SOLVED

Getting certificate error warning when accessing server using its internal IP over VPN

I've given my web server an SSL certificate from my own CA. The certificate has (Server and client authentication in addition to IP security IKE because I use the same certificate for my SSTP VPN Server). The certificate's subject name (Type=CN Common name) is the external domain name that points to my server's public IP address. In the certificate's alternative name, I set it to DNS type and added the server's local domain name (server-2.test.local).

So when I type in the external domain name into a browser of a non-local computer, my test website from that server loads fine over HTTPS, no certificate error whatsoever.

But when I first connect to my local network using SSTP VPN (VPN host name is the same as the external domain name that points to my server's public IP address), and then once I'm connected, I try to use the local domain name of my server in the browser, I get this certificate error.

NET::ERR_CERT_COMMON_NAME_INVALID

This server couldn't prove that it's [server's local domain name]; its security certificate is from [server's external domain name]. This may be caused by a misconfiguration or an attacker intercepting your connection.

What am I missing or doing wrong?

I don't know if it's related, but on the IIS server, I have set a rule to redirect HTTP to HTTPS.

My question is not a duplicate of the other one linked here. That question is not about 2 DNS names (one local and one external); it's about 1 DNS name and 1 localhost.

3 Replies
Best Response confirmed by Kirin990 (New Contributor)
Solution

Hi there,

It seems that your certificate does not contain the IP as a SAN.

Also please take a look at this:

https://serverfault.com/questions/641504/ssl-on-iis8-5-working-with-named-url-but-localhost-results-...
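
The SAN gap named in the reply above, as an added example that is not part of the original thread: a small Python model of the name check, assuming SAN-only matching as current browsers do (the subject CN is never consulted) and that an IP literal matches only an iPAddress entry. `vpn.example.com` and `192.168.1.10` are constructed placeholders; `server-2.test.local` is the name from the question.

```python
import ipaddress

def dns_match(pattern, host):
    """Case-insensitive label compare; '*' allowed only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def covers(cert, target):
    """True if `target` (the host part of the URL) is covered by the cert's SAN.

    cert = {"cn": str, "san": [("DNS", name) or ("IP", address), ...]}
    Assumption: SAN-only matching, so cert["cn"] is deliberately never read.
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for kind, value in cert["san"]:
        if ip is not None:
            # An IP literal matches only an iPAddress entry, never a DNS entry.
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and dns_match(value, target):
            return True
    return False

def report(cert, targets):
    """Map every name a client might type to whether the cert covers it."""
    return {t: covers(cert, t) for t in targets}

# Constructed sample data (placeholders, not values from the thread's server).
EXTERNAL, INTERNAL, INTERNAL_IP = "vpn.example.com", "server-2.test.local", "192.168.1.10"
TARGETS = [EXTERNAL, INTERNAL, INTERNAL_IP]
DNS_ONLY = {"cn": EXTERNAL, "san": [("DNS", EXTERNAL), ("DNS", INTERNAL)]}
IP_AS_DNS = {"cn": EXTERNAL, "san": DNS_ONLY["san"] + [("DNS", INTERNAL_IP)]}
FIXED = {"cn": EXTERNAL, "san": DNS_ONLY["san"] + [("IP", INTERNAL_IP)]}

if __name__ == "__main__":
    for label, cert in [("DNS only", DNS_ONLY), ("IP as DNS", IP_AS_DNS), ("fixed", FIXED)]:
        print(label, report(cert, TARGETS))
```

Every name or address that clients will put in the URL has to appear in the SAN with the right entry type; the reissued certificate is the `FIXED` shape.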
