zexec4 Absent Member.

Understanding Hostnames & Certificates

In rebuilding my little system recently (SLES11SP4 host & three XEN VMs, each SLES11SP4: VM1-OES; VM2-Gwise; VM3-gms), while things work, I may have created a cross for myself when I named each of the VMs and linked the hostnames to these VM names, resulting in some Certificate issues.
Let me explain. My registered internet domain for the purpose of this post is xyz.com.au, and the PTR for my mail.xyz.com.au points to the static IP assigned by my ISP. When I created my GroupWise XEN VM, I named the host gwise, so it became gwise.xyz.com.au, and similarly I named the third VM gms.xyz.com.au (for GW Mobility Server). So when the install processes created the CA certificate and the self-signed certificate for GMS, none of the certificates align to mail.xyz.com.au. I suspect this is leading to 550 TLS negotiation failure messages with some ISPs.
So, I guess the question is, how should I have gone about this? Surely I can't have both these VMs using the same mail.xyz.com.au domain so as to make sure the Certificates match what the Internet knows about the domain? Is there a way open for me to fix this?
Thanks

Jerome
(Learning a little more each day...)
Knowledge Partner

Re: Understanding Hostnames & Certificates

Independently of the hostname (which matters as well), you'll need a certificate from a trusted provider, as most devices will nowadays reject self-signed ones (and that's what likely causes the negotiation issues). So you should get an "official" certificate for "mail.xyz.com.au" or a wildcard one for "xyz.com.au". Once you install this for GMS services, things will likely start working (provided your NATting / port forwarding / whatsoever is configured properly). As it seems you own a single official IP address, you can use the same cert for e.g. WebAccess on another box, but you'll have to use another external port, of course.
zexec4 Absent Member.

Re: Understanding Hostnames & Certificates

Thanks Mathias: I will have to bite the bullet and get one of those Certificates.
Knowledge Partner

Re: Understanding Hostnames & Certificates

It's a smooth bullet these days. Used to be a bigger deal in the 1990s...
Knowledge Partner

Re: Understanding Hostnames & Certificates

In article <zexec4.8ghr7c@no-mx.forums.microfocus.com>, Zexec4 wrote:
> none of the Certificates align to mail.xyz.com.au.

That is a big issue, but not hard to fix. You could do the self cert to the name you want, but that still has many of the issues.

So as Mathias pointed out, you need cert(s) minted from a trusted root.

In addition to the ones you pay for, there is also Let's Encrypt that does free certs, but requires a little bit of scripting to get running, but there are plenty of examples of how to do it around.

While the pay ones have many options such as the wild card, they need to be redone every couple of years. Let's Encrypt, on the other hand, is a process that keeps recerting automatically (kind of their whole reason to exist).


Andy of
http://KonecnyConsulting.ca in Toronto
Knowledge Partner
http://forums.novell.com/member.php/75037-konecnya
If you find a post helpful and are logged in the Web interface, please
show your appreciation by clicking on the star below. Thanks!
hhs_admin Contributor.

Use free certs from Let's Encrypt

zexec4;2480091 wrote:
Thanks Mathias: I will have to bite the bullet and get one of those Certificates.

For free you can use Let's Encrypt certificates. Place a reverse proxy in front of your servers (web, gms, gw) and let it handle the Let's Encrypt stuff.

Let's Encrypt doesn't support wildcard certs, but it does support multi-domain (SAN, Subject Alternative Name) certs, which can handle all your sub-domains.

Klaus
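To make the name-matching point from Mathias's and Klaus's replies concrete, here is an added example (not from this thread or from any Micro Focus product) that checks whether a certificate's names cover a hostname the way a mail client does: SANs are checked when present, the CN only as a fallback, and a wildcard covers exactly one leftmost label. The certificate dicts are constructed to mimic the shape returned by Python's `ssl.SSLSocket.getpeercert()`, so no network access is needed; it checks name coverage only, not whether the issuing CA is trusted.

```python
"""Does a certificate's name list cover a given hostname?

The cert dicts below are constructed samples in the shape that
ssl.SSLSocket.getpeercert() returns for a live connection.
"""


def _name_match(pattern: str, hostname: str) -> bool:
    """Match one DNS pattern; a '*' is only honoured as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Wildcard must be the entire first label, cover exactly one label,
    # and leave at least two fixed labels (no '*.au' style patterns).
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def names_in_cert(cert: dict) -> list:
    """Names a client will check: DNS SANs if present, otherwise the CN."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def cert_covers(cert: dict, hostname: str) -> bool:
    """True if any certificate name matches the hostname being connected to."""
    return any(_name_match(name, hostname) for name in names_in_cert(cert))


# Constructed certs for the three situations discussed in the thread.
GMS_SELF_SIGNED = {"subject": ((("commonName", "gms.xyz.com.au"),),),
                   "subjectAltName": (("DNS", "gms.xyz.com.au"),)}
WILDCARD = {"subject": ((("commonName", "*.xyz.com.au"),),),
            "subjectAltName": (("DNS", "*.xyz.com.au"), ("DNS", "xyz.com.au"))}
SAN_CERT = {"subject": ((("commonName", "mail.xyz.com.au"),),),
            "subjectAltName": (("DNS", "mail.xyz.com.au"),
                               ("DNS", "gwise.xyz.com.au"),
                               ("DNS", "gms.xyz.com.au"))}

if __name__ == "__main__":
    for label, cert in [("gms self-signed", GMS_SELF_SIGNED),
                        ("wildcard", WILDCARD), ("SAN", SAN_CERT)]:
        print(f"{label:16} covers mail.xyz.com.au: {cert_covers(cert, 'mail.xyz.com.au')}")
```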