Can someone answer a simple SSL Cert question for me to derisk my decision?
My Stack: Bitnami WordPress instance on GCP VM.
Situation
I have a website with an SSL cert linked to my domain name.
I started an instance with a new static IP address.
I remapped the domain name to the new servers and added the correct credentials [confirmed everything is configured correctly with the GCP team].
Ran -dig command and confirmed new instance is mapped to the domain name.
Problem
The domain name will not load in the browser. Get the "NET::ERR_CERT_INVALID" message.
My Diagnosis
I haven't transferred my SSL to my new IP address.
Confusion
Everywhere I read says the SSL is mapped to the domain name, not the IP address itself. So theoretically there should not be an issue.
Question(s) to you
Do I solve this simply by generating new SSL cert on the new instance? Will that just overwrite the old SSL cert and map my domain name to the new SSL cert?
If not - what's the solution?
I don't understand the technical relationship between IP address, domain names, and certs. I have read as much as I can and everyone seems to talk around it but not explain it in detail.
Thanks in advance!
Bitnami Engineer here,
If you created a new instance from scratch, you will need to migrate the SSL certificates from the first instance to the second one. You can either copy the SSL certificates from the machine or download them again from the CA website and substitute the files you have in the /opt/bitnami/apache2/conf folder.
In case you were using a Let's Encrypt certificate, you can generate new certificates by using the Bitnami HTTPS configuration tool (/opt/bitnami/bncert-tool) or by running the CLI tool to generate new certificates. If you use the Bitnami HTTPS configuration tool, you won't need to modify the Apache's configuration, the tool will do that for you. You can learn more about it here
https://docs.bitnami.com/google/how-to/understand-bncert/
Please remember to confirm that the domain name is configured properly by checking your domain using this online tool before trying to generate the certificates
https://www.whatsmydns.net/
New problem.
I used the bncert tool as per Jota's recommendation and it worked well.
I checked my domain name via 'whatsmydns' as well as my SSL via an SSL checking tool. All worked out as expected - my IP address is matching against my Domain name and SSL is matching against my domain name.
I type my domain name into the browser and it loads my site with the padlock, across all browsers.
So from the outside - it looks like everything is fine.
But I have two issues still.
Problem #1:
In my WordPress 'general>settings', I tried to update my 'WordPress address' and 'site address' but they are greyed out. So I updated my wp-config file with the new https addresses as per these instructions which have worked for me before without issues (https://www.wpbeginner.com/wp-tutorials/how-to-change-your-wordpress-site-urls-step-by-step/). It didn't break the site, but I could no longer log in. As soon as I deleted the new wp-config code, I could log in again. So if that won't work, I now have no course of action to update my 'WordPress' and 'site' addresses.
So my questions are - do you know why this won't work? Is it a bitnami quirk? And does it matter? If the domain is working, does it matter if I keep the wp-config file as an http address and not an https address?
Problem #2:
My domain name takes me to my site at the correct IP address. It loads with a secure padlock icon. I can log in. Everything works as it should.
If I use the IP address, however, instead of the domain name, it also loads the same site but as an insecure site with no padlock.
Question - Any idea how that is possible? I thought a domain name was just a human-friendly version of an IP address. And if the webserver is a single server, how can using a domain name versus an IP address generate different front end results?
Thanks again team, as a person who is new to this community, it really does give you faith in humanity.
Related
Just trying to set up SSL https for my site, using the Bitnami Tool bncert-tool. It shall automate the SSL setup by naming the domain. Unfortunately, I get the message
Warning: The domain 'mypage' does not resolve, please fix its DNS entries or remove it.
Press [Enter] to continue:
Thing is, I can get to the page via domain name and the IP. So no Problem on that side.
I have no clue! I have set up an elastic IP in EC2 and connected the domain in Route53 by adding the dataset. Has some faced the problem before and cases.
From the warning message, 'mypage' is not a domain. You actually have to enter the full domain path, such as
www.google.com
or
google.com
Good luck.
I have already rented an online server.
I'm installing IIS on it and hosting a website on it.
To access the site from the internet, I must type: {ipaddress}/siteAppName
My question is how to use a name instead of the IP address. Should I buy and register a new domain name? If that is the case, how could I configure this IP with a new domain name?
More Details:
I am renting a dedicated server, so I have full access to the server as I'm hosting my website on it, but I don't have a domain name. Either from the local machine or remotely, I can successfully access the hosted website using the IP address of my server/webAppName. But the problem is that I'm trying to get an SSL certificate, and the generated CSR is rejected by all SSL suppliers because the URL is not accepted, and I think that it's not accepted because of using an IP instead of a domain name. I mentioned many self-conclusions here, but I'm not sure about any of them... That's why I'm asking.
It depends on your hoster but most allow you to use a registered domain name. They should have instructions on how to set this up.
I have installed WordPress on a subdomain that currently resides on an unpropagated domain. (It can only be accessed via IP address.) Is it possible for me to access any subdomains that have been created, e.g. subdomain.mysite.com/wp-admin, via IP, or do I have to wait till the domain has been propagated?
This is my first question, I apologize if I have not explained myself thoroughly enough. Thanks in advance for any help.
You can use http://[IP]/~[username]/[domain.tld]/ to access your site by IP.
Where [IP] is the IP of your server and [username] is your username for the hosting site. [domain.tld] is the name of the folder on which you have mapped your subdomain.
You may be able to check it with an anonymous proxy?
I use http://anonymouse.org/anonwww.html to check sites as in Australia it normally takes a little longer to propagate over to here.
Please note: You will only be able to check its existence, you would not use this to make site modifications through the back end. That would best be done once the domain propagates.
Hope this helps ;)
I'm pretty new to the https world, so bear with me.
There are 2 web-servers involved:
Webserver1 has been in the organization a few years and is hosting/running multiple websites with https encryption (app1.ourcompany.com, app2.ourcompany.com, etc). It has a valid, signed certificate.
Webserver2 is a new server, for which I am responsible. I am tasked with setting up https and getting the certificate, etc. It has a web app running on it, but it does not have a domain name (only has an IP address)...which as I recently learned, is a requirement for a signed certificate.
What I'd like to know is this -- is it possible to set up a site on Webserver1 that points to the site I'm hosting on Webserver2 (ie SiteOnWebserver2.ourcompany.com) which also utilizes the Webserver1's signed/verified certificate?
Thanks for your time, SO gurus!
--Dan
A regular SSL certificate is valid for only a single domain name (such as app1.ourcompany.com). If this is the type of certificate currently being used then the existing SSL certificates will not work on your new server. If you did try this you would get an error in the browser saying that the site's domain name doesn't match the name in the SSL certificate.
The other option is to use a wildcard SSL certificate. These kinds of certificates are assigned to a certain parent domain (like ourcompany.com) and will work for all subdomains. This kind of certificate would work for app1.ourcompany.com, app2.ourcompany.com, as well as your SiteOnWebserver2.ourcompany.com.
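The name-matching rule behind the answers above, as an added example that is not part of any of the original posts: it shows why a single-name certificate fails on another host name, why a wildcard covers a sibling subdomain, and why a certificate issued for a domain name does not cover the bare IP address. The matching is a simplified version of what browsers do, it goes slightly beyond the thread by showing that `*` covers exactly one label, and the IP `203.0.113.10` is a constructed documentation address.

```python
import ipaddress

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def dns_name_matches(pattern, host):
    """Match one certificate DNS name against a host name (case-insensitive)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # '*' stands for exactly one label, never zero or several
    if p_labels[0] == "*":
        # Simplified rule: wildcard only as the whole left-most label,
        # and only above at least two fixed labels (no '*.com').
        return (len(p_labels) >= 3 and h_labels[0] != ""
                and p_labels[1:] == h_labels[1:])
    return p_labels == h_labels

def cert_covers(san_dns, san_ip, typed):
    """True if a certificate with these subjectAltName entries is valid for
    what was typed in the address bar (a host name or an IP literal)."""
    if _is_ip(typed):
        # An IP literal is compared only with IP entries in the certificate,
        # never with its DNS names, even if DNS maps a name to that IP.
        want = ipaddress.ip_address(typed)
        return any(ipaddress.ip_address(ip) == want for ip in san_ip)
    return any(dns_name_matches(p, typed) for p in san_dns)

# Constructed sample certificates (host names taken from the thread).
SINGLE = {"san_dns": ["app1.ourcompany.com"], "san_ip": []}
WILDCARD = {"san_dns": ["*.ourcompany.com"], "san_ip": []}

def report():
    typed_values = ["app1.ourcompany.com", "SiteOnWebserver2.ourcompany.com",
                    "ourcompany.com", "a.b.ourcompany.com", "203.0.113.10"]
    return [(t, cert_covers(typed=t, **SINGLE), cert_covers(typed=t, **WILDCARD))
            for t in typed_values]

if __name__ == "__main__":
    for typed, single_ok, wild_ok in report():
        print(f"{typed:34} single={single_ok!s:5} wildcard={wild_ok}")
```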
I'm setting up a (ASP.NET) website to be used internally at my company. In IIS, I've turned on Integrated Windows authentication and turned off anonymous access. Once I've done this, the website pops up the "enter your username/password" box whenever you visit the site, but won't log you in even if the username/password are correct. This happens even if you're logged in to your computer with a domain account as opposed to a local account.
However, if I enter the IP of the site in my hosts file, the site works perfectly (logs the user in without the additional challenge).
I guess I have two questions.
1) Why does the hosts entry have this effect?
2) How can I get the site to succeed without a) forcing everyone to edit their hosts file or b) the site challenging them and failing to log them in?
EDIT: I checked, and we do have our DNS server set up to point those URLs to the correct servers. That's why pinging the URL displays the right IP. However, it appears that in addition to having that DNS entry, we also have to have the hosts file entry for the site to work.
You probably are having an issue with Kerberos authentication.
Since you're using a url of Site.DomainName.com, I'm assuming DomainName.com is your AD's name also.
On the server that's running IIS, copy SetSPN.EXE from the resource kit tools and run the following:
setspn -A http/site.domainname.com IISServerName
Where SITE is your URL and IISServerName is the name of the server.
This sure sounds like a dns problem. Does the dns server know about the hostname you are using? Sounds like the dns server does not know the forward lookup (hostname to ip) for the host you are trying to connect to.
We recently set up an intranet site with windows authentication here. The network guys set up a group policy and pushed changes to IE and Firefox.
For IE, it added the site to "Intranet Sites" and for Firefox it modified the configuration file so that our intranet..com would be trusted.
So... we got it to work. Here's what happened.
While looking around at the DNS Manager on test.DOMAINNAME.com, my coworker noticed that a different site on the same server was set up as a "Host (A)" entry, whereas the site we were working on was set up as an "Alias (CNAME)" entry. Several other sites on that computer were also set up as Alias entries, and he mentioned that the one site with the Host entry was "rock-solid", and he'd had sporadic issues with at least one other site that was set up as an Alias.
We talked to the AD/DNS admin, and as a test, he switched our entries from Alias to Host, and once we cleared our local DNS caches, it worked perfectly (without requiring entries in our .hosts file).
So the question still sorta stands. This was a Win2k3 box serving as one of three internal DNS servers, and making this modification fixed our problem. If anyone can add any additional information, we'd be very grateful, but in the meantime, we're debating going back and fixing all our other sites.