Cisco Router 3725), I am getting the certificate error page?

Also I am doing the tests from the same machine.

Please any hints.
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39716867
Really, it has to be a DNS issue, or a redirection issue.  There are no IP restrictions on SSL certificates.

Are you testing from the same place, but simply removing the ACL, or are you testing from a different network?

It's quite common for the web site to use a different real hostname than what users on the internet see it as. For example, your server could really be called web1.mydomain.internal but users on the internet would see it as www.mydomain.com. To achieve this it's just a matter of providing a DNS record to point to the server, and having an appropriate SSL certificate with the same DNS name. On the internal network though you wouldn't be trying to use the same URL as people on the internet, so you may see a certificate warning.
0
 
LVL 3

Accepted Solution

by: cciedreamer (earned 0 total points)
ID: 39716924
Hi,

Thank you for response. The issue is resolved.

I contacted Symantec and they advised me to open the following URLs instead of IP addresses:

*.verisign.com
*.thawte.com
*.geotrust.com
*.rapidssl.com
*.digitalcertvalidation.com
*.ws.symantec.com

Check below link for more info.

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AD596

Hope it will help others
0
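An added check, not from the thread or the vendor, for the situation described in the accepted solution: given the OCSP and CRL URLs a certificate carries, it lists the hostnames and ports a restricted client must be able to reach and flags any that the wildcard allow-list above would not cover. The sample URLs are constructed, VeriSign-like placeholders, not values from a real certificate.

```python
"""Check that a domain-based egress allow-list covers every CA revocation
endpoint a certificate points clients at.

Assumptions (not from the original thread): the revocation URLs below are
constructed sample values of the kind found in a certificate's Authority
Information Access (OCSP) and CRL Distribution Points extensions.
"""
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Wildcard patterns from the accepted solution in the thread.
VENDOR_ALLOW_LIST = [
    "*.verisign.com", "*.thawte.com", "*.geotrust.com",
    "*.rapidssl.com", "*.digitalcertvalidation.com", "*.ws.symantec.com",
]

# Constructed sample URLs, shaped like real AIA/CRL entries.
SAMPLE_REVOCATION_URLS = [
    "http://ocsp.example-ca.verisign.com",
    "http://crl.example-ca.verisign.com/pca3.crl",
    "http://ocsp.ws.symantec.com/ocsp",
    "http://crl.other-ca.example.net/ca.crl",
]


def required_endpoints(urls):
    """Return sorted (hostname, port) pairs a client must reach to fetch the
    CRL or query OCSP. Revocation URLs are normally plain HTTP, so the port
    is usually 80, not 443; an allow-list for 443 alone will not cover them."""
    endpoints = set()
    for url in urls:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        endpoints.add((parts.hostname.lower(), port))
    return sorted(endpoints)


def host_allowed(hostname, patterns):
    """True if hostname matches one of the wildcard allow-list patterns."""
    return any(fnmatch(hostname.lower(), p.lower()) for p in patterns)


def uncovered_endpoints(urls, patterns):
    """Return the (hostname, port) pairs the allow-list would still block."""
    return [(h, p) for h, p in required_endpoints(urls)
            if not host_allowed(h, patterns)]


if __name__ == "__main__":
    for host, port in uncovered_endpoints(SAMPLE_REVOCATION_URLS, VENDOR_ALLOW_LIST):
        print(f"allow-list does not cover {host}:{port}")
```

The same check can be pointed at the real AIA and CRL URLs of an installed certificate and at the firewall's own URL list to confirm the allow-list will survive the CA moving its IP addresses again.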
 
LVL 3

Author Closing Comment

by:cciedreamer
ID: 39726180
Solved on my own by contacting the vendor.
0
