Tags: ssl, amazon-ec2, cname, wildcard-subdomain

Wildcard SSL and CNAME


I am using Amazon EC2 ELB and following their recommendation of using CNAME to refer to the public DNS of the ELB:

$ nslookup qa.mydomain.com
Server:     192.168.1.1
Address:    192.168.1.1#53

Non-authoritative answer:
qa.mydomain.com canonical name = mydomain-20530xxxx.us-west-1.elb.amazonaws.com.
Name:   mydomain-20530xxxx.us-west-1.elb.amazonaws.com
Address: 50.18.xxx.yyy

I purchased a wildcard SSL cert to protect all my subdomains. So the cert was issued for *.mydomain.com. However, when I visit qa.mydomain.com, all browsers are screaming security. The message on Google Chrome, when I try to access https://qa.mydomain.com is:

Chrome says: You attempted to reach mydomain-20530xxxx.us-west-1.elb.amazonaws.com, but instead you actually reached a server identifying itself as *.mydomain.com. This may be caused by a misconfiguration on the server or by something more serious.

Am I going about it the wrong way? Is the use of CNAME essentially incompatible with PKI/SSL? What are my options?

Thanks.

PS: Here is the report from performing dig on the address: qa.mydomain.com. Obviously, the actual domain name and results have been masked for security.

$ dig qa.mydomain.com

; <<>> DiG 9.8.1-P1 <<>> qa.mydomain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 961
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;qa.mydomain.com.       IN  A

;; ANSWER SECTION:
qa.mydomain.com.    1670    IN  CNAME   mydomain-205300xxxx.us-west-1.elb.amazonaws.com.
mydomain-205300xxxx.us-west-1.elb.amazonaws.com. 60 IN A 50.18.xxx.yyy

;; Query time: 105 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Thu Aug  9 14:05:31 2012
;; MSG SIZE  rcvd: 121

Solution

  • Whether the IP address resolution comes from a CNAME or an A DNS entry has no influence on the certificate name verification.

    What matters is that the name, as you request it in the URL, matches one of the entries in the certificate.

    In short, if the certificate has Subject Alternative Name entries, one of them must match the host name you request; if there are no SAN DNS entries, the Common Name (CN) of the Subject DN must match the host name.
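Added example, not part of the question or the answer above: the host-name matching rule the answer describes (SAN DNS entries first, CN only as a fallback, and a wildcard that covers exactly one leftmost label), implemented over the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns so it can also be pointed at a live server. The two certificates in the block are constructed samples, not real certificates, and `mydomain.com` and the ELB host name are the question's masked names.

```python
"""Certificate host-name matching as the answer describes it.

Added example, not code from the original question or answer.  The
certificate is represented as the dict that Python's
ssl.SSLSocket.getpeercert() returns, so cert_matches_host() can be run
against a live server.  The sample certificates below are constructed for
illustration and are not real certificates.
"""

# Constructed sample: the wildcard certificate from the question
# (SAN carries the names; the CN is only informational here).
WILDCARD_CERT = {
    "subject": ((("commonName", "*.mydomain.com"),),),
    "subjectAltName": (("DNS", "*.mydomain.com"), ("DNS", "mydomain.com")),
}

# Constructed sample: an older-style certificate with no SAN at all,
# so the Common Name is the only name a verifier can use.
CN_ONLY_CERT = {
    "subject": ((("commonName", "qa.mydomain.com"),),),
}


def cert_dns_names(cert):
    """Names a verifier may match against, per RFC 6125: the SAN
    dNSName entries if any exist, otherwise the subject Common Name."""
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    # No DNS SANs: fall back to the CN of the Subject DN.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def dns_name_matches(pattern, hostname):
    """Match one certificate name against the host name from the URL.

    A wildcard is honoured only as the entire leftmost label and it
    matches exactly one label: *.mydomain.com covers qa.mydomain.com,
    but neither mydomain.com nor a.qa.mydomain.com.  Comparison is
    case-insensitive and ignores a trailing dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards such as f*.example.com and *.*.example.com.
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False
    # Require at least two labels after the wildcard so "*.com" can never match.
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return h_labels[0] != "" and h_labels[1:] == p_labels[1:]


def cert_matches_host(cert, hostname):
    """True if the host name requested in the URL matches the certificate."""
    return any(dns_name_matches(n, hostname) for n in cert_dns_names(cert))


def explain(cert, hostname):
    """One-line verdict, e.g. for printing during troubleshooting."""
    names = ", ".join(cert_dns_names(cert))
    verdict = "OK" if cert_matches_host(cert, hostname) else "MISMATCH"
    return f"{hostname}: {verdict} (certificate names: {names})"


if __name__ == "__main__":
    # The name typed into the browser is what gets checked.  The ELB name
    # reached through the CNAME never enters into the comparison, and it
    # would not match the wildcard if someone requested it directly.
    for host in ("qa.mydomain.com",
                 "mydomain-20530xxxx.us-west-1.elb.amazonaws.com",
                 "mydomain.com",
                 "a.qa.mydomain.com"):
        print(explain(WILDCARD_CERT, host))
```

To check a live endpoint, replace `WILDCARD_CERT` with the dict from `ssl.create_default_context().wrap_socket(socket.create_connection((host, 443)), server_hostname=host).getpeercert()`; if that call itself raises a certificate error, the presented certificate already fails the same rule, and the `explain()` line tells you which names it actually carries.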