AIDENTERZIU-1240 asked, MotoX80 edited (0 votes)

HTTPS and locally hosted webservers

I self-host local websites that are externally viewable. This is an issue I have had from day one, and I normally disregard it. I have a local Active Directory that has a zone for the domain that I use externally. These records only get hit internally. Let's say I set up a webserver and add it to my zone so that it lines up with the domain you would use externally as well as internally (e.g. IIS01.mydomain.xyz = 10.0.0.50 internally, IIS01.mydomain.xyz = 1.1.1.1 externally). When I am not connected to my network I can access those sites with full HTTPS capabilities, but when I do it internally I get hit with ERR_CERT_AUTHORITY_INVALID unless I import the root cert file that Cloudflare provides. Is it possible to completely mitigate that and have HTTPS work as intended? I think it has something to do with the DNS zone I have; I am just not sure how else to route my sites internally without it.

Tags: windows-active-directory, windows-server-2016

LimitlessTechnology-2700 answered (0 votes)

Hello

The logical explanation is that, since these computers are in the same domain environment, they will try to obtain a local certificate validation from a domain CA instead of online (this is due to preferred route mapping).

The simplest option will be to deploy the certificate through GPO to all present and future computers in the domain:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-using-group-policy

Hope this helps in your case.
Best regards,

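What that GPO push does on each domain member, done by hand on a single machine so the before/after can be checked, as an added example that is not code from the answer above. It assumes the root certificate Cloudflare provides was saved as C:\certs\cloudflare-root.cer (hypothetical path), that IIS01.mydomain.xyz is the name from the question, and that it runs from an elevated PowerShell on a domain-joined Windows client.

```powershell
# Added example, not from the original thread. Run from an elevated PowerShell
# on a domain-joined client. Assumptions: the root certificate that Cloudflare
# provides was saved as C:\certs\cloudflare-root.cer (hypothetical path; a
# Base64 .pem renamed to .cer imports fine); IIS01.mydomain.xyz is the name
# used in the question.
$rootPath = 'C:\certs\cloudflare-root.cer'   # assumption
$site     = 'IIS01.mydomain.xyz'

# 1. Confirm which address the name resolves to from this network. With the
#    internal AD zone answering, this should be 10.0.0.50, not the public address.
Resolve-DnsName -Name $site -Type A | Select-Object Name, IPAddress

# 2. Fetch the certificate the server actually presents. The validation
#    callback returns $true so the handshake completes even though the chain
#    is not trusted yet; the chain is evaluated separately in step 3.
#    AuthenticateAsClient sends $site as SNI, so an SNI-based IIS binding
#    hands back the same certificate a browser would see.
$tcp  = New-Object System.Net.Sockets.TcpClient($site, 443)
$cb   = { param($sender, $cert, $chain, $errors) $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
$ssl  = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
$ssl.AuthenticateAsClient($site)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Close(); $tcp.Close()

"Served certificate: $($leaf.Subject)"
"Issued by         : $($leaf.Issuer)"
"Valid             : $($leaf.NotBefore) to $($leaf.NotAfter)"

# Builds a chain for the leaf against this machine's trust stores, exactly
# what the browser does before showing the padlock or the error page.
function Test-Chain([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # only the trust question here; revocation is separate
    if ($chain.Build($Cert)) { 'chain builds against this machine''s trusted roots' }
    else { 'chain fails: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ') }
}

# 3. Before the import this reports UntrustedRoot (or PartialChain if the
#    server sends no intermediate), which the browser surfaces as
#    ERR_CERT_AUTHORITY_INVALID.
"Before import: " + (Test-Chain $leaf)

# 4. Import the root into the machine-wide Trusted Root store. This is the
#    store that the GPO "Trusted Root Certification Authorities" setting
#    populates on every domain member.
$root = Import-Certificate -FilePath $rootPath -CertStoreLocation Cert:\LocalMachine\Root
"Imported: $($root.Subject)  thumbprint $($root.Thumbprint)"

# 5. Same leaf, re-evaluated; should now build.
"After import : " + (Test-Chain $leaf)
```

Chrome and Edge on Windows honour roots placed in LocalMachine\Root, so the result of step 5 is what the browser will do after the GPO has applied. The caveat is what the import means: that root is not a publicly trusted CA, and once it is pushed by GPO every certificate it ever issues is trusted on every domain member, not just the one for IIS01.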

MotoX80 answered, MotoX80 edited (0 votes)

unless I import the root cert file that cloudflare provides.

Are you using Cloudflare for content distribution? I helped implement Akamai to globally host our web sites some years ago, so please bear with me, some details are fuzzy.

In our case, the OurCompany.com DNS name was "owned" by Akamai and the IP resolved to some Akamai server depending on where on the planet the user was. Akamai then used a different name and certificate (I think) to access our web servers to pull static content, and route dynamic (ASPX) requests.

On the IIS01 machine check the IIS bindings and see what SSL certificate is assigned to the site. In order for your internal HTTPS to work, the site on 10.0.0.50 would need to use the IIS01.mydomain.xyz certificate.
It sounds like your site has a private Cloudflare cert assigned to it. I'm not a DNS expert, but to get that site to work internally you would need to route the IIS01.mydomain.xyz name out to the Cloudflare IP address.

I think you could use 2 different HTTPS bindings to the site. You would need a second IP address. Have one IP set to use the Cloudflare cert and another IP with the internal cert. You should ask Cloudflare for help on setting that up.

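The binding check this answer asks for, followed by the two-binding layout it proposes, as an added example that is not code from the answer. It assumes it runs on IIS01 in an elevated PowerShell, that the site is called 'Default Web Site', that a certificate for IIS01.mydomain.xyz from the domain CA or a public CA is already installed in LocalMachine\My with its private key, and that 10.0.0.51 (hypothetical) is a second address on the server; the final DNS step runs on a domain controller.

```powershell
# Added example, not code from the answer. Run on IIS01 in an elevated
# PowerShell. Assumptions: the site is 'Default Web Site'; a certificate whose
# SANs include IIS01.mydomain.xyz (issued by the domain CA or a public CA) is
# already in Cert:\LocalMachine\My with its private key; 10.0.0.51 is an
# additional address on the server (hypothetical).
Import-Module WebAdministration

$siteName   = 'Default Web Site'   # assumption
$hostName   = 'IIS01.mydomain.xyz'
$internalIP = '10.0.0.51'          # assumption: second address for the internal binding

# 1. Which certificate does each HTTPS binding serve today? IIS keeps site
#    certificates in LocalMachine\My and records only the thumbprint on the binding.
function Get-SiteTlsBindings([string]$Name) {
    Get-WebBinding -Name $Name -Protocol https | ForEach-Object {
        $b    = $_
        $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $b.certificateHash
        [pscustomobject]@{
            Binding    = $b.bindingInformation         # ip:port:hostheader
            SNI        = [bool]($b.sslFlags -band 1)   # bit 0: binding requires SNI
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer                  # a Cloudflare origin CA here is the tell
            Expires    = $cert.NotAfter
            Thumbprint = $b.certificateHash
        }
    }
}
"Bindings before:"
Get-SiteTlsBindings $siteName | Format-List

# 2. Pick the internally trusted certificate for the host name (newest one with a key).
$internal = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode -contains $hostName) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $internal) { throw "No certificate with a private key for $hostName in LocalMachine\My" }

# 3. Second HTTPS binding, pinned to the second IP. http.sys prefers an
#    IP-specific binding over a *:443 one, so the existing Cloudflare-facing
#    binding keeps serving the address the port-forward points at (10.0.0.50).
if (-not (Get-WebBinding -Name $siteName -Protocol https -IPAddress $internalIP -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -IPAddress $internalIP -Port 443
}
$binding = Get-WebBinding -Name $siteName -Protocol https -IPAddress $internalIP -Port 443
if ($binding.certificateHash -and $binding.certificateHash -ne $internal.Thumbprint) {
    $binding.RemoveSslCertificate()   # AddSslCertificate fails if a different cert is already bound
}
if ($binding.certificateHash -ne $internal.Thumbprint) {
    $binding.AddSslCertificate($internal.Thumbprint, 'My')
}

"Bindings after:"
Get-SiteTlsBindings $siteName | Format-List

# 4. On a domain controller: point the internal zone at the new address so
#    domain clients land on the binding that carries the internally trusted cert.
#    Add-DnsServerResourceRecordA -ZoneName 'mydomain.xyz' -Name 'IIS01' -IPv4Address $internalIP
```

If step 1 shows an issuer that is a Cloudflare origin CA, that explains the symptom: those certificates are trusted by Cloudflare's edge and by nothing else, so a LAN browser that reaches 10.0.0.50 directly rejects them. The second binding is one way out; the other is to put a publicly trusted certificate for IIS01.mydomain.xyz on the origin itself, which Cloudflare's Full (strict) mode accepts, so a single binding then works from both sides and no root needs to be pushed by GPO.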