The DNS situation is this:
- example.com. origin A record to 10.9.8.7
- www.example.com. is a CNAME to fred.example.com
- fred.example.com A record 10.9.8.7
- mail.example.com A 10.9.8.7
The certificate has:
- subject: example.com
- subject alternative names:
  - DNS Name=mail.example.com
  - DNS Name=example.com
  - DNS Name=www.example.com
The client must have some sort of extra site-wide policy which I can't inspect or even ask about, where they make their people's web browsers reject sites they consider insecure. In our case, the people end up being able to access https://www.example.com just fine, but not https://example.com, even though that's the subject of the certificate!
I cannot reproduce this problem anywhere, because there is no real issue. So I am asking here if you know the latest hyper-vigilant site security gizmos which big corporations are deploying that then come to these incorrect suspicions?
The only thing I can think of changing on my side to accommodate this problem is to straighten out my DNS, simplifying it. Perhaps I should have said:
- example.com. origin A record to 192.0.2.1
- www.example.com. is a CNAME to example.com
or perhaps I should use no CNAME at all and just make separate A records to the same IP address for all those synonyms?
Would that have prevented the paranoid site security thing from blacklisting one of those addresses, perhaps?
PS: I have run a full SSLlabs.com test, and we get an "A" rating. The only minor warnings are:
- DNS CAA No
- IE 11 / Win Phone 8.1 R Server sent fatal alert: handshake_failure
- Safari 6 / iOS 6.0.1 Server sent fatal alert: handshake_failure
- Safari 7 / iOS 7.1 R Server sent fatal alert: handshake_failure
- Safari 7 / OS X 10.9 R Server sent fatal alert: handshake_failure
- Safari 8 / iOS 8.4 R Server sent fatal alert: handshake_failure
- Safari 8 / OS X 10.10 R Server sent fatal alert: handshake_failure
The few exceptional browser handshake issues are certainly not the issue; now, DNS CAA might be interesting, but it would affect both example.com and www.example.com.
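An added example, not code from the question: a hostname matcher in the shape browsers apply (DNS SANs first, the subject CN only as a legacy fallback when no DNS SAN exists; the name compared is the host in the URL, never a CNAME target), run against a constructed copy of the certificate described above, plus a helper that fetches the certificate a server actually presents for a given SNI name so the two can be compared. `SAMPLE_CERT`, `matches_hostname` and `served_cert` are names chosen here.

```python
import socket
import ssl

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# it mirrors the certificate described in the question.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (
        ("DNS", "mail.example.com"),
        ("DNS", "example.com"),
        ("DNS", "www.example.com"),
    ),
}

def _label_matches(pattern, hostname):
    """RFC 6125-style DNS-ID match: exact, or one leftmost '*' label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    # The wildcard may replace exactly one whole label and never the registered domain.
    p_rest, h_labels = pattern[2:], hostname.split(".")
    return len(h_labels) >= 3 and ".".join(h_labels[1:]) == p_rest

def matches_hostname(cert, hostname):
    """Return (ok, reason). With any DNS SAN present the CN is not consulted,
    which is how current browsers behave."""
    dns_sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_sans:
        for san in dns_sans:
            if _label_matches(san, hostname):
                return True, f"matched SAN {san}"
        return False, "no DNS SAN matches; CN not consulted"
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _label_matches(value, hostname):
                return True, "matched legacy CN (certificate has no DNS SAN)"
    return False, "no DNS SAN and CN does not match"

def served_cert(hostname, port=443):
    """Fetch the certificate actually presented for this SNI name (needs network).
    Chain validation stays on; only the hostname check is disabled so a
    mismatching certificate can still be inspected (CERT_NONE would return {})."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()
```

Running `matches_hostname(served_cert("example.com"), "example.com")` against each name tells you whether the certificate presented for that SNI name is the one you expect, which is the first thing to rule out before suspecting a client-side policy.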