For the 3rd custom, it seems to be working fine because it’s correctly targeting the expected domain.
Could this be the reason why the firewall of our client prevents them from accessing custom-domain-1.tld?
Do you have any suggestions on how to solve this?
Concerning the certificate, we generate one certificate that is valid for all the domains of your application. If you go to the details of the certificate, you can see a section “Certificate Subject Alternative Name” that should contain all the domains related to your application. This is called a SAN certificate (more info there).
Yes, that’s the application.
I just sent you a PM with the full screenshot from our client who’s trying to explain the issue they are facing.
Here is a version where I removed the URL:
I told them that it looks like it’s an issue with their firewall (Fortinet) but the client IT team thinks it’s coming from us because the app is accessible 80% of the time.
Here is their answer:
Hello,
I contacted the IT department. In his opinion, the problem is not with our firewall as the platform is accessible 80% of the time. He thinks the problem is with the certificate.
To answer your question, yesterday I can confirm that the message also appeared on my phone - which is not always the case.
Thanks a lot for the details about a SAN certificate.
This is strange because the certificate is valid (you can also check its validity on ssllabs.com) and has been valid for more than 1 month.
The fact that “the app is accessible 80% of the time” seems weird if this was a certificate issue (this should be either always accessible or never accessible).
I would recommend that they ask Fortinet support to take a look at their issue; maybe there is some misconfiguration on their side.
Don’t hesitate to keep us posted if you have additional info.
The CN corresponds to one domain chosen among the ones defined on your application side. As there is no constraint with a SAN certificate, since all other domains are defined in the “alternate names” of the certificate, we just take the first one we find when we generate the certificate.
You should see the same CN no matter which domain you visit (so only 1 domain should be the same as the CN of the certificate).
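
Added example, not part of the original thread and not the hosting provider's code: a Python check that a certificate's Subject Alternative Name list covers each custom domain even when the CN names only one of them. The sample certificate and the `custom-domain-2.tld` / `custom-domain-3.tld` names are constructed; the dict layout is the one `ssl.SSLSocket.getpeercert()` returns.

```python
import socket
import ssl

def fetch_cert(host, port=443, timeout=5):
    """Return the validated leaf certificate as the dict getpeercert() yields."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def common_name(cert):
    """Extract the subject CN, or None when the subject has no CN."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def san_dns_names(cert):
    """List the DNS entries of the Subject Alternative Name extension."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(pattern, host):
    """Exact match, or a wildcard that covers exactly the left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return False

def audit(cert, hosts):
    """Map each host to (covered_by_san, host_equals_cn)."""
    cn, sans = common_name(cert), san_dns_names(cert)
    return {h: (any(name_matches(p, h) for p in sans),
                cn is not None and cn.lower() == h.lower()) for h in hosts}

# Constructed sample: one certificate shared by three custom domains.
SAMPLE_CERT = {
    "subject": ((("commonName", "custom-domain-2.tld"),),),
    "subjectAltName": (("DNS", "custom-domain-1.tld"),
                       ("DNS", "custom-domain-2.tld"),
                       ("DNS", "custom-domain-3.tld")),
}

if __name__ == "__main__":
    for host, (in_san, is_cn) in audit(SAMPLE_CERT, ["custom-domain-1.tld"]).items():
        print(f"{host}: covered by SAN={in_san}, equals CN={is_cn}")
```

Passing `fetch_cert(host)` instead of `SAMPLE_CERT` audits the certificate actually served to the machine running the script.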