
coolkid42

macrumors newbie
Original poster
Mar 23, 2014
Hello,
I am currently setting up an OS X Mavericks server; all the services have been configured and appear to be running fine, but I have an issue with my SSL certificate connection - I purchased a verified SSL certificate from RapidSSL.

When I connect over SSL to https://server.mydomain.eu everything is great, certificate shows as verified in Safari. However, when I try to set up Contacts over SSL, I put in the hostname server.mydomain.eu and check "use SSL". The problem is that Contacts then comes back saying the certificate is not verified and that it is trying to connect to n2190790xxxxx.netvigator.com (xxxxx are numbers that have been withheld), and says the certificate for this host is not verified as the URL on the certificate is server.mydomain.eu.

Netvigator is my ISP, and accessing n2190790xxxxx.netvigator.com over HTTP gives me the same website as server.mydomain.eu. I have no idea how to fix this and don't understand why Contacts is connecting to the Netvigator URL instead of the URL I enter into the field. It's almost as if my own ISP is launching a man-in-the-middle attack against me :D

Thanks for any help!
 
1. You need a dedicated IP address. Do you have one?

2. You need to set up proper reverse DNS for that dedicated IP address, so that when querying by IP address, it will return the proper domain name. You may need your ISP to do this for you.
 
Hi Jtara, thanks for your help. I don't actually have a static IP address, but my dynamic IP changes very seldom (only when my router is switched off for a longer period of time and the last time that happened was 6 months).

I will look into the reverse DNS issue; I will be changing DNS server providers anyway so we will see if that gets me anywhere.

Thanks a lot!
 
It won't help. Reverse DNS has to be set up by the owner of that IP address. Your ISP isn't going to do it on a dynamic address.
 
Yeah, so I just did a reverse DNS lookup and this is the problem - the lookup returned the ISP URL for my IP address.

Would Server Name Indication help me out here by any chance? The puzzling thing is that the SSL certificate works great for HTTPS connections (no issue with unverified host), such as to my encrypted server website. Not quite sure why it works for HTTPS but not for anything else.

Is there any way to get around this without getting a static IP and dealing with my ISP? Thank you.
 
Server Name Indication is an HTTP feature. Your problem is with email, which uses a different protocol (not HTTP.)

Why are you running your own email server, anyway? I wouldn't recommend that. Especially not running your own email server on a dynamic address.

Email hosting is cheap and typically way more reliable than running your own server.
 
I'm not running my own email server (I don't think I ever mentioned email, the issue is with Contacts and the other services) for precisely the reason you mention - we have email hosting with someone else. But I do need to set up OS X Server for its other services and that's when the SSL problem comes up.
 
"OSX Server" is not some monolithic application or service. It's just a collection of different applications that are installed together in a bundle.

SNI applies only to HTTP/HTTPS servers.

I don't know what protocol the Contacts service uses. If it doesn't use HTTPS, then SNI is not applicable. As well, SNI is intended for general-purpose web servers, not other services that happen to use HTTP(s) protocol.

In any case, it obviously is doing a reverse DNS check, and so it's not going to work until/unless you can get a static IP address with reverse DNS set up.
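
An added example, not part of the thread and not code from OS X Server: the name mismatch the original poster reports, reproduced offline with a simplified RFC 6125-style hostname check. The certificate name and both hostnames are the ones given in the posts above (the withheld digits stay as `x`); the function names are hypothetical.

```python
import socket

def name_matches(pattern, hostname):
    """Simplified RFC 6125 match: exact, or '*' as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]   # refuse '*.eu'-style patterns
    return p == h

def verifies(cert_names, reference):
    """True if any name on the certificate covers the reference identity."""
    return any(name_matches(n, reference) for n in cert_names)

def reverse_name(ip):
    """Live PTR lookup for comparison against the entered name (needs network)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def diagnose(entered, ptr_name, cert_names):
    """Check the certificate against the entered name and the reverse-DNS name."""
    entered_ok = verifies(cert_names, entered)
    ptr_ok = verifies(cert_names, ptr_name) if ptr_name else None
    if not entered_ok:
        finding = "certificate does not cover the entered name"
    elif ptr_ok is False:
        finding = "certificate covers the entered name but not the reverse-DNS name"
    else:
        finding = "no name mismatch"
    return {"entered_ok": entered_ok, "ptr_ok": ptr_ok, "finding": finding}

# Names as given in the thread; the withheld digits are left as 'x'.
CERT_NAMES = ["server.mydomain.eu"]
ENTERED = "server.mydomain.eu"
PTR_NAME = "n2190790xxxxx.netvigator.com"

if __name__ == "__main__":
    for key, value in diagnose(ENTERED, PTR_NAME, CERT_NAMES).items():
        print(f"{key}: {value}")
```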
 