Secure a url that has a cname record

Tags: ssl, dns, cname

I have a site that has subdomains for each user and a wildcard SSL Cert

https://user1.mysite.com

https://user2.mysite.com

The question is can someone set a cname record such as user1.theirsite.com -> user1.mysite.com and have it still use https?

Will it work if they install an SSL Cert on their server to secure the connection?

Thanks

asked by bones, May 02 '12 01:05



2 Answers

The best way for this to work is if they arrange with you to have your SSL certificate include their "alias" as a Subject Alternate Name extension in your X.509 certificate.

This is the approach used by some CDNs when they host https sites for clients - they put all of the known site names that are hosted on one server in one large SSL certificate, and then the clients use CNAMEs to point their domain at the right CDN server.

answered by Alnitak, Sep 18 '22 13:09


The host name and certificate verification (and in fact, checking that SSL is used at all) are solely the responsibility of the client.

The host name verification will be done by the client, as specified in RFC 2818, based on the host name they request in their URL. Whether the host name DNS resolution is based on a CNAME entry or anything else is irrelevant.

If users are typing https://user1.theirsite.com/ in their browser, the certificate on the target site should be valid for user1.theirsite.com.

If they have their own server for user1.theirsite.com, different to user1.mysite.com, a DNS CNAME entry wouldn't make sense. Assuming the two hosts are effectively distinct, they could have their own valid certificate for user1.theirsite.com and make a redirection to https://user1.theirsite.com/. The redirection would also be visible in the address bar.

If you really wanted to have a CNAME from user1.theirsite.com to user1.mysite.com, they might be able to give you their certificate and private key so that you host it on your site too, using Server Name Indication (assuming same port, and of course same IP address since you're using a CNAME). This would work for clients that support SNI. There would however be a certain risk to them in giving you their private keys (which isn't generally recommended).

answered by Bruno, Sep 17 '22 13:09
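As an added illustration of the point both answers make (this is not code from either answerer): the browser takes the host name from the URL the user typed and matches it against the certificate's dNSName entries; the CNAME the name resolved through never enters the check. The certificate contents below are constructed, as are the helper names; the wildcard rules follow the RFC 2818 / RFC 6125 conventions of one wildcard in the leftmost label only.

```python
"""Browser-side host name verification, simplified to the name-matching step."""
from urllib.parse import urlsplit


def name_matches(pattern: str, hostname: str) -> bool:
    """Does one certificate dNSName entry cover *hostname*?"""
    p_labels = pattern.rstrip(".").lower().split(".")
    h_labels = hostname.rstrip(".").lower().split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard covers exactly one label, never "a.b.mysite.com"
    for label in p_labels[1:]:
        if "*" in label:
            return False  # wildcard only in the leftmost label
    if "*" in p_labels[0] and p_labels[0] != "*":
        return False  # no partial wildcards such as "us*.mysite.com"
    if p_labels[0] == "*" and len(p_labels) < 3:
        return False  # refuse "*.com" style wildcards
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def certificate_covers(san_dns_names: list[str], url: str) -> bool:
    """The check a client performs: URL host vs. the SAN list. No DNS, no CNAME."""
    host = urlsplit(url).hostname or ""
    return any(name_matches(n, host) for n in san_dns_names)


# Constructed certificates standing in for the ones discussed in the thread.
WILDCARD_CERT = ["*.mysite.com", "mysite.com"]                      # the asker's wildcard cert
SAN_CERT = ["*.mysite.com", "mysite.com", "user1.theirsite.com"]    # Alnitak's SAN approach

if __name__ == "__main__":
    for cert_name, sans in (("wildcard", WILDCARD_CERT), ("with-SAN", SAN_CERT)):
        for url in ("https://user1.mysite.com/", "https://user1.theirsite.com/"):
            verdict = "OK" if certificate_covers(sans, url) else "NAME MISMATCH"
            print(f"{cert_name:9} {url:30} -> {verdict}")
```

The wildcard certificate alone produces a name mismatch for https://user1.theirsite.com/ no matter where the CNAME points; only a certificate that lists that name (or one served for it via SNI, as Bruno describes) passes.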