Custom SSL Domain configuration

I'm having a hard time wrapping my head around configuring custom domain names in OutSystems PaaS. This is my journey so far.

I've followed the instructions at Custom DNS names for OutSystems Cloud servers - OutSystems and created a CNAME record which looks like

| CNAME | app.customdomain.com | foo.outsystems.com |

The CNAME is working and entering app.customdomain.com into a browser lands on foo.outsystems.com, but with a certificate error:

NET::ERR_CERT_AUTHORITY_INVALID

Subject: *.outsystemsenterprise.com

Issuer: Bad Server Certificate

So, following the instructions at Enable Custom SSL Domain In OutSystems PaaS - OutSystems, I can have a certificate for *.customdomain.com applied to the secure end-point. So now the whole environment foo.outsystems.com domain is accessed via customdomain.com. E.g., to connect in Service Studio you must now connect via customdomain.com, and similarly Service Center is now located at customdomain.com.

You can now use SEO Friendly URLs to configure a Site Rule that will direct app.customdomain.com to the app Root Application. So far so good.

My questions are:

  1. What if I need to host something like app.anothercustomdomain.com? It's apparent that only one certificate can be applied to an environment at once. If I was to raise a ticket, would OutSystems Support configuring the IIS web bindings required? Does anybody have any experience with this?
  2. Our Pen Testers and Architects don't like wildcard certificates being used in Prod environments. And we are going to want multiple subdomains of customdomain.com. I see that SAN certificates are a possibility. I've not had any experience with SANs, but my first thought is that it introduces some extra configuration management headaches and the SAN would need to be regenerated and re-applied to the environment each time we released a new application. Again - does anybody have any experience with this?

I look forward to any feedback.
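Added example, not part of the thread and not OutSystems code: a small check of which planned hostnames a certificate's names cover, using RFC 6125-style matching, to show where a `*.customdomain.com` wildcard stops and what a SAN list has to enumerate. The hostname inventory and both name lists are constructed from the domains used in the question; a SAN certificate may list names from more than one domain.

```python
# Added example: constructed names only; no certificate is parsed or fetched.

def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match of one certificate dNSName against a hostname.

    A wildcard is honoured only as the entire leftmost label and stands for
    exactly one label, so it never matches the bare parent domain or a
    deeper subdomain.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Require two fixed labels so "*.com" style names are rejected,
        # and a non-empty host label in the wildcard position.
        return (len(p_labels) >= 3 and h_labels[0] != ""
                and p_labels[1:] == h_labels[1:])
    return p_labels == h_labels


def uncovered(cert_names, planned_hosts):
    """Return the planned hostnames that no name on the certificate covers."""
    return [h for h in planned_hosts
            if not any(name_matches(n, h) for n in cert_names)]


# Constructed inventory of hostnames the environment is expected to serve.
PLANNED = [
    "app.customdomain.com",
    "portal.customdomain.com",
    "customdomain.com",
    "api.eu.customdomain.com",
    "app.anothercustomdomain.com",
]

# Constructed certificate name lists: the wildcard from the question and a
# hypothetical SAN certificate enumerating individual hosts.
WILDCARD_CERT = ["*.customdomain.com"]
SAN_CERT = ["app.customdomain.com", "portal.customdomain.com",
            "app.anothercustomdomain.com"]

if __name__ == "__main__":
    for label, names in (("wildcard", WILDCARD_CERT), ("SAN", SAN_CERT)):
        print(f"{label}: not covered -> {uncovered(names, PLANNED)}")
```

Running the same check against the release inventory before each deployment flags any new application hostname that would require the SAN certificate to be reissued.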

Rank: #445

I would say that your best shot would be to have your LB or reverse proxy doing the SSL offloading and handling the different certificates. I have some exp on F5, using iRules, and they are very versatile to achieve that, especially in some situations where rewriting requests and responses is necessary. On an on-prem installation, if you don't want to rely on an LB/RP for that, it is a bit easier, as you could spread your modules over different websites on IIS. I have seen this type of scenario a few times in the past; not sure if this is still supported or not (Note: modules under SEO rules need to be kept on the same website that the ISAPI is installed on, otherwise it will break SEO).

Since you are on PaaS, perhaps engaging with OS and asking if they already have a setup for such scenarios on their AWS-based offering would be the way to go for now.

cheers

Rank: #5731

Hi Arley,

Thanks for your response, it's very much appreciated. I had not considered using Load Balancing or Reverse Proxies and it certainly offers me some food for thought.

Thanks again,

Ben