nginx 301 redirect not working for 443 ssl, why..? - ssl

I'm trying to redirect from an old domain to a new one.
The old domain used to have an SSL cert, but it doesn't any more.
So I need to 301 redirect these:
http://olddomain.co.uk
http://www.olddomain.co.uk
https://olddomain.co.uk
https://www.olddomain.co.uk
All to: https://www.newdomain.co.uk
This is my config:
server {
listen 80;
listen 443 ssl;
server_name olddomain.co.uk www.olddomain.co.uk;
return 301 https://www.newdomain.co.uk;
}
I'm using http://www.redirect-checker.org to test.
Both of the http URL's redirect fine, however the https URL's are not found at all, as if this server directive doesn't catch the https URL's.
Is that because I need an SSL cert even though I'm not serving anything..?
Is an SSL cert still needed, just to redirect..?
If not, why would this not work..?
EDIT
To be clear, I don't see cert errors, Chrome says "This site can't be reached", it does't say anything about a cert. redirect-checker.org says "no URLs found".
EDIT 2
I've found another .conf file, which is working (all 4 url's, inc 2 https, redirecting, without a cert installed). This is copy-pasted:
server {
listen 80;
listen 443 ssl;
server_name thepreventduty.com www.thepreventduty.com;
return 301 $scheme://www.thepreventduty.co.uk$request_uri;
}
These all redirect:
http://thepreventduty.com
http://www.thepreventduty.com
https://thepreventduty.com
https://www.thepreventduty.com
To https://www.thepreventduty.co.uk, and I don't have an ssl cert for thepreventduty.com.
You can see if works here: http://www.redirect-checker.org/
When I add another .conf for another domain (I'm using include websites/*.conf; in nginx.conf), exact same server directive, just the domain names changed - it doesn't work!
Why..?

HTTPS connection means HTTP connections in SSL-session.
For establishing SSL-session you need certificate and key.
From official site of nginx:
To configure an HTTPS server, the ssl parameter must be enabled on listening sockets in the server block, and the locations of the server certificate and private key files should be specified
So, you need specify locations of certificate and key.
In case of incorrect SSL you will get cert error before redirect.
I recommend you use acme.sh for getting valid certificate and key.
At first, you need temporary disable redirects and specify root directory of old domain.
Then follow instruction:
https://github.com/Neilpang/acme.sh
Once it is done, enable redirect back.

Related

SSL for pointed domains

I have an app that is "multi-domain", Other domain just have to point to the IP address to run on my app on the web-server.
Using letsencrypt, I have also generated SSL for those pointed domain using "HTTP" challenges.
Now, my problem is - how do I tell my webserver to read that generated SSL files for the pointed domain.
They are not hosted on my server with config settings. They are just pointed with the IP address to my App and My app renders the content based on a domain name.
I am using VestaCP to manage server, domain, and email
Pointed domains have no config file on my server. They work on the web-application level.
How do I set https for that pointed domain? On a note, I already have valid SSL files - just not sure, where to post or point them, since there is no config.
Can they be kept using "htaccess" or at a web-application level?
E.g, My app runs at "http://example.com" and shows content for example.com, and for the second domain that is pointed to my server "http://anotherExample.com" - my app shows the content for "anotherExample.com" and so on and so forth. "example.com" is hosted on my server with Nginx and apache config, so SSL is set. But anotherExample.com is not hosted on server level but only at the app level - now, where do I set SSL for it? I have already successfully generated SSL using letsencrypt with HTTP challenge.
Update: I run a platform like Blogspot.com Multi-Domain blogs - How to serve SSL for pointed domain?
Thanks
I don't think what you want is directly possible. From your question, I think you are creating multiple A records which points to your application IP address, from which your application decides what data to serve.
So what you have to do is to get SSL certificate for each and every domain you want to serve. Then configure the web server to send the corresponding certificate. This can be done easily with most web servers. Eg: On nginx
server {
listen *:443 ssl;
server_name domain1.com;
ssl_certificate /path/to/domain1.crt;
ssl_certificate_key /path/to/domain1.key;
...
}
server {
listen *:443 ssl;
server_name domain2.com;
ssl_certificate /path/to/domain2.crt;
ssl_certificate_key /path/to/domain2.key;
...
}
Incase you are serving on different subdomains like domain1.example.com and domain2.example.com, then you could get a wildcard certificate which will do the trick.

