Using HTTPS with a dynamic IP

My situation: I want to run a webserver on a device in an unknown network. Requests on port 80 or 443 will be forwarded to this device from the global IP.

The device regularly posts its IP address to a server on the web and it is saved on this server.

Is it possible to access this device via HTTPS without much trouble? The problem, of course, is that the IP can change and an SSL certificate needs to have a hostname.

Edit: The device doesn't have a domain assigned to it that I could use for a certificate. Is it maybe possible to use a domain I own and reroute that to the dynamic IP without changing the header? As far as I understand it, that would make using HTTPS possible.

Cottrill answered 23/1, 2015 at 22:13 Comment(0)

The common wisdom of SSL certificates being associated with one IP address is misleading. An SSL certificate is issued for the domain name, not the IP address. The issue with IP addresses stems from the details of the HTTPS protocol, and namely just the issue of name resolution. An HTTP server can host many different sites for many different domains, all on the same port and IP address. It knows which site is being requested based on an HTTP header.

Now, with HTTPS, the server first needs to negotiate a secure SSL connection before any HTTP headers are exchanged. The issue therefore is that it can't know which certificate for which domain it's supposed to use to negotiate a secure connection, because it hasn't yet had a chance to talk to the client about the domain it'd like to visit.

There are actually mechanisms for name negotiation before encryption in later versions of the HTTPS protocol, but the practical problem is that older clients do not support it yet (stare at IE6).

So the practical solution is to reserve one IP address and/or port for each HTTPS site, because then there's no issue of multiple name resolutions. One IP/port is reserved for one specific HTTPS site and in extension for one SSL certificate.

Which means, as long as your server is only serving one HTTPS domain, its IP address can change as often as it wants; there's no issue there.

Salot answered 24/1, 2015 at 1:56 Comment(6)
Hi, thanks for the answer. My problem is that I don't have a domain to go with the changing IP. As far as I understand it, this would require updating the DNS entry when the IP changes (for example using DynDNS). Is it possible to reroute traffic from a domain on the web server to the dynamic IP? So I could use that domain for a certificate. The IP will be stored in a database and regularly updated. – Cottrill

Well, if you want HTTPS, you need a certificate. You can generally only get a certificate when you have a domain. I don't know if someone will sign you a certificate for a DynDNS domain. Maybe they will. If they do, you're good to go pointing your DynDNS domain at your server. Otherwise you can always use a self-signed certificate; since this doesn't appear to be for a very serious project anyway, that'll probably suffice for yourself. – Salot

You can get a certificate for a host name on your own domain, and have that host name be a CNAME DNS entry pointing to a DynDNS (or similar) hostname. I've done this successfully in the past. – Obvious

I honestly wanted to avoid using DynDNS, but that seems to be an OK solution; also, a CNAME DNS entry seems to be a good solution if you already have a domain name and a certificate for it. It would have been nice to have an encrypted HTTP connection to a dynamic IP, though (without DynDNS). – Cottrill

> Which means, as long as your server is only serving one HTTPS domain, its IP address can change as often as it wants; there's no issue there. -- Ummm, 'your server is only serving out one domain name as HTTPS' or 'your server is only serving out one HTTPS port per domain name'? English, me, bad. – Botulism

@EgbertS That's unpossible! ... No, seriously, I think I wrote that correctly!? – Salot

There is no problem with a dynamic IP. In an SSL certificate you store a static hostname (domain.com), not an IP address.

Blossom answered 24/1, 2015 at 1:43 Comment(0)
