I will list the scenario point by point.

  1. We have one app running in current production, say on URL1.
  2. Now we are setting up our app on new infra on a new URL, say URL2.
  3. We have over 50k+ customers using our old URL and we don't want to ask our customers to change the URL.
  4. Apart from app access from the browser, customers are hitting our app via REST API over an HTTPS connection with certificates of the old URL, i.e. URL1.
  5. We have changed the target (DNS change, CNAME) of our old URL, and now when someone hits the old URL they are connected to the new migrated app.
  6. The SAN of the URL2 certificate contains both the URL1 and URL2 names.

Problem :

The customers who are using REST API calls are now failing due to certificate problems. They have certs of the old URL, which are not working any more, and we can not ask 50k+ plus customers to install new certs. Installation of new certificates may require a customer application restart, which is not a feasible scenario.

How can we resolve this issue? Or is there any other way we can resolve this problem?

Deepak
  • *we can not ask 50k+ plus customers to install new certs* What cert are those customers using? Did you give them all something like a self-signed certificate that has your old hostname as a Subject Alternate Name? But your new server uses a different server certificate? If so, "we can not ask 50k+ plus customers to install new certs" is exactly what you have to do because they're using your old cert as a trusted certificate - and that won't work with your new one. Whoever made the decision to distribute a self-signed cert has now learned why that's a bad idea. Oops. Get a real cert this time. – Andrew Henle Jul 15 '21 at 16:34
  • @AndrewHenle Thanks for your comment, Andrew. No, we are not using a self-signed cert. Yes, you are correct, currently customers are using certs of the old Load Balancer (URL1). Can we update the same old cert to our new LB (URL2)? In this case, should it work? – Deepak Jul 15 '21 at 16:51
  • No, you can't update a certificate. You can't change anything with a certificate, and if you could you'd have to ask those customers to change to the new one. If your old certificate isn't a self-signed certificate, what certificate authority signed it? That authority is what I assume your customers' REST clients currently trust. If you've told your customers in the past "Use this truststore for your REST client", you now have no choice but to have those customers use a new truststore in order to access your new URL. That old certificate and truststore are likely only good for the old URL. – Andrew Henle Jul 15 '21 at 16:55

0 Answers