
I am configuring a server that has both a public and private IP. It doesn't have any associated domain names.

Using a self-signed certificate to access the URL below works properly:

    https://<PUBLIC IP>:8443

However, when I try to access that server using its private IP:

    wget https://<PRIVATE IP>:8443

I get the following error:

    ERROR: cannot verify 's certificate, issued by '/C=?/ST=?/L=?/O=?/OU=?/CN=Unknown': Self-signed certificate encountered. ERROR: certificate common name 'Unknown' doesn't match requested host name ''. To connect to insecurely, use `--no-check-certificate'.

Is there a way to specify in the configuration that both public and private IPs should be accepted?

I also tried including multiple connectors in server.xml containing the address attribute but it doesn't work.

jackeblagare
  • How are you accessing the public URL? `wget`, or a browser, or what? – MadHatter Nov 03 '15 at 09:02
  • I've tried it using wget, a browser, and from a PHP script. They all work. The private IP is another matter though. – jackeblagare Nov 03 '15 at 09:09
  • Understood. Of the methods that work with the public address, which fail with the private (apart from `wget`, which you've already been clear about)? – MadHatter Nov 03 '15 at 09:10
  • It cannot be accessed from within a PHP script. Accessing the private IP using a browser is not applicable in this case. – jackeblagare Nov 03 '15 at 23:58
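To make the wget error concrete, here is an added illustration (not code from the question or the answers) of the host-name check a TLS client performs after the handshake, written as a pure-stdlib reimplementation rather than the OpenSSL routine wget actually calls. The two certificate dictionaries are constructed stand-ins in the shape `ssl.getpeercert()` returns, and the 203.0.113.10 / 10.0.0.10 addresses are documentation-range placeholders for the public and private IPs:

```python
import ipaddress

# Constructed stand-ins for ssl.getpeercert() output: the cert as issued in
# the question (CN=Unknown, no SAN) and a replacement that carries both
# server addresses as iPAddress SAN entries.
CERT_AS_ISSUED = {
    "subject": ((("commonName", "Unknown"),),),
    "subjectAltName": (),
}
CERT_WITH_IP_SANS = {
    "subject": ((("commonName", "Unknown"),),),
    "subjectAltName": (("IP Address", "203.0.113.10"), ("IP Address", "10.0.0.10")),
}

def _dns_match(pattern, host):
    """RFC 6125-style DNS-ID match; a wildcard is honoured only in the leftmost label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h

def host_matches_cert(cert, requested_host):
    """Return (ok, reason) for the requested host against the cert's identifiers."""
    try:
        ip = ipaddress.ip_address(requested_host)
    except ValueError:
        ip = None
    sans = cert.get("subjectAltName", ())
    if ip is not None:
        # An IP literal in the URL is compared only against iPAddress SANs;
        # the commonName is never consulted for IP addresses.
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, f"matched iPAddress SAN {value}"
        return False, "no iPAddress SAN covers the requested IP"
    dns_names = [v for k, v in sans if k == "DNS"]
    if not dns_names:
        # Legacy fallback: the CN is used only when the cert has no DNS SANs.
        dns_names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    for name in dns_names:
        if _dns_match(name, requested_host):
            return True, f"matched {name}"
    return False, f"no certificate name matches {requested_host!r}"
```

The point for the configuration question is that neither IP can ever match CN=Unknown; the keystore certificate behind the 8443 connector has to list both addresses as iPAddress SANs (keytool's `-ext SAN=ip:...,ip:...` when generating it) so that clients can keep verification enabled.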

2 Answers


I think you've got two fundamental problems here. Firstly, while Windows (as far as I know) implements a central certificate storage-and-validation mechanism, which applications generally call to (e.g.) validate an SSL certificate, UNIX apps all roll their own. So just because one browser works, it doesn't mean another browser, or wget, will - and what a PHP script will do is a complete mystery, and entirely dependent on the library in question.

Secondly, you've decided to go with an SSL certificate that embeds an IP address instead of a hostname, and we've had problems doing that before, around these parts.

My own feeling is it's not a good use of qualified time to continue trying to make this strategy work. Instead, register a domain name - they cost next to nothing, and are usually easier to type than IP addresses - and set up split-horizon DNS so that internal clients get the internal address, and external clients get the external one. That removes both of your problems in one swoop.

MadHatter
  • I agree. I was able to resolve it but it's just a band-aid solution. The solution was to force PHP to be a little forgiving with verifying the SSL certificate. It's not the best solution but it should do for now. – jackeblagare Nov 06 '15 at 02:38
  • Well, feel free to accept this answer if it's the one you'd like to go with! You do that by clicking the "tick" outline next to it, and that drives SF's reputation system for both of us; my apologies if you already know the etiquette. – MadHatter Nov 06 '15 at 08:16

It seems that you are trying to access the server both from the Internet (using NAT) and from an internal LAN (directly), and this is the reason why you use two IP addresses. If it is the case, look at a similar situation and how to make your server available by the public IP both from the Internet and the LAN:

Cisco static NAT not working on LAN side

and thus avoid certificate mess. (Look for the solution with secondary IP.)

Sergio