3

I am trying to redirect without a rewrite rule from e.g. https://www.domain.com to https://www.domain.net . I have a wildcard certificate for *.domain.net . This yields the following warning in my error_log:

[warn] RSA server certificate wildcard CommonName (CN) `*.domain.net' does NOT match server name!?

This makes sense and I understand why the warning appears. I would like to ask if there is a way to use the Redirect directive to accomplish the above without the warnings. Here are my virtual hosts in ssl.conf:

    <VirtualHost *:443>
        SSLEngine on
        ServerName www.domain.net
        DocumentRoot /var/www/html/domain
        SSLOptions -FakeBasicAuth -ExportCertData +StrictRequire +OptRenegotiate -StdEnvVars
        SSLStrictSNIVHostCheck off
    </VirtualHost>

    <VirtualHost *:443>
        SSLEngine on
        ServerName www.domain.com
        ServerAlias www.domain.info
        Redirect permanent / https://www.domain.net
    </VirtualHost>

Also, if there is a solution, can it be used for redirection from https://domain.com to https://www.domain.com? Thanks a lot!

3 Answers

3

Please be aware that the SSL handshake and verification process of the underlying HTTPS connection occurs before the actual request is sent. That means there is no HTTP response from the server before the authenticity of the server certificate has been verified, not even a redirect.

If you only have one endpoint (i.e. only one public IP address), you'll need to buy a SAN certificate, that is, a certificate with Subject Alternative Names.

That way you could have a wildcard certificate for *.domain.net with the SAN www.domain.com, and you won't get any certificate warnings.

For further info, check out an old answer I gave for a similar situation, just with nginx instead of Apache.
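The handshake-before-request point made above is the whole story: the client compares the names in the presented certificate against the host name it asked for (sent via SNI) before it transmits a single byte of HTTP, so a Redirect in the vhost can never be reached if the names do not match. The following is an added example, not code from the question or from any of the answers, that implements the host-name matching rules (RFC 6125 / RFC 2818 style) a browser or Apache applies, using the host names from the question as constructed sample data. The function names `hostname_matches`, `cert_covers` and `explain` are chosen for this illustration, and the "at least two labels after the wildcard" rule is a stand-in for the Public Suffix List that a real validator consults.

```python
"""Check whether a TLS certificate's names cover a requested host name.

Added example (not from the original page): reproduces the name-matching
rules a TLS client applies during the handshake, i.e. before any HTTP
request or Redirect is seen.  All certificate names below are constructed
sample data taken from the question's host names.
"""
from typing import Iterable

# Constructed sample: the questioner's wildcard-only certificate, and the
# wildcard-plus-SAN certificate that the answer above recommends buying.
WILDCARD_ONLY = ["*.domain.net"]
WILDCARD_PLUS_SAN = ["*.domain.net", "www.domain.com", "www.domain.info"]


def _label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label against one pattern label.

    A bare '*' matches any single non-empty label.  Partial wildcards such
    as 'w*' are rejected (modern clients no longer honour them).
    """
    if pattern == "*":
        return bool(label)
    if "*" in pattern:
        return False
    return pattern == label


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """Return True if cert_name (a SAN dNSName or a CN) covers hostname.

    Rules applied:
      * comparison is case-insensitive and ignores a trailing dot;
      * a wildcard is only honoured as the whole leftmost label;
      * a wildcard covers exactly one label, so '*.domain.net' matches
        'www.domain.net' but neither 'domain.net' nor 'a.b.domain.net';
      * wildcards that would cover a whole TLD ('*.com') are refused.
    """
    cert = cert_name.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if not cert or not host:
        return False
    cert_labels = cert.split(".")
    host_labels = host.split(".")
    # A wildcard stands for exactly one label, so label counts must agree.
    if len(cert_labels) != len(host_labels):
        return False
    # A wildcard anywhere but the leftmost label is invalid.
    if any("*" in lbl for lbl in cert_labels[1:]):
        return False
    # Heuristic stand-in for the Public Suffix List: at least two labels
    # must follow the wildcard, so '*.com' never matches anything.
    if cert_labels[0] == "*" and len(cert_labels) < 3:
        return False
    return all(_label_matches(p, h) for p, h in zip(cert_labels, host_labels))


def cert_covers(cert_names: Iterable[str], hostname: str) -> bool:
    """True if any of the certificate's names covers hostname."""
    return any(hostname_matches(name, hostname) for name in cert_names)


def explain(cert_names: Iterable[str], hostname: str) -> str:
    """Summarise the outcome the way the question's Apache warning does."""
    names = list(cert_names)
    if cert_covers(names, hostname):
        return f"{hostname}: covered by certificate names {names}"
    return (f"{hostname}: NOT covered by {names}; the client aborts the "
            "handshake with a name mismatch before any Redirect is sent")


if __name__ == "__main__":
    # www.domain.com and the bare apex domain.net both fail against the
    # wildcard-only certificate; only the SAN certificate rescues the
    # .com name, and neither certificate covers the apex.
    for host in ("www.domain.net", "www.domain.com", "domain.net", "domain.com"):
        print(explain(WILDCARD_ONLY, host))
        print(explain(WILDCARD_PLUS_SAN, host))
```

Note that the second part of the question (https://domain.com to https://www.domain.com) is the same problem in miniature: a wildcard `*.domain.com` covers `www.domain.com` but not the apex `domain.com`, so the apex name must itself appear as a SAN on whatever certificate the redirecting vhost presents.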

2

www.domain.com (and for that matter www.domain.info) are not the same domain as www.domain.net, hence the warning. You should have certificates for those domains as well, if you need to avoid this warning.

-1

From another question ( https://stackoverflow.com/a/53424202/2590491 ):

My solution is: httpS://www.example.com --> http://www.example.net --> httpS://www.example.net

    <VirtualHost *:80>
        ServerName www.example.net
        Redirect "/" "https://www.example.net/"
    </VirtualHost>

    <VirtualHost *:443>
        ServerName www.example.com
        #### The Tricky ####
        Redirect "/" "http://www.example.net/"
        SSLEngine on
        # SSLProxyEngine On
        SSLCertificateFile /path/example_com.crt
        SSLCertificateKeyFile /path/example_com.key
        SSLCertificateChainFile /path/DigiCertCA_example_com.crt
        SSLProtocol ALL -SSLv2 -SSLv3
        SSLHonorCipherOrder on
        SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    </VirtualHost>

    <VirtualHost *:443>
        ServerName www.example.net
        ...
        SSLEngine on
        # SSLProxyEngine On
        SSLCertificateFile /path/example_net.crt
        SSLCertificateKeyFile /path/example_net.key
        SSLCertificateChainFile /path/DigiCertCA_example_net.crt
        SSLProtocol ALL -SSLv2 -SSLv3
        SSLHonorCipherOrder on
        SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    </VirtualHost>
1
  • The step in between is completely useless, it only disrupts the encrypted requests. And the worst thing, the user doesn't even notice his connection was not encrypted for one step. Commented Nov 22, 2018 at 6:47
