Hey
Like the subject says I need to rewrite https://domain.com => https://www.domain.com. But I have a wildcard SSL setup for the domain and the root domain does not match *.domain.com, thus the browser brings up an error
domain.com uses an invalid security certificate.
The certificate is only valid for *.domain.com
This is my current vhost config
<VirtualHost 127.0.0.1:443>
ServerAdmin user@domain.com
DocumentRoot /usr/local/app/domain/webapps/www
JkMount /* somestuff
ServerName domain. com
ServerAlias www.domain.com
ErrorLog logs/domain.com-error_log
CustomLog logs/domain.com-access_log combined
Customlog logs/domain.com-deflate_log deflate
RewriteEngine on
RewriteCond %{HTTP_HOST} ^domain\.com [NC]
RewriteRule ^/?(.*) https://www.domain.com/$1 [L,R,NE]
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/x.domain.com.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/x.domain.com.key
</VirtualHost>
I was hoping that the RewriteEngine would kick in before the SSL is loaded but doesn't work. Is this solvable without getting a new cert that is just for the root domain ?
-
Unfortunately the name that the client is talking to is checked against the certificate by the client, not the server. As far as the client is concerned it is talking to domain.com not <something>.domain.com - it will be unaware of any URL rewriting that is being done at the server end.
So you will need an extra certificate for the other name to avoid certificate errors.
serverninja : This is correct. SSL negotiation will always happen first.Olaf : One could argue that it's rather "fortunate" that the client checks itself, not unfortunate. If the redirect could happen prior to SSL negotiation, traffic would obviously not be encrypted and a man in the middle could redirect the client anywhere they want to. This extra certificate usually costs money, which is unfortunate :)Olaf : Also, you might be able to get both, the wildcard and the toplevel domain in just one certificate - see the answers to http://serverfault.com/questions/87005/can-i-buy-just-one-ssl-cert-for-a-subdomain. I've not tried that, but this way you could work with just one certificate (and on the same IP address) instead of requiring an extra IP address just for the top level address.David Spillett : I agre, but it is unfortunate for the person asking the question as it impacts what is trying to do (serve both addresses so redirection works smoothly but with one certificate). Security is a GoodThing(tm), unfortunately being secure isn't always convinient.From David Spillett -
The host headers are (normally) not visible without terminating the SSL connection, so the certificate needs to be valid for whatever the client is entering... you could rewrite http://domain.com to https://www.domain.com though (why the heck did the comment code remove the www. when it made the examples into an url for? ^^)
From Oskar Duveborn
0 comments:
Post a Comment