HTTPS and locally hosted webservers

AIDEN TERZIU 1 Reputation point
2021-09-06T02:51:43.157+00:00

I self-host local websites that are externally viewable. This is an issue I have had from day one and I normally disregard it. I have a local Active Directory that has a zone for the domain that I use externally. These records only get hit internally. Let's say I set up a webserver and I go and add it to my zone so that it lines up with the domain you would use externally as well as internally (e.g. IIS01.mydomain.xyz = 10.0.0.50 internally, IIS01.mydomain.xyz = 1.1.1.1 externally). When I am not connected to my network I can access those sites and have full HTTPS capabilities, but when I do it internally I get hit with err_cert_authority_invalid unless I import the root cert file that Cloudflare provides. Is it possible to completely mitigate that and have HTTPS work as intended? I think it has something to do with the DNS zone I have; I am just not sure how else to route my sites internally without it.


2 answers

  1. Limitless Technology 39,931 Reputation points
    2021-09-06T11:41:34.513+00:00

    Hello

    The logical explanation is that since these computers are in the same domain environment, they will try to obtain a local certificate validation from a domain CA instead of online (this is due to preferred route mapping).

    The most simple option will be to deploy the certificate through GPO to all present and future computers in the domain:

    https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-using-group-policy

    Hope this helps in your case,
    Best regards,


  2. MotoX80 36,401 Reputation points
    2021-09-06T14:05:54.633+00:00

    unless I import the root cert file that cloudflare provides.

    Are you using Cloudflare for content distribution? I helped implement Akamai to globally host our web sites some years ago, so please bear with me, some details are fuzzy.

    In our case, the OurCompany.com DNS name was "owned" by Akamai and the IP resolved to some Akamai server depending on where on the planet the user was. Akamai then used a different name and certificate (I think) to access our web servers to pull static content, and route dynamic (ASPX) requests.

    On the IIS01 machine check the IIS bindings and see what SSL certificate is assigned to the site. In order for your internal HTTPS to work, the site on 10.0.0.50 would need to use the IIS01.mydomain.xyz certificate.

    It sounds like your site has a private Cloudflare cert assigned to it. I'm not a DNS expert, but to get that site to work internally you would need to route the IIS01.mydomain.xyz name out to the Cloudflare IP address.

    I think you could use 2 different HTTPS bindings to the site. You would need a second IP address. Have one IP set to use the Cloudflare cert and another IP with the internal cert. You should ask Cloudflare for help on setting that up.

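As an added example (not part of the thread, and not code from either answerer), a PowerShell script that makes the check MotoX80 describes concrete: it connects to the internal and the external address with the same SNI name, reports which certificate each path presents, and tests whether that certificate chains to a root this machine trusts. The host name and addresses are the placeholders from the question; a chain status of UntrustedRoot on the internal path is exactly the condition behind err_cert_authority_invalid.

```powershell
# Added example: compare the certificate IIS01.mydomain.xyz presents via the
# internal (AD DNS) address with the one presented via the public address.
# Values below are the question's placeholders, not real infrastructure.
param(
    [string]$HostName   = 'IIS01.mydomain.xyz',
    [string]$InternalIp = '10.0.0.50',   # answer from the internal AD zone
    [string]$ExternalIp = '1.1.1.1'      # answer from public DNS (Cloudflare edge)
)

function Get-TlsCertificateReport {
    param([string]$Ip, [string]$Sni)
    $client = [System.Net.Sockets.TcpClient]::new($Ip, 443)
    try {
        # Accept whatever the server sends during the handshake; trust is
        # evaluated separately below so we can see *why* it fails.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Sni)   # $Sni becomes the SNI name and the name to match
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

        # Build the chain against this machine's own root/intermediate stores.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $trusted = $chain.Build($cert)

        [pscustomobject]@{
            Target               = "$Sni via $Ip"
            Subject              = $cert.Subject
            Issuer               = $cert.Issuer
            Thumbprint           = $cert.Thumbprint
            NotAfter             = $cert.NotAfter
            TrustedByThisMachine = $trusted
            ChainStatus          = ($chain.ChainStatus.Status -join ', ')   # e.g. UntrustedRoot
        }
    } finally {
        $client.Dispose()
    }
}

# Same name, two paths: a differing Thumbprint shows the split-horizon mismatch,
# and a false TrustedByThisMachine on the internal path explains the browser error.
foreach ($ip in $InternalIp, $ExternalIp) {
    Get-TlsCertificateReport -Ip $ip -Sni $HostName | Format-List
}

# On the IIS host itself, this lists the HTTPS bindings and the certificate hash
# each one uses, which is what the site is actually configured to present.
netsh http show sslcert
```

If the Cloudflare origin root has already been imported into the machine store, the internal path will report as trusted; remove it temporarily or run the script from a freshly joined client to see the unmodified result.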
