If the server has FQDN as its certificate common name (no alternative name used), is there a way to access it with short name without causing certificate verification error? Thanks.
no.
If the the the fqdn is www.example.com, the certificate is for www.example.com and no other names, but you access it as example.com, you will get a certificate error because the names do not match.
Related
Sorry if the question is too basic.
I want to set up SSL on my EC2 instance, let us say foo.us-west1.compute.amazonaws.com. And I want to create a record set of type A to point a subdomain at my EC2 instance, let us say sub.foo.com. When I am creating a SSL certificate, which one of the two domains do I have to use?
I'll be saving the certificate and key on the ec2-instance and be configuring NginX to use those keys.
The subject of the certificate must match the domain from the URL used to access the site. Neither IP address matter nor DNS domain alias (CNAME) - all what matters is the domain name used in the URL since this is used by the client to verify the certificate.
I'm trying to do this:
https://dummiesite.com --> http://dummiesite.com
and
http://dummiesite.com --> http://new.dummiesite.com
and
http://new.dummiesite.com --> https://new.dummiesite.com
So no matter what site the user goes, it will allways be redirected to https://new.dummiesite.com
The problem:
With I have a wildcard certificate for *.site.com. But it is only valid for all the subdomains of site.com, not for site.com itself. With lighttpd I cannot use more than one certificate per IP (I have only one), so when the user goes to https://dummiesite.com, it gets an error because the certificate is not valid.
That is why I'm trying to redirect https://dummiesite.com to http://dummiesite.com. How can I do it without a valid certificate and without showing the user errors?
Thanks for your help
You can't with the current certificate. HTTPS is HTTP inside an SSL tunnel, so before you can do the redirect at the HTTP level the SSL connection has to be established. But this fails because your certificate does not match the hostname. You need to get a certificate which includes both *.dummiesite.com and dummiesite.com (yes, this is possible).
If a website is being redirected, does the original domain name need to have an SSL certificate, or the redirected domain name or both?
Both, because the redirection is an HTTP-level thing which happens inside the SSL envelope. The client needs to establish an SSL connection to the original host name before it sees the redirect, then after following the redirect it must establish another SSL connection to the target host name.
If you're redirecting between the www and non-www forms of the same domain, it's often the case that one certificate will cover both (using the "subject alternative name" mechanism). For example, I have a site with a certificate from RapidSSL, and when you ask them for a certificate securing www.example.com they automatically issue it with a SAN for the plain example.com form included. I have a single Apache HTTPD with two name-based virtual host definitions on the same IP address pointing to the same certificate.
I am trying to consume a HTTPS based SOAP WebService via ColdFusion, but it is returning "Connection Failure".
On dumping the result variable, it showed:
Error Detail: "I/O Exception: Name in certificate 'subdomain1.domain.com' does not match host name 'subdomain2.domain.com'"
I can ignore such warning if I browse the HTTPS wsdl in browser, But the Question is; How can I bypass this warning using <CFHTTP>?
Thanks
Better solution is to have the host of the service. Get a proper SSL certificate for that subdomain or a wildcard certificate that will allow them to have as many subdomains as needed with a single certificate.
I have been looking for a solution to this as well (a well-known payment gateway provider has an SSL issue on their server I have to work around). One solution I came up with was to put an entry into the server's hosts file and set it to the IP address of the hostname the SSL certificate was using. Fortunately their web server just accepts connections based on IP rather than hostname, so I was able to fool my server into thinking that I was connecting to the "proper" hostname published in the SSL cert and override the IP for that hostname in the public DNS. A way to tell Java that the name mismatch is "okay" would be nice though.
I want to redirect all my browser request to abc.com when a request is sent to xyz.com
I was able to do this by adding an entry in the hosts file under windows.
However I see that i can go to http://abc.com when i type in http://xyz.com:8080
but I cannot seem to get the same redirection over https.
I found out that you cannot mention ports in the host file.
Need some help on this
HTTPS is specifically designed so that you can't do this - not only is one of the core points of SSL/TLS that the conversation be encrypted, it also ensures that you really are talking to who you think you are, that you haven't been redirected to a fake site via DNS.
That's not what the hosts file is for. It's about the hosts that you are referring to. abc.com and xyz.com are hosts.
All the hosts file does is associate a host name with an IP address. Nothing else is possible.
Get a clone of the part you need from the genuine site.. put it on local iis, add ssl binding using self signed certificate and add entry to hosts file.http://www.selfsignedcertificate.com. if you are in rush with no time to play with iis mgr use appcmd.
Youll get a not verified warning for untrusted issuer.. add it to trusted root cert authorities. http://www.robbagby.com/iis/self-signed-certificates-on-iis-7-the-easy-way-and-the-most-effective-way/
Never tried self signed cert tho.. let us now how your testinggoes.
A hosts file is DNS, which is used to resolve a domain name to an IP addresses, which has nothing to do with ports.
If you redirect from https://abc.com to https://xyz.com then they will need to be different servers with different certificates, as an SSL certificate is bound to the domain name.
Which means if you use your hosts file to lookup the ip address of abc.com when you try https://xyz.com then it wont work as the certificate will be for abc.com and wont match the hostheader https://xyz.com sent by your browser.
If you are using windows command for routing:
netsh interface portproxy add v4tov4 listenport=listen_port listenaddress=any_free_ip_address connectport=localhost_port connectaddress=127.0.0.1
The default port for http request is 80 so if one is using https use 443 as it is the default for https
With HTTPS, it'll be to do with the security certificate - likely you can't get around that, or at least ... I hope not.
Putting an entry in your hosts file only associates your human readable host name with an ip address, the rest happens in the application that makes http requests.
parts of uri on wikipedia:
https://upload.wikimedia.org/wikipedia/commons/thumb/d/d6/URI_syntax_diagram.svg/1068px-URI_syntax_diagram.svg.png
When ever an application makes a request for a resource, let's say your browser, turns what you type for address into a proper uri, which includes scheme.
If you don't type https, or leave the scheme out, you get http. You end up still getting https for some sites, because they use ssl redirection, maybe something like this: https://www.linkedin.com/pulse/how-use-nginx-reverse-proxy-https-wss-self-signed-ramos-da-silva/?articleId=6678584723419226112
Use nslookup xyz.com and get IP
then put this IP to hosts (/etc/hosts in Linux)
the https domain name must transform to IP from