
I am configuring a server that has both a public and private IP. It doesn't have any associated domain names.

Using a self-signed certificate to access the URL below works properly:

    https://<PUBLIC IP>:8443

However, when I try to access that server using its private IP:

    wget https://<PRIVATE IP>:8443

I get the following error:

    ERROR: cannot verify 's certificate, issued by '/C=?/ST=?/L=?/O=?/OU=?/CN=Unknown':
      Self-signed certificate encountered.
    ERROR: certificate common name 'Unknown' doesn't match requested host name ''.
    To connect to insecurely, use `--no-check-certificate'.

Is there a way to specify in the configuration that both public and private IPs should be accepted?

I also tried including multiple connectors in server.xml containing the address attribute but it doesn't work.

2 Answers


I think you've got two fundamental problems here. Firstly, while Windows (as far as I know) implements a central certificate storage-and-validation mechanism, which applications generally call to (e.g.) validate an SSL certificate, UNIX apps all roll their own. So just because one browser works, it doesn't mean another browser, or wget, will - and what a PHP script will do is a complete mystery, and entirely dependent on the library in question.

Secondly, you've decided to go with an SSL certificate that embeds an IP address instead of a hostname, and we've had problems doing that before, around these parts.

My own feeling is it's not a good use of qualified time to continue trying to make this strategy work. Instead, register a domain name - they cost next to nothing, and are usually easier to type than IP addresses - and set up split-horizon DNS so that internal clients get the internal address, and external clients get the external one. That removes both of your problems in one swoop.

MadHatter

It seems that you are trying to access the server both from the Internet (using NAT) and from an internal LAN (directly), and this is the reason why you use two IP addresses. If that is the case, look at a similar situation and how to make your server available by the public IP both from the Internet and the LAN:

Cisco static NAT not working on LAN side

and thus avoid the certificate mess. (Look for the solution with a secondary IP.)

Sergio