Certificate for domain and IP

Running Apache WAMP on Windows 10 Pro. Let's Encrypt certificate was created and installed successfully. However... I am using a domain name that will probably change in the future. I was wondering if Let's Encrypt can work for both a domain and an IP at the same time. Currently, the people that use my site were using the IP because I had no domain, but now I do have a domain and it was a quick one I got, so it will probably change in the future. But when you access the site via IP it says an error because it doesn't match what's on the certificate of course. Only the domain is on the certificate. Is it possible to use an IP as an alias on the certificate? Or is that not possible and I should just have users be redirected to the domain name if they access the site via typing in the IP?

1 Like

No--Let's Encrypt doesn't issue certs for IP addresses.

4 Likes

IP addresses are for machines, not humans.

Users should consistently use a name, so have them use that (and sure, go ahead and redirect to the name if they're typing an IP directly).

If you get a new name, get a new certificate for that name and have users use that instead.

2 Likes

http://IP.ADD.DR.ESS/ can easily be forwarded (to anywhere).

httpS://IP.ADD.DR.ESS/ is another thing; as it needs to complete the HTTPS connection before it can provide redirection information - which of course may fail [due to not having a trusted cert covering the IP (as a name)]

Note: In the examples above, "IP.ADD.DR.ESS" denotes an actual (numeric only) IP address.
[in case that was not made obvious]

3 Likes

And I guess to be clear, one can in theory get a certificate for an IP (The main one I know of actually being used is CloudFlare's https://1.1.1.1/ ), and Let's Encrypt plans to actually offer them at some nebulous point in the future, but you can't get them from Let's Encrypt at this time. There might be some other CAs you could use if you really want to use IP addresses directly, but I suspect your life (and the lives of your users) will just be much easier if you just use a DNS name.

It'd be nice if use of the RFC 5737 / RFC 3849 documentation address space was as obvious to a reader as being an "example" as using example.com or the .example TLD are when talking about DNS names, but somehow they're not utilized nearly as often as they should be. :slight_smile: Your way of doing an example may actually be the clearest way to represent it despite it not even using numbers.

3 Likes
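The reason a domain-only certificate fails for a URL typed as an IP, as the replies above describe, is that a TLS client matches a numeric host only against iPAddress subjectAltName entries, never against dNSName entries. The following is an added example, not code from the thread or from Let's Encrypt: a small matcher that mirrors that client-side decision. The SAN lists are constructed samples, using RFC 5737 / RFC 3849 documentation addresses rather than real certificates.

```python
"""Deciding whether a certificate's subjectAltName list covers the host the
user typed. Constructed SAN lists below stand in for parsed certificates."""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed samples, not real certificates. The first mirrors what a CA
# issues for a domain only; the second adds iPAddress entries using RFC 5737
# / RFC 3849 documentation addresses.
DOMAIN_ONLY_CERT: List[Tuple[str, str]] = [
    ("DNS", "mysite.example.org"), ("DNS", "www.mysite.example.org")]
IP_CERT: List[Tuple[str, str]] = [
    ("DNS", "mysite.example.org"), ("IP", "192.0.2.10"), ("IP", "2001:db8::1")]
WILDCARD_CERT: List[Tuple[str, str]] = [("DNS", "*.example.org")]


def dns_name_matches(pattern: str, host: str) -> bool:
    """Match one dNSName SAN against a host name, RFC 6125 style:
    case-insensitive, and a wildcard only as the whole left-most label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Reject '*', '*.org' and 'f*o.example.org': the wildcard must leave at
    # least two fixed labels and covers exactly one label of the host.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(sans: Iterable[Tuple[str, str]], requested: str) -> bool:
    """True if some SAN entry covers `requested` (the host part of the URL).

    A numeric host is compared only against iPAddress entries, so a cert
    that names the domain alone never satisfies a URL that uses the bare IP."""
    try:
        ip = ipaddress.ip_address(requested.strip("[]"))
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None:
            # A dNSName that merely looks like an IP does not count.
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and dns_name_matches(value, requested):
            return True
    return False


def explain(sans: Iterable[Tuple[str, str]], requested: str) -> str:
    """Human-readable verdict, the detail a browser's error page hides."""
    sans = list(sans)
    if cert_covers(sans, requested):
        return f"{requested}: covered"
    try:
        ipaddress.ip_address(requested.strip("[]"))
        return (f"{requested}: not covered (no matching iPAddress SAN; "
                "dNSName entries never match a numeric host)")
    except ValueError:
        return f"{requested}: not covered (no matching dNSName SAN)"


if __name__ == "__main__":
    for host in ("mysite.example.org", "192.0.2.10", "[2001:db8::1]"):
        print(explain(DOMAIN_ONLY_CERT, host))
        print(explain(IP_CERT, host))
```

Run it as-is and the domain-only list reports the IP as not covered while the list with iPAddress entries accepts it, which is exactly the difference between the poster's certificate and one like the 1.1.1.1 certificate mentioned above.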

Thanks guys. I'm trying to redirect but having problems with it. I'm port forwarding port 444 to port 443 (because another server in the building is running port 443 and port 80... so I only got external port 444). The IPs and domains are changed for privacy.

This is what I have in my vhosts file:
<VirtualHost *:80>
    ServerName localhost
    ServerAlias localhost
    DocumentRoot "${INSTALL_DIR}/www/dashboard"

    <Directory "${INSTALL_DIR}/www/dashboard/">
        Options +Indexes +Includes +FollowSymLinks +MultiViews
        AllowOverride All
        Require all granted

        #Redirect to the HTTPS site
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule ^/?(.*)$ https://mysite.example.org:444/$1 [NE,NC,R=301,L]
    </Directory>
</VirtualHost>

And this is what I have in my httpd-ssl.conf file:
<VirtualHost *:443>
    DocumentRoot "${INSTALL_DIR}/www/dashboard"
    ServerName mysite.example.org
    ErrorLog "${INSTALL_DIR}/logs/sslerror.log"
    TransferLog "${INSTALL_DIR}/logs/sslaccess.log"

    <Directory "${INSTALL_DIR}/www/dashboard/">
        Options +Indexes +Includes +FollowSymLinks +MultiViews
        AllowOverride All
        Require all granted

        #Redirect to the correct domain name
        RewriteEngine On
        RewriteCond %{HTTP_HOST} !^mysite.example.org:444$ [NC]
        RewriteCond %{HTTP_HOST} ^45.185.212.181:444$
        RewriteRule ^/?(.*)$ https://mysite.example.org:444/$1 [NE,NC,R=301,L]
    </Directory>

    SSLEngine on
    # PATHS TO CERTS (SSLCertificateFile / SSLCertificateKeyFile, omitted by the poster)
</VirtualHost>

I'm sure I'm doing something wrong. I can get it to redirect to the domain when I use https://serverip:port, but whenever I type in http://serverip:port or http://mysite.example.org:444 it says "Bad Request ... Apache/2.4.41 (Win64) OpenSSL/1.1.1c PHP/7.4.0 Server at mysite.example.org Port 80" because it wants to use http and not https.

1 Like

What about this address with cheese, lettuce, tomato, and ketchup on a bun? :grin:

222.173.190.239

DE.AD.BE.EF

3 Likes

On your server, you are redirecting both HTTP and HTTPS to port 444.
But you don't show where in your server you are listening on/using port 444.

You say another server in the building (i.e. on that same IP) is already using ports 80 and 443.
So how is anyone from the outside going to reach your server?
Do you control the border router/firewall?

1 Like

The server listens on port 443, because that is the default for https. But externally, that is port 444 because of port forwarding. It's not 'straight forwarded'. If one goes to mysite.example.org:444, they get to my server. If inside the building and one goes to the server's internal-ip:443, they get to my server. Port 444 externally is port 443 on my server. It works because I can access the site. It's only the redirect I can't get working.

I do not directly control the router/firewall. I can only request a change and then the other guy grumpily takes 2 days to change it.

1 Like

To correctly match the certificate name, that should also be a name (instead of an IP).
Just like from the outside (but with port 443 instead):

Of course you will have to do some DNS tricks to ensure the inside users get the inside IP - while outside users get an outside IP.

2 Likes

Inside users, when typing in the outside IP, are directed by the router to go to the correct place.

My problem, which has nothing to do with IPs, is that mod_rewrite does not work at all in the httpd-ssl.conf file, even when AllowOverride All is set. And all redirects I try just end in a loop with "too many redirects".

1 Like

Have you tested how exactly your redirect works?
Since you didn't provide your hostname and/or your Apache configuration for the other server, there's nothing to help us know the exact issue.

If you are forwarding the redirect, you need to ask the other server to accept 444 connections. I think the error message is because the ports are 443->444->443->444... which is a constant dead loop.

1 Like

That means (to me) that:
http://IP redirects to https://name:444
https://name:444 (is forced to connect to https://name:443 which) redirects to https://name:444
https://name:444 (is forced to connect to https://name:443 which) redirects to https://name:444
https://name:444 (is forced to connect to https://name:443 which) redirects to https://name:444
...

Get the picture?
You need to stay away from the external IP from any of the internal sources.
Or they will be caught with the external redirection (not usable from the internal IPs).

2 Likes
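The loop sketched in the reply above, and the "Bad Request" the poster saw when sending plain http:// to the forwarded port, both fall out of where a request actually lands once the router rewrites the port. The following is an added example, not code from the thread or from Apache: a small model of that topology (one public IP, :80/:443 owned by the other server, public :444 forwarded to this Apache's :443) that follows redirects the way a browser would and reports loops. It compares a redirect rule keyed on the server-side port with one keyed on the Host header the client sent. The addresses are RFC 5737 documentation space, the "no hairpin NAT for inside clients" rule and the IPv4-only Host parsing are assumptions of the model, and the rule that Apache answers plain HTTP on a TLS port with a 400 is standard mod_ssl behaviour.

```python
"""Tracing a request through the NAT port forward and the two Apache
listeners to see where a redirect chain ends up."""
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit

SITE_NAME = "mysite.example.org"
EXTERNAL_IP = "192.0.2.10"      # constructed: the building's one public IP
INTERNAL_IP = "198.51.100.20"   # constructed: LAN address of the Apache host
EXTERNAL_TLS_PORT = 444
NAT = {EXTERNAL_TLS_PORT: 443}  # router: public :444 -> INTERNAL_IP:443
PUBLIC_URL = f"https://{SITE_NAME}:{EXTERNAL_TLS_PORT}"

# A policy for the :443 vhost gets (host_header, server_port, path) and
# returns a Location to redirect to, or None to serve the page.
Policy = Callable[[str, int, str], Optional[str]]


def port_based(host_header: str, server_port: int, path: str) -> Optional[str]:
    """'If we are not on 444, send them to 444.' Behind the forward Apache
    always sees 443, so this fires on every request: the 443->444->443 loop."""
    return PUBLIC_URL + path if server_port != EXTERNAL_TLS_PORT else None


def host_based(host_header: str, server_port: int, path: str) -> Optional[str]:
    """Redirect only when the client addressed us by something other than the
    certificate name. The Host header carries what the client typed, port and
    all (IPv4-only parsing here, an assumption of the model)."""
    hostname = host_header.split(":")[0].lower()
    return PUBLIC_URL + path if hostname != SITE_NAME else None


def deliver(url: str, inside: bool) -> Tuple[str, int, str]:
    """Where a TCP connection for `url` lands: ("apache", port, host_header),
    ("other", 0, "") for the other server, or ("unreachable", 0, "")."""
    parts = urlsplit(url)
    default = 443 if parts.scheme == "https" else 80
    port = parts.port or default
    host = parts.hostname or ""
    host_header = host if port == default else f"{host}:{port}"
    addr = EXTERNAL_IP if host == SITE_NAME else host  # no split DNS
    if addr == INTERNAL_IP:
        return ("apache", port, host_header) if port in (80, 443) else ("unreachable", 0, "")
    if addr != EXTERNAL_IP:
        return ("other", 0, "")
    if inside:
        return ("unreachable", 0, "")  # assumption: router does not hairpin its public IP
    if port in NAT:
        return ("apache", NAT[port], host_header)
    return ("other", 0, "")  # public :80/:443 belong to the other server


def apache(scheme: str, port: int, host_header: str, path: str, policy: Policy) -> Tuple[str, str]:
    """Listener behaviour: :80 is plain HTTP and redirects everything to the
    public HTTPS URL; :443 is TLS-only and answers plain HTTP with 400."""
    if port == 80:
        if scheme == "https":
            return ("handshake_failed", "TLS ClientHello sent to a plain-HTTP port")
        return ("redirect", PUBLIC_URL + path)
    if scheme != "https":
        return ("400", "plain HTTP sent to an SSL-enabled port")
    target = policy(host_header, port, path)
    return ("redirect", target) if target else ("200", path)


def follow(url: str, inside: bool, policy: Policy, max_hops: int = 5) -> Tuple[str, List[str]]:
    """Follow redirects like a browser would; report the outcome and the URLs
    visited. A URL seen twice is reported as 'loop'."""
    trail: List[str] = []
    while len(trail) <= max_hops:
        if url in trail:
            return ("loop", trail + [url])
        trail.append(url)
        kind, port, host_header = deliver(url, inside)
        if kind != "apache":
            return (kind, trail)
        parts = urlsplit(url)
        status, detail = apache(parts.scheme, port, host_header, parts.path or "/", policy)
        if status != "redirect":
            return (status, trail)
        url = detail
    return ("too_many_redirects", trail)


if __name__ == "__main__":
    cases = [(PUBLIC_URL + "/", False), ("http://mysite.example.org:444/", False),
             (f"https://{EXTERNAL_IP}:444/", False), (f"https://{INTERNAL_IP}/", True)]
    for url, inside in cases:
        for policy in (port_based, host_based):
            outcome, trail = follow(url, inside, policy)
            print(f"{policy.__name__:10s} {url:36s} -> {outcome}: {' -> '.join(trail)}")
```

Running it shows the port-keyed rule looping on the public URL, the Host-keyed rule serving it and redirecting the bare-IP form once, http:// on the forwarded port ending in a 400 at the TLS listener, and an inside client that reaches the server by its LAN address being bounced to the public name it cannot reach, which is the situation the last reply warns about.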

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.