Hello! I have recently worked with my customer’s IT team to obtain a TLS certificate for our Ignition gateway. Applying the certificate was successful, but afterwards I am still unable to use the domain name we set up in the certificate. Is there something I am missing here?
I can confirm that the inbound ports on 8088 and 8043 are open. I can access the gateway by navigating to https://server_name:8043, but receive a certificate error because that does not match the domain name we have set up in the certificate.
You have to be able to navigate to https://full.domain.in.cert:8043. If your customer hasn't established that name in their DNS infrastructure, the certificate is useless.
You need the full name to resolve to the server IP, and you must use the full name in all of your links/configurations.
(I would also recommend switching your gateway to use ports 80 and 443 like a proper webserver.)
If you cannot use the full name in your application URLs, there might be some options to consider in the certificate's Subject Alternate Names. But, if your cert is from a globally recognized authority, you will only have these options:
- Known private IP addresses (10.x.y.z, 172.16.y.z through 172.31.y.z, and 192.168.y.z) can be added to your cert and then you can access the gateway by IP address.
- Full domain names that alias to the primary name can be added, with the same proof of control over the names.
Really big, old companies that actually own a public subnet can add those, too.
With a private certificate authority issuing the cert, you can put just about any names or IPs into the SAN field, including something like the bare server-name. (But note that underscores are not valid in domain names; they must be dashes.)
Try accessing the server using the FQDN for your server by adding the domain name of the company after the server name.
For example, https://server_name.company_domain.com:8043.
Hopefully the certificate is valid for your server name (*.company_domain.com, etc).
They have registered the domain name in their DNS infrastructure. I am able to use nslookup to see that it matches the IP expected. Now instead of getting “no domain” error we are instead getting “connection refused”. Once again, I can confirm that we do have port 8043 open for inbound traffic.
Must be something architecture dependent on the customer side. I changed the port to 443, and suddenly the connection is no longer refused.
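The thread above walks a familiar ladder: first the name in the certificate must resolve in DNS, then the port must actually accept a TCP connection, and only then does the TLS handshake get far enough to compare the requested name against the certificate's Subject Alternative Names (where a wildcard covers exactly one label, an IP literal only matches an "IP Address" SAN, and underscores are not legal in a hostname at all). The script below, added here as an illustration and not code from the thread or from Ignition, separates those three stages so the error you see tells you which one failed. The hostnames, port and SAN entries in it are constructed placeholders; `san_covers` takes the SAN tuple in the shape Python's `ssl` module returns from `getpeercert()`.

```python
"""Diagnose why a TLS-enabled gateway is unreachable under its certificate name.

Added example for the thread above; not Ignition's own code. Hostnames, ports
and SAN entries are constructed placeholders.
"""
import ipaddress
import socket
import ssl

# RFC 1123 hostname labels: letters, digits and hyphens only; underscores are invalid.
_LABEL_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-")


def is_valid_dns_name(name: str) -> bool:
    """True if every label is 1-63 chars of [a-z0-9-] with no leading/trailing hyphen."""
    labels = name.lower().rstrip(".").split(".")
    if not all(labels):
        return False
    for label in labels:
        if len(label) > 63 or label[0] == "-" or label[-1] == "-":
            return False
        if not set(label) <= _LABEL_CHARS:
            return False
    return True


def _dns_name_matches(requested: str, pattern: str) -> bool:
    """Case-insensitive DNS-ID match; '*' covers exactly one left-most label."""
    req = requested.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(req) != len(pat):
        return False
    if pat[0] == "*":
        # A wildcard never covers the bare domain or more than one label.
        return len(req) > 1 and req[1:] == pat[1:]
    return req == pat


def san_covers(requested: str, san: tuple) -> tuple[bool, str]:
    """Check `requested` (hostname or IP literal) against SAN entries in the shape
    ssl.SSLSocket.getpeercert()['subjectAltName'] returns, e.g.
    (('DNS', 'gw.example.com'), ('IP Address', '10.0.0.5')).  Returns (matched, reason)."""
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None
    if ip is not None:
        for kind, value in san:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, f"matched IP Address SAN {value}"
        return False, "IP literal is not listed as an IP Address SAN"
    if not is_valid_dns_name(requested):
        return False, "requested name is not a valid DNS name (underscore or bad label?)"
    for kind, value in san:
        if kind == "DNS" and _dns_name_matches(requested, value):
            return True, f"matched DNS SAN {value}"
    return False, "no DNS SAN covers the requested name"


def diagnose(host: str, port: int, timeout: float = 5.0) -> tuple[str, str]:
    """Walk the failure ladder from the thread: DNS -> TCP -> TLS name check.
    Returns (stage, detail); stage 'ok' means the presented cert is valid for `host`."""
    try:
        addr = socket.gethostbyname(host)
    except socket.gaierror as exc:
        return "dns", f"{host} does not resolve: {exc}"
    try:
        raw = socket.create_connection((addr, port), timeout=timeout)
    except ConnectionRefusedError:
        return "tcp", f"{addr}:{port} refused the connection (nothing listening, or reset by a firewall)"
    except OSError as exc:
        return "tcp", f"cannot reach {addr}:{port}: {exc}"
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname verification
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "tls", f"certificate rejected for {host}: {exc.verify_message}"
    except ssl.SSLError as exc:
        return "tls", f"handshake failed: {exc}"
    matched, reason = san_covers(host, cert.get("subjectAltName", ()))
    return ("ok" if matched else "tls"), reason


if __name__ == "__main__":
    # Constructed placeholder; replace with the name that is actually in your certificate.
    print(diagnose("gateway.example.com", 443))
```

Run it with the exact name from the certificate rather than the bare server name: a `dns` result means the customer has not published the record yet, `tcp` is the "connection refused" seen on 8043 in the thread (try the port that worked, 443, to confirm it is a filtering problem and not the gateway), and `tls` means the name you typed is not among the SANs.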