SSL for domain with multiple A records

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: fishbase.org

I accessed this URL on my Chrome browser: https://fishbase.org

It produced this output:

Your connection is not private

Attackers might be trying to steal your information from www.fishbase.org (for example, passwords, messages, or credit cards). Learn more

NET::ERR_CERT_COMMON_NAME_INVALID

This server could not prove that it is www.fishbase.org; its security certificate is from fishbase.se. This may be caused by a misconfiguration or an attacker intercepting your connection.

fishbase.org redirects to fishbase.se and other mirror sites via round robin. If accessed with HTTP, it works well.
fishbase.se and other mirror sites have their own SSL certs provided by Let's Encrypt.

My question is this:
Is it possible for fishbase.org to have its own SSL cert, even though it is just a domain name that maps to other mirror servers?

Thank you for your help!

It's certainly possible for the two servers responsible for fishbase.org to have HTTPS certificates.

It's tricky to actually get the certificates in an automated way though, because your two servers would need to coordinate somehow to present the correct answer to the Let's Encrypt HTTP domain validation challenge.

I would probably use the DNS challenge, because it would allow each of your servers to independently obtain a certificate without worrying about what the other server is doing. However, it doesn't look like any ACME clients out there support ZoneEdit, possibly because they don't have an API to programmatically create TXT records.

3 Likes

Hello _az. Thank you for your reply.

Just to make it clear, the two servers you mentioned already have HTTPS certs provided by Let's Encrypt.
What I was asking was if it is possible to assign a separate cert for fishbase.org itself given that it is just a domain name that points to other servers.

Thank you.

1 Like

You can have a cert that has several different domains on it, and use that on your server to catch redirects for them all. You just need to include all those domains, e.g. the following are all distinct and would need to be individually included as subject alternative names in the certificate if your server is going to respond on behalf of these domains:

fishbase.se
www.fishbase.se
fishbase.org
www.fishbase.org

--

So you can do this with one cert, or different servers can have their own certs that they manage, but whatever server responds to users' browsers must have a cert that covers the exact domain the browser is requesting.

5 Likes
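A diagnostic that follows from the two replies above (the round-robin coordination problem and the "cert must cover the exact requested name" rule), added here as an example and not code from the thread: it resolves every A/AAAA record of a name, connects to each server with SNI set to that name, and reports whether the presented certificate's SAN list covers it. The SAN lists at the bottom are constructed to mirror the names listed in the reply, not taken from real certificates.

```python
"""For every A/AAAA record of a name, report whether the server there presents
a certificate whose SANs cover that name (the OP's Chrome error). Stdlib only."""
import socket
import ssl


def hostname_covered(hostname: str, san_names: list[str]) -> bool:
    """RFC 6125-style match: exact DNS name, or '*' as the whole leftmost label
    matching one label (*.example.org covers www.example.org, not example.org)."""
    host = hostname.lower().rstrip(".")
    for san in san_names:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*.") and "*" not in san[2:]:
            h_labels, s_labels = host.split("."), san.split(".")
            if len(h_labels) == len(s_labels) and h_labels[1:] == s_labels[1:]:
                return True
    return False


def san_names_from_cert(cert: dict) -> list[str]:
    """DNS SANs from the dict that ssl.SSLSocket.getpeercert() returns."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def check_mirrors(hostname: str, port: int = 443, timeout: float = 5.0) -> dict[str, bool]:
    """Connect to each address behind hostname with SNI=hostname (needs network).
    The chain is still validated against the default CA store; only the hostname
    check is done by hand so a mismatch is reported rather than raised."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we compare SANs ourselves below
    ctx.verify_mode = ssl.CERT_REQUIRED  # keep chain validation on
    results: dict[str, bool] = {}
    for *_, sockaddr in socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM):
        ip = sockaddr[0]
        try:
            with socket.create_connection((ip, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                    results[ip] = hostname_covered(hostname, san_names_from_cert(tls.getpeercert()))
        except OSError:  # unreachable, handshake failure, or chain did not validate
            results[ip] = False
    return results


# Constructed SAN lists (not real certificates): a mirror cert for the .se names
# only, and one that also lists the .org names as the reply above suggests.
MIRROR_ONLY_SANS = ["fishbase.se", "www.fishbase.se"]
COMBINED_SANS = ["fishbase.se", "www.fishbase.se", "fishbase.org", "www.fishbase.org"]
```

Running `check_mirrors("www.fishbase.org")` against a round-robin name shows per-address which mirror still serves a cert without the .org names; any `False` entry is a server that will trigger the browser error for some fraction of visitors.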

Additional context from OP

As I mentioned in the ServerFault response, it is likely going to be more efficient for the person/organization that controls the web servers to obtain the necessary certificates for all of the names those servers are using.

Even though you control the domain for one set of names, you have effectively delegated control of those specific names to the owner of the web server. So the web server operator can obtain a cert for those names without any interaction from you. And that will be the most efficient process long term even though you could theoretically obtain a cert for the names in your domain yourself.

4 Likes
