Solved

Verisign Changing IP Address

Posted on 2013-12-08
Last Modified: 2013-12-18
Hello Experts,

We have purchased a VeriSign Certificate Class 3 for our webserver. It's installed and working.

I opened some IP addresses on our firewall allowing port 443, and clients inside our network are able to visit the website and revoke the certificate.

Now when the users access the web page it gives the error. After some troubleshooting I realized VeriSign had changed the IP address and clients can't get through the firewall, as the IP address is not in the list of IPs allowed to get through.

So my question is, how do I get clients to see VeriSign without opening the whole server to the internet, for obvious security reasons, so it can see the revoked list on verisign.com using only IP addresses?
1.jpg
Question by:cciedreamer
LVL 45

Expert Comment

by:Craig Beck
ID: 39704857
I don't think that's a VeriSign issue, or an issue trying to reach the VeriSign websites.

You're trying to connect to the webserver with a URL or IP address that doesn't match what's in the certificate.

For example, if your server is called server.mydomain.local, but you're redirecting users through a firewall to use www.myserver.com, you could have requested the certificate with the wrong hostname. Or you could be using multiple IP addresses on the web server and are redirecting through the firewall to the wrong one.
0
 
LVL 3

Author Comment

by:cciedreamer
ID: 39704882
Hi,

Thanks for your reply.
Firstly when I open full internet access on client, I can access website with no issues.

I am sure we have no issues with URL.

Samir
0
 
LVL 61

Expert Comment

by:btan
ID: 39705119
The webserver name should correspond to the common name of the server's FQDN, as the error is saying that. But if you have done that alright internally (probably not via your perimeter fw), then likely the fw or something down the chain for those users outside the internal zone is not accessing the right server, or DNS redirected them somewhere. Another there is certain blacklist hit at the appliance. From a port 80 or 443 perspective, the fw should not be blocking if you are hosting a web server in your DMZ for your users coming in from public or remote.
0
 
LVL 29

Expert Comment

by:Sudeep Sharma
ID: 39706168
I would agree with craigbeck; the screenshot also suggests the same. "The security certificate presented by this website was issued for a different website's address."

So it has something to do with the URL address.

You have also mentioned that if you open full internet access on the client it works, so did you try accessing it from different locations? Are you getting the same error from anywhere else?

Sudeep
0
 
LVL 3

Author Comment

by:cciedreamer
ID: 39706637
No, I get no error anywhere except where the client has restricted access.

I have no problem accessing from home, mobiles and other wifi hotspot.
0
LVL 61

Expert Comment

by:btan
ID: 39707379
Would the internal end resolve the common name if you do an nslookup from the internal client? Likewise, any issue doing the reverse lookup? Also, is there an alternate name for that certificate instead?
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39707486
I think you're going to be using a different hostname internally, such as the internal hostname of the server, and not the public DNS name.

Do you have split-DNS or a CNAME record for your server?
0
 
LVL 3

Author Comment

by:cciedreamer
ID: 39716490
Dear Experts,

I want to clarify a simple thing.

Why, with full internet access (no restrictions, no ACL), am I able to access the URL?

But when restricting internet access and allowing a specific URL through the firewall (Cisco Router 3725), I am getting a certificate error page.

Also I am doing the tests from the same machine.

Please any hints.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39716867
Really, it has to be a DNS issue, or a redirection issue.  There are no IP restrictions on SSL certificates.

Are you testing from the same place, but simply removing the ACL, or are you testing from a different network?

It's quite common for the web site to use a different real hostname than what users on the internet see it as. For example, your server could really be called web1.mydomain.internal but users on the internet would see it as www.mydomain.com. To achieve this it's just a matter of providing a DNS record to point to the server, and having an appropriate SSL certificate with the same DNS name. On the internal network though you wouldn't be trying to use the same URL as people on the internet, so you may see a certificate warning.
0
 
LVL 3

Accepted Solution

by:
cciedreamer earned 0 total points
ID: 39716924
Hi,

Thank you for the response. The issue is resolved.

I contacted Symantec and they advised me to open the following URLs instead of IP addresses:

*.verisign.com
*.thawte.com
*.geotrust.com
*.rapidssl.com
*.digitalcertvalidation.com
*.ws.symantec.com

Check below link for more info.

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AD596

Hope it will help others
0
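An added example, not part of the original thread: a small audit of which certificate revocation endpoints (CRL and OCSP URLs) fall under the wildcard list quoted in the accepted answer. The sample URLs are constructed for illustration, and the strict rule that `*.domain` does not cover the bare domain is an assumption; filtering products differ on this.

```python
from urllib.parse import urlsplit

# Wildcard entries quoted in the accepted answer above.
ALLOWLIST = [
    "*.verisign.com",
    "*.thawte.com",
    "*.geotrust.com",
    "*.rapidssl.com",
    "*.digitalcertvalidation.com",
    "*.ws.symantec.com",
]

def host_allowed(host, patterns=ALLOWLIST):
    """True if host falls under a '*.suffix' entry on a DNS label boundary."""
    host = host.lower().rstrip(".")
    for pattern in patterns:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            suffix = pattern[1:]  # e.g. ".verisign.com", leading dot kept
            # The leading dot enforces the label boundary; the length check
            # requires at least one label in front (assumed strict behaviour).
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == pattern:
            return True
    return False

def audit(urls, patterns=ALLOWLIST):
    """Map each URL to True/False: would the filter let this endpoint through?"""
    return {u: host_allowed(urlsplit(u).hostname or "", patterns) for u in urls}

# Constructed sample endpoints, standing in for the CRL Distribution Points and
# Authority Information Access URLs read from a certificate chain.
SAMPLE_URLS = [
    "http://crl.verisign.com/sample.crl",              # covered
    "http://ocsp.ws.symantec.com/",                    # covered
    "http://verisign.com/",                            # apex, not covered
    "http://notverisign.com/sample.crl",               # no label boundary
    "http://crl.verisign.com.example.net/sample.crl",  # suffix is elsewhere
]

if __name__ == "__main__":
    for url, ok in audit(SAMPLE_URLS).items():
        print("ALLOW" if ok else "BLOCK", url)
```

Any endpoint reported as blocked is one the restricted clients cannot reach for revocation checking; a plain substring or suffix match without the leading dot would wrongly pass the last two samples.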
 
LVL 3

Author Closing Comment

by:cciedreamer
ID: 39726180
Solved on my own by contacting the vendor.
0