SSL certificate issue

Discussion in 'Mac OS X Server, Xserve, and Networking' started by coolkid42, May 28, 2014.

  1. coolkid42 macrumors newbie

    Joined:
    Mar 23, 2014
    #1
    Hello,
    I am currently setting up an OS X Mavericks server; all the services have been configured and appear to be running fine, but I have an issue with my SSL certificate connection - I purchased a verified SSL certificate from RapidSSL.

    When I connect over SSL to https://server.mydomain.eu everything is great, certificate shows as verified in Safari. However, when I try to set up Contacts over SSL, I put in the hostname server.mydomain.eu, check "use SSL". The problem is that Contacts then comes back saying the certificate is not verified and it is trying to connect to n2190790xxxxx.netvigator.com (xxxxx are numbers that have been withheld) and says the certificate for this host is not verified as the URL on the certificate is server.mydomain.eu.

    Netvigator is my ISP, and accessing n2190790xxxxx.netvigator.com over http gives me the same website as server.mydomain.eu. I have no idea how to fix this and don't understand why contacts is connecting to the netvigator url instead of the url I enter into the field. It's almost as if my own ISP is launching a man-in-the-middle attack against me :D

    Thanks for any help!
     
  2. jtara macrumors 65816

    Joined:
    Mar 23, 2009
    #2
    1. You need a dedicated IP address. Do you have one?

    2. You need to set up proper reverse DNS for that dedicated IP address, so that when querying by IP address, it will return the proper domain name. You may need your ISP to do this for you.
     
  3. coolkid42 thread starter macrumors newbie

    Joined:
    Mar 23, 2014
    #3
    Hi Jtara, thanks for your help. I don't actually have a static IP address, but my dynamic IP changes very seldom (only when my router is switched off for a longer period of time and the last time that happened was 6 months).

    I will look into the reverse DNS issue; I will be changing DNS server providers anyway so we will see if that gets me anywhere.

    Thanks a lot!
     
  4. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #4
    It won't help. Reverse DNS has to be set up by the owner of that IP address. Your ISP isn't going to do it on a dynamic address.
     
  5. coolkid42 thread starter macrumors newbie

    Joined:
    Mar 23, 2014
    #5
    Yeah, so I just did a reverse DNS lookup and this is the problem - the lookup returned the ISP url for my IP address.

    Would Server Name Indication help me out here by any chance? The puzzling thing is, that the SSL certificate works great for HTTPS connections (no issue with unverified host), such as to my encrypted server website. Not quite sure why it works for https but not for anything else.

    Is there any way to get around this without getting a static IP and dealing with my ISP? Thank you.
     
  6. jtara macrumors 65816

    Joined:
    Mar 23, 2009
    #6
    Server Name Indication is an HTTP feature. Your problem is with email, which uses a different protocol (not HTTP.)

    Why are you running your own email server, anyway? I wouldn't recommend that. Especially not running your own email server on a dynamic address.

    Email hosting is cheap and typically way more reliable than running your own server.
     
  7. coolkid42 thread starter macrumors newbie

    Joined:
    Mar 23, 2014
    #7
    I'm not running my own email server (I don't think I ever mentioned email, the issue is with Contacts and the other services) for precisely the reason you mention - we have email hosting with someone else. But I do need to set up OS X Server for its other services and that's when the SSL problem comes up.
     
  8. jtara macrumors 65816

    Joined:
    Mar 23, 2009
    #8
    "OSX Server" is not some monolithic application or service. It's just a collection of different applications that are installed together in a bundle.

    SNI applies only to HTTP/HTTPS servers.

    I don't know what protocol the Contacts service uses. If it doesn't use HTTPS, then SNI is not applicable. As well, SNI is intended for general-purpose web servers, not other services that happen to use HTTP(s) protocol.

    In any case, it obviously is doing a reverse DNS check, and so it's not going to work until/unless you can get a static IP address with reverse DNS set up.
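
Added example (not part of any post in this thread, and not Apple's code): a small Python check that takes the two names seen in the thread, the hostname entered in the client and the name returned by the reverse DNS lookup, and tests each against the names on the certificate using RFC 6125-style matching. The function names are hypothetical, the sample values are constructed from the thread, and the PTR name keeps the page's withheld digits as a placeholder.

```python
import socket

def name_matches(hostname, pattern):
    """RFC 6125-style match: exact, or '*' standing for the whole left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False                      # a wildcard never spans several labels
    if pat[0] == "*":
        # refuse overly broad patterns such as '*.com'
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat

def cert_covers(hostname, cert_names):
    """True if any name on the certificate matches the hostname."""
    return any(name_matches(hostname, n) for n in cert_names)

def diagnose(configured, ptr_name, cert_names):
    """Report which of the two candidate names the certificate covers."""
    same = configured.lower().rstrip(".") == ptr_name.lower().rstrip(".")
    return {
        "configured_ok": cert_covers(configured, cert_names),
        "ptr_ok": cert_covers(ptr_name, cert_names),
        "ptr_differs": not same,
    }

def live_names(configured):
    """Forward-resolve, then reverse-resolve the address (needs network access)."""
    ip = socket.gethostbyname(configured)
    ptr_name, _aliases, _addrs = socket.gethostbyaddr(ip)
    return ip, ptr_name

# Constructed sample mirroring the thread (placeholder PTR name, digits withheld).
CERT_NAMES = ["server.mydomain.eu"]
CONFIGURED = "server.mydomain.eu"
PTR_NAME = "n2190790xxxxx.netvigator.com"

if __name__ == "__main__":
    print(diagnose(CONFIGURED, PTR_NAME, CERT_NAMES))
```

On a live host, `live_names()` supplies the PTR name to pass to `diagnose()` in place of the constructed one.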
     
