
I have multiple virtual hosts on my server, let's say I serve

www.example.com
sub.example.com
www.example.nl

In my DNS config, all points to the same server.

In apache2 config, there's a default config-file for http and one for https, and additional vhosts for the additional sites. I want all near-matches to be redirected to www.example.com. All specific sites have a certificate.

So my files look like this:

000-default.conf (redirects to https://www.example.com)
default-ssl.conf (serves https://www.example.com)
sub.example.com.conf (redirects to https://sub.example.com)
sub.example.com-ssl.conf (serves https://sub.example.com)
www.example.nl.conf (redirects to https://www.example.nl)
www.example.nl-ssl.conf (serves https://www.example.nl)

The problem is now that any other request (say, for be-creative.example.nl) defaults to the first loaded configuration. This works for http (000-default will match and redirect), but it does not work for https, because I have no valid certificate loaded for be-creative.example.nl. Therefore I cannot redirect, nor serve a valid page.

If I disable default-ssl.conf, the request is matched by sub.example.com-ssl.conf and the wrong certificate is served still.

Question: How can I handle these requests for which I have no certificate elegantly? How can I redirect to http without first having a valid matching certificate?

1 Answer


How I solve this on my own server (CentOS, Apache 2.4) is to have a generic page (invalidssl.example.com) with a valid SSL certificate (got a free one from Let's Encrypt) and set that in the default config. That way any https requests to a non-ssl domain will instead show that generic page that contains a nice error message.

To answer your question:

The only way to serve content to a visitor (be it a page, or a forward response) requesting a page over https while not triggering a browser warning is by responding with a valid SSL certificate for the requested domain. I personally see no reason why you would have this issue since free SSL certificates are readily available nowadays (Have a look at Let's Encrypt!).

  • But if someone reached that page from a different URL (blah.example.com) the browser would still first show an "unsafe page!" message, before he/she would see the nice error message, right?
    – TacoV
    Commented Sep 27, 2016 at 14:51
  • Oh yeah, that's right! The only way to serve content over https without triggering a browser warning is by using a valid SSL certificate for the domain the visitor requested. I don't think there is any way around this (which is by design, because if you could get around it that would be pretty unsafe)
    – Cas
    Commented Sep 27, 2016 at 14:52
  • I have this issue mainly since my domains are set to catch-all (*.example.com goes to this server) and Let's Encrypt does not support wildcard certificates. There actually exists a (browser?) message for when you turn off all SSL sites and try https (ERR_SSL_PROTOCOL_ERROR) which is IMO preferable to serving a wrong certificate (ERR_CERT_COMMON_NAME_INVALID).
    – TacoV
    Commented Sep 28, 2016 at 7:30
  • If you have a protocol error, I don't think it will be possible for people to get to the site at all. The only way that I know of how to do this is by actually changing your openssl config so that it does not support the ciphers that the client supports, but then it wouldn't work with a valid cert either. If your visitors don't know too much about apache and openssl configs I don't think any error should be preferred over the other as they'll just go away because they don't understand it anyway. >>
    – Cas
    Commented Sep 28, 2016 at 7:32
  • >> One thing you could do is write a program that scans apache logs for requests to invalid subdomains and periodically requests Let's Encrypt certificates for those subdomains. It isn't ideal but I can't think of a better solution unfortunately.
    – Cas
    Commented Sep 28, 2016 at 7:33

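The layout the answer describes, written out as an added example for a Debian-style Apache 2.4 install (this is not configuration from the question or the answer; the file names, the /var/www and /etc/letsencrypt/live paths, and the use of invalidssl.example.com as the catch-all name are assumptions). The point it shows is ordering: Apache hands a TLS connection whose SNI name matches no ServerName or ServerAlias to the first vhost loaded for that address and port, so the generic-certificate vhost has to be that first one, not whichever real site happens to sort first in sites-enabled/.

```apache
# Added example, not the asker's or the answerer's own config. Paths and
# file names are assumptions; adjust to the real layout.

# --- sites-available/000-default-ssl.conf -----------------------------
# sites-enabled/ is included in alphabetical order, so the 000- prefix
# makes this the first *:443 vhost. Any https request for a name with no
# matching vhost (be-creative.example.nl, blah.example.com, ...) lands
# here and is answered with the generic certificate and the error page.
<VirtualHost *:443>
    ServerName invalidssl.example.com
    DocumentRoot /var/www/invalidssl

    SSLEngine on
    # Certificate paths as laid out by certbot (assumed location).
    SSLCertificateFile    /etc/letsencrypt/live/invalidssl.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/invalidssl.example.com/privkey.pem

    # Serve the explanatory page for every requested path, not only "/",
    # so deep links to unknown hosts do not turn into 404s (mod_dir).
    FallbackResource /index.html
</VirtualHost>

# --- sites-available/000-default.conf ----------------------------------
# Plain-HTTP catch-all, as the asker already has it: everything that is
# not a known site is sent to the main site.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

# --- sites-available/www.example.com-ssl.conf --------------------------
# A real site. Name-based matching on the SNI/Host name selects it, so
# its position in the load order no longer matters.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/www.example.com

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/www.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
</VirtualHost>
```

To check the order Apache actually parsed, `apache2ctl -S` lists the *:443 vhosts in load order; the catch-all must be the first. To check what an unknown name gets, `openssl s_client -connect <server-ip>:443 -servername be-creative.example.nl </dev/null | openssl x509 -noout -subject` should print the invalidssl.example.com subject rather than that of a real site. As the comments point out, a browser will still show one name-mismatch warning before displaying the page; that warning only disappears with a certificate that covers the requested name. Since March 2018 Let's Encrypt has issued wildcard certificates via DNS-01 validation, so for the *.example.com catch-all described in the comments a wildcard certificate on this default vhost removes the warning entirely.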