
This Google Storage documentation page states that "You can use a CNAME redirect only with HTTP, not with HTTPS." But I cannot see any reason for that. Can anyone explain to me why?

qdii
  • I guess it's for additional security. I don't know who enforces this though - the DNS, the browser, or Google – Pekka Feb 15 '12 at 13:26
  • In addition to the answer below about multi-domain certs, it is also possible if you are using a service such as Cloudflare, which besides providing a DNS service also acts as an HTTP(S) proxy and terminates (decrypts) the SSL connection from the client before making its own (either HTTP or HTTPS, depending on settings) connection to the server and forwarding the content. – Danra Jan 29 '19 at 12:56

2 Answers


Assume you have a CNAME record:

travel-maps.example.com CNAME c.commondatastorage.googleapis.com.

The browser resolves the name travel-maps.example.com and gets the IP for c.commondatastorage.googleapis.com, then connects to port 443 of this address.

The server with this IP couldn't possibly[1] have a proper certificate for travel-maps.example.com (and all other domain names with CNAME records like this). Only the example.com domain owner could get a trusted cert for his own domain.

[1] Unless you uploaded the certificate to the CDN network, which is a common feature nowadays.

kupson
  • As Apache can distinguish what domain the browser is surfing on (with VirtualHost), why can't it just serve the appropriate certificate for each one? – qdii Feb 15 '12 at 14:15
  • Google, the owner of googleapis.com, doesn't have a cert for travel-maps.example.com – kupson Feb 15 '12 at 14:39
  • With that CNAME record the browser connects to Google's IP, not your Apache. – kupson Feb 15 '12 at 14:47
  • This answer makes it clear why a CNAME from one owner to another wouldn't work with HTTPS, but not why a CNAME to another record owned by the same wouldn't. Could you describe that, please? – kojiro Apr 23 '13 at 14:52
  • @kojiro If the server certificate matches the CNAME record (travel-maps.example.com in this case), SSL will work fine. – kupson Apr 24 '13 at 05:45
  • But why couldn't I give Google a copy of my certificate? Almost every site hosting supports it, [including App Engine](https://developers.google.com/appengine/docs/ssl). – Beni Cherniavsky-Paskin Mar 18 '14 at 07:03

It is possible!

There could be many domains attached to one SSL certificate.

ASSUME travel-maps.example.com CNAME c.commondatastorage.googleapis.com.

When both domains are in the SSL cert list, your CNAME can redirect with HTTPS.


Demo

This is how CDN service providers such as Incapsula work with HTTPS. They just create a "multi-domain" SSL cert for you.

You may check the demo cert info on this site: https://www.incapsula.com/


Anyway, this kind of SSL cert is for business use in most cases and is generally pretty expensive.

Sumner Evans
Shiji.J
  • So, if a CDN provides service to an HTTPS site foo, does it mean that I am no longer using the certificate provided by foo, and instead relying on the CDN's one? – qdii Oct 16 '13 at 08:02
  • No, your data still needs to be encrypted between your server and the CDN server. Theoretically, you may use a self-signed SSL cert for your server. – Shiji.J Oct 17 '13 at 07:43