SOLVED

Getting certificate error warning when accessing server using its internal IP over VPN

Kirin990
New Contributor
I've given my web server an SSL certificate from my own CA. The certificate has (Server and client authentication in addition to IP security IKE because I use the same certificate for my SSTP VPN Server). The certificate's subject name (Type=CN Common name) is the external domain name that points to my server's public IP address. In the certificate's alternative name, I set it to DNS type and added the server's local domain name (server-2.test.local).

So when I type in the external domain name into a browser of a non-local computer, my test website from that server loads fine over HTTPS, no certificate error whatsoever.

But when I first connect to my local network using SSTP VPN (VPN host name is the same as the external domain name that points to my server's public IP address), and then once I'm connected, I try to use the local domain name of my server in the browser, I get this certificate error.

NET::ERR_CERT_COMMON_NAME_INVALID

This server couldn't prove that it's [server's local domain name]; its security certificate is from [server's external domain name]. This may be caused by a misconfiguration or an attacker intercepting your connection.

What am I missing or doing wrong?

I don't know if it's related, but on the IIS server, I have set a rule to redirect HTTP to HTTPS.

My question is not a duplicate of the other one linked here. That question is not about 2 DNS names (one local and one external); it's about 1 DNS name and 1 localhost.

3 Replies
Solution

Hi there,

It seems that your certificate does not contain the IP as a SAN.

Also please take a look at this:

https://serverfault.com/questions/641504/ssl-on-iis8-5-working-with-named-url-but-localhost-results-...
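
Added example (not part of the original thread): a small Python check of which host names and IP literals a certificate's SAN covers, showing why an address in the URL needs its own IP-type SAN entry. The certificates are constructed samples in the dict layout of `ssl.SSLSocket.getpeercert()`; `vpn.example.test` and `192.168.1.10` are placeholders, and ignoring the CN is an assumption that the client behaves like current Chromium-based browsers.

```python
import ipaddress

def _dns_match(pattern, host):
    """Case-insensitive label match; '*' may only replace the whole first label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def san_covers(cert, target):
    """True if target (host name or IP literal) is listed in the certificate's SAN.

    cert uses the dict layout returned by ssl.SSLSocket.getpeercert(). The
    subject CN is never consulted (assumption: the client behaves like current
    Chromium-based browsers, which match against SAN entries only).
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        # A host name is compared with dNSName entries only.
        return any(k == "DNS" and _dns_match(v, target) for k, v in sans)
    # An IP literal is compared with iPAddress entries only, never with DNS ones.
    for kind, value in sans:
        if kind != "IP Address":
            continue
        try:
            if ipaddress.ip_address(value) == ip:
                return True
        except ValueError:
            continue  # unparsable entry: skip it
    return False

# Constructed sample certificates; vpn.example.test and 192.168.1.10 are placeholders.
SUBJECT = ((("commonName", "vpn.example.test"),),)
NAMES_ONLY = {"subject": SUBJECT, "subjectAltName": (
    ("DNS", "vpn.example.test"), ("DNS", "server-2.test.local"))}
WITH_IP = {"subject": SUBJECT, "subjectAltName":
    NAMES_ONLY["subjectAltName"] + (("IP Address", "192.168.1.10"),)}

if __name__ == "__main__":
    for label, cert in (("names only", NAMES_ONLY), ("with IP SAN", WITH_IP)):
        for target in ("vpn.example.test", "server-2.test.local", "192.168.1.10"):
            print(f"{label:12} {target:22} covered={san_covers(cert, target)}")
```

To run the same check against a live server, pass the result of `getpeercert()` from a verified TLS connection in place of the sample dicts.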
