Why isn’t it possible to use a CNAME alias to Google Storage with HTTPS? [closed]
The Google Storage documentation page states that "You can use a CNAME redirect only with HTTP, not with HTTPS." But I cannot see any reason for that. Can anyone explain to me why?

Firewood answered 15/2, 2012 at 13:22 Comment(2)
I guess it's for additional security. I don't know who enforces this though - the DNS, the browser, or Google. (Rayerayfield)
In addition to the answer below about multi-domain certs, it is also possible if you are using a service such as Cloudflare, which besides providing a DNS service also acts as an HTTP(S) proxy and terminates (decrypts) the SSL connection from the client before making its own (either HTTP or HTTPS, depending on settings) connection to the server and forwarding the content. (Undercharge)
Assume you have a CNAME record:

travel-maps.example.com CNAME c.commondatastorage.googleapis.com.

The browser resolves the name travel-maps.example.com, gets the IP for c.commondatastorage.googleapis.com, and then connects to port 443 of that address.

The server at this IP couldn't possibly[1] have a proper certificate for travel-maps.example.com (or for any other domain name with a CNAME record like this). Only the example.com domain owner could get a trusted cert for their own domain.

[1] Unless you uploaded the certificate to the CDN network, which is a common feature nowadays.

Farce answered 15/2, 2012 at 13:30 Comment(6)
As Apache can distinguish what domain the browser is surfing on (with VirtualHost), why can't it just serve the appropriate certificate for each one? (Firewood)
Google, the owner of googleapis.com, doesn't have a cert for travel-maps.example.com. (Farce)
With that CNAME record the browser connects to Google's IP, not your Apache's. (Farce)
This answer makes it clear why a CNAME from one owner to another wouldn't work with HTTPS, but not why a CNAME to another record owned by the same owner wouldn't. Could you describe that, please? (Brachio)
@Brachio If the server certificate matches the CNAME record (travel-maps.example.com in this case), SSL will work fine. (Farce)
But why couldn't I give Google a copy of my certificate? Almost every site hosting supports it, including App Engine. (Guppy)
It is possible!

There could be many domains attached to one SSL certificate.

Assume travel-maps.example.com CNAME c.commondatastorage.googleapis.com.

When both domains are in the SSL cert's name list, your CNAME can redirect with HTTPS.


Demo

This is how CDN service providers such as Incapsula work with HTTPS. They just create a "Multi-domain" SSL cert for you.

You may check a demo cert-info on this site: https://www.incapsula.com/


Anyway, this kind of SSL cert is for business use in most cases and is generally pretty expensive.

Winstonwinstonn answered 15/10, 2013 at 20:35 Comment(2)
So, if a CDN provides service to an HTTPS site foo, does it mean that I am no longer using the certificate provided by foo, and instead relying on the CDN's one? (Firewood)
No, your data still needs to be encrypted between your server and the CDN server. Theoretically, you may use a self-signed SSL cert for your server. (Winstonwinstonn)
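The two answers above say the same thing from opposite sides: the browser validates the certificate against the name the user typed (the CNAME alias), so a CNAME to a third party's host fails unless the certificate at that host also lists the alias. The following is an added example, not code from the question, from any answerer, or from Google Storage or Incapsula. It models the browser's steps with a constructed zone table, constructed addresses and constructed certificate SAN lists (the CDN host edge.example-cdn.net and the 203.0.113.x / 198.51.100.x addresses are placeholders); hostname matching follows the RFC 6125 rules in simplified form, including the rule that a wildcard covers exactly one label.

```python
# Added example (not from the page): what a browser does when a hostname is a
# CNAME alias for a host run by someone else, over HTTPS. It follows the CNAME
# chain, "connects" to the final address, and validates the certificate found
# there against the typed name, never against the canonical (CNAME target) name.
# All DNS records, addresses and certificate names below are constructed.

# Constructed zone data: owner name -> (record type, value).
DNS = {
    "travel-maps.example.com.": ("CNAME", "c.commondatastorage.googleapis.com."),
    "c.commondatastorage.googleapis.com.": ("A", "203.0.113.10"),
    "www.example.com.": ("CNAME", "edge.example-cdn.net."),   # hypothetical CDN
    "edge.example-cdn.net.": ("A", "198.51.100.5"),
}

# Constructed certificates, keyed by the address that serves them. The storage
# front end carries only the provider's own names; the CDN, where the customer
# uploaded or was issued a multi-domain cert, also lists the customer's alias.
CERT_SANS_BY_IP = {
    "203.0.113.10": ["*.commondatastorage.googleapis.com", "*.googleapis.com"],
    "198.51.100.5": ["edge.example-cdn.net", "www.example.com", "example.com"],
}


def _fqdn(name):
    """Normalise to lowercase with a trailing dot, as the zone table is keyed."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def resolve(name, max_hops=8):
    """Follow CNAME records to an A record; return (address, chain of names)."""
    name = _fqdn(name)
    chain = [name]
    while len(chain) <= max_hops:
        rtype, value = DNS[name]
        if rtype == "A":
            return value, chain
        name = _fqdn(value)
        chain.append(name)
    raise RuntimeError("CNAME chain too long or looping")


def san_matches(pattern, host):
    """RFC 6125-style match: exact, or a leftmost '*' standing for one label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p == h:
        return True
    if not p.startswith("*."):
        return False
    p_labels, h_labels = p.split("."), h.split(".")
    # Same label count (the wildcard covers exactly one label) and at least two
    # labels after the wildcard, so a pattern like "*.com" is never accepted.
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(sans, host):
    """True if any Subject Alternative Name in the cert covers the host."""
    return any(san_matches(san, host) for san in sans)


def https_outcome(typed_host):
    """Simulate the browser: resolve, take the cert at the final address, validate."""
    ip, chain = resolve(typed_host)
    sans = CERT_SANS_BY_IP[ip]
    return {
        "chain": chain,
        "ip": ip,
        "sans": sans,
        # Validation uses the typed name; the CNAME target plays no part in it.
        "valid": hostname_matches(sans, typed_host),
    }


if __name__ == "__main__":
    for host in ("travel-maps.example.com",
                 "c.commondatastorage.googleapis.com",
                 "www.example.com"):
        r = https_outcome(host)
        print(f"{host}: {' -> '.join(r['chain'])} at {r['ip']}; "
              f"cert names {r['sans']}; valid={r['valid']}")
```

Running it shows the alias travel-maps.example.com resolving to the storage address and failing validation because neither of the provider's names covers it, the canonical name c.commondatastorage.googleapis.com passing (Farce's comment that a cert matching the CNAME target works when you connect to that target directly), and www.example.com passing only because the CDN's certificate lists the alias itself. The `*.googleapis.com` entry deliberately does not cover `c.commondatastorage.googleapis.com`: a wildcard matches one label, not a subtree.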