
Maybe it's a dumb question but I don't know how to solve this: we've got a web server with an SSL certificate for its domain. I can view this site correctly from anywhere except when we are at the office, inside the intranet. When I connect a PC to their WiFi or wired network I get an invalid certificate error, but when I'm connected from the outside world I see it perfectly. What do I need to configure/add to the network to make it use the Internet and not the intranet to get to the domain? I would appreciate your suggestions. Thank you in advance.

Edit: I'm running an ownCloud instance on a web server, and it has a Let's Encrypt SSL certificate. When I point a browser from outside the intranet I see the https working perfectly. When I do it from a device inside the network, even though I use the domain name (just the same address I use from outside), I get a self-signed certificate notice. It doesn't matter what OS I use, but anyway I tested it using my Linux laptop and another running Windows.

Damon Hill
  • It may help to clarify what type of error you are getting when accessing from within their network. Do their machines trust the Certificate Authority? If the issuer is not in the Trusted Root CAs then that could be a reason (I'm assuming the clients being used are Windows machines.) Is the internal site on the same web server or do they have a different internal web server that doesn't have the certificate installed etc. Do they use the server name and not the FQDN when trying to browse internally etc. – Enigman Dec 07 '16 at 06:48
  • Possible duplicate of http://serverfault.com/q/55611/214507 but I can't be sure based on the information you have provided. – kasperd Dec 11 '16 at 18:54

2 Answers


Your internal DNS will need to be able to resolve the URL as per the certificate. If your internal DNS is different or resolving to a host name internally, the certificate will come up as invalid.

If you can control your internal DNS for external resolution, set the IP address for the URL internally as the external IP address.

Hope this makes sense.

Tim Haintz
  • Excuse my clumsiness but I don't understand your explanation. What do I need to do? – Damon Hill Dec 09 '16 at 00:50
  • Your certificate will have a name associated with it. From internal, you need to make your internal resolution match your certificate name. If you have the same DNS namespace internal and external, you should just be able to add a CNAME to the existing host of the webpage. If you have a different DNS namespace, for example company.com (external) and company.local (internal), you need to get your internal users to see certificatename.company.com. Otherwise, they will be seeing certificatename.company.local. I have used certificatename as opposed to the URL of the actual name. – Tim Haintz Dec 10 '16 at 07:01
  • E.g.: I've got the SSL certificate for this domain mycloud.ml that's pointing to 190.64.64.64. Internally I also use mycloud.ml and you tell me that it resolves to 192.168.0.206 (the internal IP). How can I force it to use the external IP? The hostname is owncloud.mycompany.com.uy and has nothing to do with the mycloud.ml domain. What CNAME should I have to add? I'm really confused! – Damon Hill Dec 11 '16 at 12:18
  • Hi Damon, does your certificate have Subject Alternative Names? If the certificate is for mycloud.ml and your internal domain is mycloud.ml, you should just need the correct Common Name in DNS and it will resolve. When you browse to the site internally and view the certificate, what certificate are you getting and what error(s) are you getting? When you browse from externally, what certificate are you getting? Is owncloud.mycompany.com.uy what you browse to externally? Can you also browse to this internally? Thanks, Tim. – Tim Haintz Dec 11 '16 at 18:35
  • Hey Tim, no, the certificate has just one domain name, mycloud.ml. The internal network has another domain that has nothing to do with this. When I browse to the site internally I see a self-signed certificate with the corresponding browser security warning. When I browse externally I get the correct Let's Encrypt certificate. In both cases I browse to mycloud.ml. It's like when I browse internally the requests are forwarded to the local IP, not the external one. It has to be some setting on the router, I guess... Thanks for your help! – Damon Hill Dec 13 '16 at 07:13
  • Hi Damon, see if within your internal DNS you can change the IP address of mycloud.ml to the external IP address. You might need to do some routing depending on if you can get out and come back in again. It sounds like the website is being hosted on two different IP addresses? I assume the external one is NATed to an internal IP address and that is the one the certificate is on. It sounds like internally, you may also have another IP address or the resolution isn't the same name as the certificate. Good luck, hope I have been of some help. Thanks, Tim. – Tim Haintz Dec 13 '16 at 10:48
  • Looks like the problem is the firewall. We're using a Sophos XG 125 firewall and I read on the Sophos forums that I had to manually add the certificate to the firewall. That's not possible because I'd have to do it every 90 days (Let's Encrypt). So I'll try to give this server another public IP that is not managed by this firewall. – Damon Hill Dec 19 '16 at 21:50


If your external and internal URLs are the same, then a firewall or proxy might be creating this "invalid certificate error".

Try to install your SSL certificate in the firewall or proxy if it's required.

Jake Adley
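Both answers boil down to the same diagnostic question: when a client inside the office resolves the certificate's name, which address does it get, and which certificate does the TLS endpoint at that address actually present? The script below is an added example written for this page, not code from either answerer or from ownCloud; it uses only the Python standard library. It connects to a chosen address while sending the certificate's hostname as SNI (exactly what a browser does after DNS resolution), keeps full verification on so that the failure reason is the same one the browser would report, and then classifies an inside/outside difference as either a split-horizon DNS problem (Tim Haintz's answer) or a device on the internal path terminating TLS with its own certificate (Jake Adley's answer, and the Sophos comment). The hostname and addresses come from the question; the sample probe results at the bottom are constructed so the classification can be exercised without a network, and the wording of the verdicts is my own assumption about the most likely causes.

```python
"""Compare the certificate seen from inside and outside a network for one hostname."""
import socket
import ssl

# Values from the question, used here only as placeholders for a real run.
HOST = "mycloud.ml"            # name on the Let's Encrypt certificate
EXTERNAL_IP = "190.64.64.64"   # public address the name should resolve to
INTERNAL_IP = "192.168.0.206"  # LAN address the office resolver hands out


def resolve(host, port=443):
    """Addresses the local resolver returns; run inside the office to see the split-horizon view."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def names_from_cert(cert):
    """DNS names a certificate (getpeercert() dict form) covers: SANs first, then the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value not in names:
                names.append(value)
    return names


def issuer_of(cert):
    """Short human-readable issuer string, e.g. the CA's organization and CN."""
    parts = [value for rdn in cert.get("issuer", ())
             for key, value in rdn if key in ("organizationName", "commonName")]
    return ", ".join(parts)


def probe(host, ip, port=443, timeout=5.0):
    """TCP-connect to `ip` but present SNI `host`, with normal certificate verification.
    Returns a small dict: ok=True with issuer/names, or ok=False with the verifier's reason."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ip": ip, "ok": True,
                        "issuer": issuer_of(cert), "names": names_from_cert(cert)}
    except ssl.SSLCertVerificationError as err:
        reason = getattr(err, "verify_message", None) or str(err)
        return {"ip": ip, "ok": False, "reason": reason}
    except OSError as err:
        return {"ip": ip, "ok": False, "reason": f"connection failed: {err}"}


def classify(host, internal, external):
    """Map an inside/outside difference onto the two remedies discussed in the answers."""
    if external["ok"] and internal["ok"]:
        return f"both paths present a valid certificate for {host}"
    if not external["ok"]:
        return f"external path is broken too ({external['reason']}); fix the server first"
    reason = internal["reason"].lower()
    if "self-signed" in reason or "self signed" in reason:
        # Something on the internal path answers the handshake with its own certificate:
        # a TLS-inspecting firewall/proxy, or a different internal host behind the NAT.
        return (f"internal path terminates TLS with a self-signed certificate for {host}: "
                f"a firewall/proxy or another internal host answers instead of the real server; "
                f"either point internal DNS at {external['ip']} (hairpin/split-horizon fix) "
                f"or install the real certificate on that device")
    if "hostname mismatch" in reason or "doesn't match" in reason:
        return (f"internal path reaches a server whose certificate does not cover {host}: "
                f"internal DNS resolves the name to the wrong host; add an internal record for {host}")
    return f"internal path failed verification: {internal['reason']}"


# Constructed probe results mirroring what the question describes (no network needed).
SAMPLE_EXTERNAL = {"ip": EXTERNAL_IP, "ok": True,
                   "issuer": "Let's Encrypt, example-intermediate", "names": [HOST]}
SAMPLE_INTERNAL = {"ip": INTERNAL_IP, "ok": False, "reason": "self-signed certificate"}


def walkthrough():
    """Classify the constructed sample; returns the verdict string."""
    return classify(HOST, SAMPLE_INTERNAL, SAMPLE_EXTERNAL)


if __name__ == "__main__":
    # Live run: compare what the local resolver says against the known public address.
    print("local resolver says:", resolve(HOST))
    for ip in [EXTERNAL_IP] + [a for a in resolve(HOST) if a != EXTERNAL_IP]:
        print(ip, probe(HOST, ip))
    print("sample verdict:", walkthrough())
```

Run it once from the office network and once from outside; if the office resolver returns the LAN address or the probe against the LAN address reports a self-signed certificate while the public address verifies cleanly, the fix belongs in internal DNS or on the firewall, not on the ownCloud server itself.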