0

I have one of those notorious public websites for my company running on a third-party host that has the same domain name as our internal Active Directory domain network. So that our internal users can browse to that site, we have long had an internal A record for "www" that points to the external website's static IP address. That used to work. But now, if an internal user types "www.my-company.com", the browser throws an error "NET:ERR_CERT_COMMON_NAME_INVALID", crosses out the "https: in the URL, and prevents access to the site. The "advanced" error message says "This server couldn't prove that it's my-company.com; its security certificate is from .my-company.com. This may be caused by a misconfiguration or an attacker intercepting your connection."

I'm baffled. If I do an nslookup to internal DNS on "www.my-company.com", it correctly returns the website's public IP address. If the HTTPS wants a certificate, why is it not getting the certificate from the public site, rather than our internal domain server? Clearly, I don't understand something fundamental!

HighConcept
  • 1
  • Please edit your question to add detail on how exactly the certificates are different in your split-horizon DNS setup. Including the names entered into browser (www and not), IP it resolves to, the chain of CAs that signed it, and the cert's fingerprint. – John Mahowald Apr 11 '23 at 23:10

1 Answers1

0

Issue a certificate for DNS names example.com, www.example.com, and any other name for this web site. Use this certificate for https on all relevant web servers, both external and internal.

Some users will not remember www. in front. Unfortunately, to accommodate them it will be difficult to avoid web servers on AD DS directory controllers, if only to do a redirect. This is one of those internal web servers you might have, a hack to make things coexist even if the real hosting is external and not in your directory.

Add to your AD DS notes that the next time you build a domain, don't use the same domain name for internal and external. ad.example.com is a fine name, can exist with person@example.com email, and won't interfere with public web site example.com AKA www.example.com.

John Mahowald
  • 32,050
  • 2
  • 19
  • 34
  • You lost me at "Issue a certificate". www.example.com is hosted by a third party. The web server on our sole AD DS directory is configured but unused. I suppose giving it something to do -- "if only to do a redirect" -- is the simple hack for this low-traffic situation. – HighConcept Apr 15 '23 at 00:13
  • Edit your question to show the subject alternative names on the certificates as I asked. Every name the web site goes by should be on it, www. and without, probably. Repeat this for all relevant web servers, third party hosted included. If you don't manage TLS certs, tell them to fix it. – John Mahowald Apr 15 '23 at 15:16