nginx returns SSL certificate for subdomain that should have no certificate

I have a nginx server that manages a few domains and subdomains. There are some subdomains that have an own SSL certificate and they work fine. The problem is that if I try to open blablabla.mydomain.com (this subdomain is not configured in nginx) then firefox shows me an error "Connection is not secure" and "The certificate is only valid for xyz.mydomain.com" (this domain is configured with SSL and works well)
The same happens when I open the root domain mydomain.com. Then the server also returns the certificate for xyz.mydomain.com which is rejected by firefox.
I only want nginx to return the SSL certificate for domains/subdomains I explicitly have configured HTTPS. For what I understand, my configuration should be doing exactly this.
I configured all my https-subdomains like this:
server {
listen 443 ssl;
server_name xyz.mydomain.com;
root /var/www/xyz.mydomain/;
ssl on;
ssl_certificate /etc/letsencrypt/live/xyz.mydomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/xyz.mydomain.com/privkey.pem;
...
}
The root domain (which should have no SSL) is configured like this:
server {
listen 80;
server_name mydomain.com;
return http://some-redirection.com;
}
There is no SSL server block for this domain. Nor is for the other subdomains that do not exist. So why does nginx in these cases return the certificate for xyz.mydomain.com?
I don't use any wildcards in my server config. Is there some way to debug this? I mean, there must be a reason why nginx always returns the certificate for xyz.mydomain.com for every non-configured domain/subdomain. Why not another configured and working certificate?
I use an Ubuntu 14.04 server with nginx 1.4.6
If you need more info on my config, let me know
EDIT: I think I know why my config does not work. When using https the client encrypts also the domain name and this causes nginx to try all available server defintions. When it doesn't find one it returns the last one? And xyz.mydomain.com seems to be the last one (alphabetically)
So is there a way to avoid this? Would I have to create a ssl cert for every other subdomain?

Nginx serves different website (on the same sever) when using HTTPS

I have several websites hosted on the same sever. To simplify I have just 2 (http-only.com and https.com) and using nginx to handle requests.
One has SSL enabled. And another doesn't. I noticed links like this in Google Search Console http-only.com/https_server_path and when accessing an http-only.com server with https protocol I get requests served by an https.com server instead.
https.com:
server {
listen 443 ssl;
server_name https.com;
ssl on;
}
only-http.com:
server {
listen 80;
server_name only-http.com;
}
I think I should define something like a default ssl server to handle ssl for http.com, but don't know how to do it properly. I guess nginx should redirect https request to an http url if corresponding server doesn't handle https. Or maybe there is a better solution?

Multiple Domains SEO SSL Redirect Avoiding Loop Errors

I have 4 domains in my server:
domain1.com
domain2.net
domain3.com
domain4.net
The primary and SSL enabled is: domain1.com
I try a SEO permanent 301 redirection of all of them to https://www.domain1.com and works fine, the problem is that when someone tries to access any secondary domain prefixing it with https the redirection doest work.
Example: domain2.net (or any other of those with https prefix) will not redirect to https://www.domain1.com and get a SSL certificate error.
I believe this is because SSL request uses a different port: 443 and all the Rewrite Rules i made are just for 80 port.
Please help!
You get the SSL certificate error because the certificate does not match the name of the accessed server. Any redirects will only be done after establishing the SSL connection, which means you need to have a valid certificate for each domain you want to redirect from.

Nginx Redirect Subdomain with SSL

So I've got this port 80 redirect working fine
server {
listen 80;
server_name "~^(?<subdomain>.+)\.site-box\.it$";
rewrite ^(.*)$ https://$subdomain.sitebox.co permanent;
}
But I want https to work too, because some old links are left around that have https://guy.site-box.it
But this doesn't work
server {
listen 443;
server_name "~^(?<subdomain>.+)\.site-box\.it$";
rewrite ^(.*)$ https://$subdomain.sitebox.co permanent;
}
It seems to cause nothing in the Nginx conf file to work. I just get cloudflare errors on the main site, and on the testing guy.site-box.it it just says page is not available.
Any idea how to get the SSL subdomain to work?
First of all you need 2 certificates: for subdomain.site-box.it and for subdomain.sitebox.co. If you have wildcard certificate - good, can use one server block. If you have separate certificate - need to create one server for each subdomain (because certificate paths are different).
Also, you need openssl with SNI support (well, almost all modern version has) and check browser/os support. SNI - it's for https name-based hosting.
Also, better use return 301 instead of rewrite. return 301 https://$subdomain.sitebox.co much better.
And finally you server block not configured well. You forgot ssl keyword and certificate paths.
server {
listen 443 ssl;
ssl_certificate ... ;
ssl_certificate_key ... ;
}