SSL certificate problem when attempting to access company Public Website from internal company PC - same domain space

My company uses the same domain internally and externally. The internal Windows domain is and the company’s public website is

A WWW A record on the internal Windows DNS server points to the public IP of the hosting server to allow staff to access the public website.

Both internal and external users can access HTTPS:\\

However, when internal clients try to access https:\\\wp-conten\ a certificate error occurs – NET::ERR_CERT_AUTHORITY_INVALID (External users do not have this problem).

If I change an internal PC to use DNS (Google DNS) all works fine.

I think this is related to resolving to an internal private IP when accessed from an internal PC and resolving to the public IP of the hosting server when accessed from an external PC.

Attached are the certificates returned when accessed internally and externally.
ADJ WorldSysAdmin asked:
Your test of using Google IPs was on the right path, but you tested the wrong thing.
What you need to do is run nslookup for each of the hostnames using the internal name servers, recording where each one points.
Then look on the internal system to which these names resolve, and make sure the same certificates are installed.

The other option, while using the internal DNS, access and view the certificate that is presented.

Sounds as though you have one site being accessed from the inside (points to an internal ip) while the external access points to a public ip that lands on a different system or hits the public hosted site elsewhere.

This is common when the AD uses a public domain, i.e. versus mydomain.local or private.
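The check described in this answer (resolve the name through each DNS server, then inspect the certificate the resolved host actually serves), as an added script that is not part of the original answer. The hostname and the two DNS server addresses are assumptions passed on the command line; `dig` and `openssl` must be installed.

```bash
#!/usr/bin/env bash
# Added diagnostic for a split-DNS certificate mismatch.
# Usage: ./splitdns-cert-check.sh www.example.com 10.0.0.10 8.8.8.8
#   (hostname, internal DNS server, external DNS server are assumptions)
set -u

# resolve_via HOST DNS_SERVER : first A record HOST has according to DNS_SERVER
resolve_via() {
  dig +short @"$2" "$1" A | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1
}

# cert_summary HOST IP : issuer, subject, SANs and SHA-256 fingerprint of the
# certificate served at IP:443. -servername sends SNI for HOST so a reverse proxy
# returns the edge certificate; connecting to the IP directly takes the client's
# own DNS out of the picture.
cert_summary() {
  openssl s_client -connect "$2:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer -subject -ext subjectAltName -fingerprint -sha256
}

# fingerprint_of : extract the bare fingerprint from cert_summary output (stdin)
fingerprint_of() {
  sed -n 's/^.*Fingerprint=//p' | head -n 1
}

# verdict IP_INT IP_EXT FP_INT FP_EXT : classify what the two views show
verdict() {
  if [ "$1" = "$2" ]; then
    if [ "$3" = "$4" ]; then echo "same endpoint and certificate: client trust store or path issue"
    else echo "same endpoint, different certificate: TLS interception on the internal path"; fi
  elif [ "$3" = "$4" ]; then
    echo "different endpoints, same certificate"
  else
    echo "split DNS: internal and external names reach different servers with different certificates"
  fi
}

if [ "$#" -eq 3 ]; then
  host=$1
  ip_int=$(resolve_via "$host" "$2"); ip_ext=$(resolve_via "$host" "$3")
  sum_int=$(cert_summary "$host" "$ip_int"); sum_ext=$(cert_summary "$host" "$ip_ext")
  printf 'internal DNS -> %s\n%s\n\nexternal DNS -> %s\n%s\n\n' "$ip_int" "$sum_int" "$ip_ext" "$sum_ext"
  verdict "$ip_int" "$ip_ext" \
    "$(printf '%s\n' "$sum_int" | fingerprint_of)" "$(printf '%s\n' "$sum_ext" | fingerprint_of)"
fi
```

In the situation described in this thread the last verdict is the expected one: the internal view lands on the origin host's self-signed certificate while the external view gets the proxy's publicly trusted one.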
It seems that wherever you access the website internally, your website's public certificate is replaced by some firewall/proxy certificate, or even by the actual hostname of the server.

Can you check, when internal users access the website and get the errors, what URL you see in the web browser?
ADJ WorldSysAdmin (Author) commented:
Sorry, https doesn't work at all internally - Internally OK - SSL cert error

(both URL's work fine externally)

The URL internal users see is when the SSL error.  

Internally resolves to the Public IP of the Host while resolves to a company domain controller.

Ashok Dewan (Freelancer) commented:
The issue could be like that. A few months ago, I created a website and also certificates to provide security via SSL.
I created the website below.
example :-

When I accessed the above website with ->> everything was fine.
But when I accessed the above website with ->> I got an SSL error.

Then I captured traffic with Wireshark to learn why I do not receive an error in both cases when I open and
Solution:- in Facebook's public key, they added their subdomain names as "Subject Alternative Name", such as, etc.
If I open with any name or without WWW, then I don't receive an error.
Ashok Dewan (Freelancer) commented:
Sorry, but maybe in your case the ROOT CAUSE could be different.

To correct my error, I added * and in "Subject Alt Names" in the certificates.
How many IPs do you have on the web server internally?
Also, how many www records do you have in the internal DNS pointing to
In the website certificate bindings, ensure that you have only one binding for 80 and one binding for 443.
All the rest of the bindings should be removed, and only a single IP should be bound to the public cert for SSL traffic.
It sounds like the web server has multiple IPs and a self-signed server cert is bound to one of those IPs, and when the www URL resolves to that IP, it gets a cert error.
Will you also get an error when you enter "", as it will resolve to the DC?
ADJ WorldSysAdmin (Author) commented:
Thanks for the responses. The issue ended up being easy and I don't know how I didn't spot it to begin with.

The internal DNS was resolving directly to the public IP of the hosting server, while Internet DNS was resolving to a security proxy service called CloudFlare. CloudFlare provided the SSL encryption to the browser but actually connects to the hosting server, which uses a self-signed certificate; CloudFlare 'ignores' the CA warning.

Question has a verified solution.
