- Updated on 14 Nov 2023
Domains allows you to configure additional domains (virtual hosts) that a single Zone accepts. This allows custom branding of the portal based on the domain that is used to connect to the zone. It is also useful when a company name changes, so that both the new and the old domain are accepted during a migration period.
The default domain is always present and cannot be removed.
The virtual host of the default domain can only be changed with system permissions.
The license becomes invalid after the default domain is changed, which causes downtime until the license has been updated with the new domain.
Here you also add the HTTPS Webserver certificates for your non-primary zones.
Edit domain dialog box
Default - When checked, this is the default domain of the Zone.
Enabled - Whether or not the domain is enabled and usable.
Virtual host - Virtual host of the domain.
Description - Detailed description of the domain.
Transport Layer Security (TLS) secures the connection between the user and the workspace.
You can have trouble reaching a zone if a zone certificate expires and HSTS is enabled. Consult your browser documentation to learn how to remove the HSTS state in the browser for the zone domain.
You can select only a certificate that contains a private key. While not strictly necessary, it is best practice to use only certificates that have the full certificate chain imported. By default, HTTP.sys (part of the Windows OS) allows the use of insecure or obsolete protocols, ciphers, key exchange algorithms and hashes for maximum compatibility. While this allows a wide range of browsers to interact with the webserver, it also opens potential opportunities for TLS attacks. For hardening the TLS security, see: TLS Hardening.
Use ACME for automatic certificate renewal - With the ACME client you can automatically request and maintain certificates. If the option is enabled, additional options are displayed:
- Provider - At this moment, only “Let’s Encrypt” is supported. The requested certificate is valid for 90 days. After 60 days, a new certificate will be requested.
- Contact email addresses - The email addresses of the ACME account where ACME errors will be mailed.
The Check ACME certificates predefined scheduled task checks every day if the ACME certificates need to be renewed.
The ACME client itself uses a certificate to authenticate against a provider. This certificate can be found under Manage > System > Certificates after the first certificate has been requested. The requested certificates, including the chain, are stored in the same place.
Requirements for ACME usage
The provider will check if the zone name belongs to the requester. For this check to be successfully completed, the following requirements must be met:
- The DNS name of the domain must be resolvable on the internet to the Liquit environment.
- The Liquit environment must be accessible over port 80 from the internet.
Redirects from HTTP port 80 to HTTPS port 443 are allowed when the redirects include the original request path. For example: http://workspace.liquit.com/.well-known/acme-challenge/[token] redirects to https://workspace.liquit.com/.well-known/acme-challenge/[token]. HTTPS port 443 is not required to have a valid SSL certificate, because the ACME challenge mechanism will not validate any certificate.
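The following pre-flight check for the requirements above is an added example, not part of the Liquit product or documentation. It requests a challenge URL on port 80 without following redirects and verifies that any redirect keeps the original request path. The function names and the placeholder token are assumptions; the restriction to ports 80 and 443 reflects Let's Encrypt's redirect handling.

```python
import http.client
from urllib.parse import urljoin, urlsplit

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
REDIRECTS = (301, 302, 303, 307, 308)

def check_redirect(request_url, status, location):
    """Judge one response to an HTTP-01 request. Returns (ok, reason)."""
    if status not in REDIRECTS:
        return True, f"no redirect (status {status}); request reached the server"
    if not location:
        return False, "redirect without a Location header"
    target = urlsplit(urljoin(request_url, location))  # Location may be relative
    if target.scheme not in ("http", "https"):
        return False, f"redirect to unsupported scheme {target.scheme!r}"
    # Let's Encrypt only follows redirects to ports 80 and 443.
    port = target.port or (443 if target.scheme == "https" else 80)
    if port not in (80, 443):
        return False, f"redirect to port {port}"
    if target.path != urlsplit(request_url).path:
        return False, f"redirect dropped the challenge path (went to {target.path or '/'})"
    return True, f"redirect to {target.scheme} keeps the challenge path"

def probe(host, token="preflight-token", timeout=5):
    """Request a challenge URL on port 80 without following redirects.
    Run this from outside the network so DNS and port 80 are tested as
    the provider would see them. The token is a constructed placeholder."""
    path = CHALLENGE_PREFIX + token
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return check_redirect(f"http://{host}{path}", resp.status,
                              resp.getheader("Location"))
    except (OSError, http.client.HTTPException) as exc:
        # DNS failure, refused or timed-out connection, malformed response
        return False, f"port 80 not reachable: {exc}"
    finally:
        conn.close()

if __name__ == "__main__":
    # Constructed responses; no network traffic is generated here.
    url = "http://workspace.liquit.com" + CHALLENGE_PREFIX + "tok123"
    for status, loc in [(301, url.replace("http://", "https://")),
                        (302, "https://workspace.liquit.com/"),
                        (301, "/login"),
                        (404, None)]:
        print(status, loc, "->", check_redirect(url, status, loc))
```

A 404 for the placeholder token is expected and still shows that the request reached the webserver on port 80 without being redirected elsewhere.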
If the Use ACME for automatic certificate renewal option is not selected, the Certificate field is displayed, where you can select a certificate to secure the webserver. Clicking the browse button at the right of the lookup field opens the Certificate dialog box, where you can view all the certificates available. If the certificate is not present in the list, you can add it by following the steps described in the Certificates article.