I guess I am trying to do three things at once, but I am trying to:
direct example.com to example.com.au
direct example.com.au to www.example.com.au
direct HTTP to HTTP
That is, four variations all directed to the HTTPS version.
Here are the sections in the configuration file:
<VirtualHost *:80>
ServerName example.com.au
ServerAlias www.example.com.au example.com www.example.com
ServerAdmin …
Redirect permanent / https://www.example.com.au/
</VirtualHost>
<VirtualHost *:443>
ServerName www.example.com.au:443
ServerAlias example.com.au www.example.com example.com
ServerAdmin …
VirtualDocumentRoot /whatever/example.com/www
CustomLog logs/example.log combined env=!dontlog
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/www.example.com.au/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com.au/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.example.com.au/chain.pem
</VirtualHost>
The problem is that although the redirection appears to be working, the certificate doesn’t seem to apply. When I attempt to open the following in my browser (without the www):
https://example.com.au/
I get the following message:
The certificate is only valid for www.example.com.au
Now I thought that the redirect should tell the browser that it’s really going to https://www.example.com.au, but:
the address bar stays the same
the certificate is invalid, presumably because the address bar stays the same
The question is: How do I configure the virtual host to redirect these variations to SSL using the one certificate?
My DNS server is properly set up (all names resolve correctly) and the LetsEncrypt is correct and current. Only the domain has been changed to protect the innocent.
The reason for the warning is: your browser, when trying to reach https://example.com.au/, can't trust that 301 Redirect respond really came from example.com.au, since there is no such hostname in the certificate.
Since you are already using Let's encrypt certs, all you need is to split your :443 VirtualHost into 4 separate vhosts, each with its own cert, and then configure 3 of them with redirection to https://www.example.com.au/ (or, if possible, get a cert that will match all needed hostnames).
Related
I have one SSL certificate from GoDaddy (Standard UCC SSL Certificate for up to 5 sub/domains) and two virtual hosts configuration on Apache2.
I can install SSL certificate one every of them separately and they works fine until I add second one.
When the second HTTPS config is added (...), then I am getting kind of weird redirects from one.abc.com to two.abc or vice versa.
I am using the same certificate files for both configs, because it the same Multisite SSL certificate.
F.ex.:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName www.abc.com
DocumentRoot /var/www/htdocs
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/abc.crt
SSLCertificateKeyFile /etc/apache2/ssl/abc.key
SSLCertificateChainFile /etc/apache2/ssl/abc_bundle.crt
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName subd2.abc.com
DocumentRoot /var/www/test2
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/abc.crt
SSLCertificateKeyFile /etc/apache2/ssl/abc.key
SSLCertificateChainFile /etc/apache2/ssl/abc_bundle.crt
</VirtualHost>
</IfModule>
What I am doing wrong?
This:
Now - I understand that because SSL wraps around the HTTP request,
there's no way to know which host is being requested until a public
key has been sent to the client first. This essentially breaks the
possibility of SSL virtual hosts using a standard SSL certificate.
from
https://serverfault.com/questions/113076/apache-ssl-virtualhosts-on-a-single-ip-using-ucc-san-certificate
Lead me to idea that problem is simple that in case of abc.com server just do not know which HTTPS server (www.abc.com or subd2.abc.com) config to take and simply take the first one. Tests that approved.
From that comes second question / conclusion - do I have configuration for domain abc.com. And it has not, I just have it defined as ServerAlias in www.abc.com config.
When I removed from ServerAlias and created configuration with for abc.com and with redirect, than all stays in their places.
We have two domains (gis4business.co.uk and gis4business.com) that point to the same website hosted using apache. We are using SSL for the entire site and have a wildcard SSL certificate for *.gis4business.co.uk.
The default apache conf file (000-default.conf) has a single virtual host configured to redirect from http to https as follows:
<VirtualHost *:80>
...
Redirect permanent "/" "https://www.gis4business.co.uk/"
</VirtualHost>
Then we have a default SSL config file (default-ssl.conf) that has single a virtual host configured as follows:
<VirtualHost _default_:443>
ServerName gis4business.co.uk
ServerAlias *.gis4business.co.uk www.gis4business.co.uk *gis4business.com www.gis4business.com gis4business.com
...
SSLEngine on
SSLCertificateFile /etc/ssl/certs/certificate.crt
SSLCertificateKeyFile /etc/ssl/private/privatekey.key
SSLCertificateChainFile /etc/ssl/certs/ca_certificate.crt
</VirtualHost>
This configuration is working as expected for the following urls:
http://www.gis4business.co.uk
http://www.gis4business.com
https://www.gis4business.co.uk
However, the url https://www.gis4business.com results in a certificate warning (SSL_ERROR_BAD_CERT_DOMAIN in firefox and ERR_CERT_COMMON_NAME_INVALID in chrome).
Its obviously complaining about the SSL certificate not matching the domain (gis4business.com), so I assume we need an HTTPS redirect from gis4business.com to gis4business.co.uk. We have experimented with various configurations and haven't managed to get a redirect working.
We have tried:
1) Adding another virtual host (*:443) to the top of the 000-default.conf file as follows:
<VirtualHost *:443>
ServerName gis4business.co.uk
ServerAlias *.gis4business.co.uk www.gis4business.co.uk *gis4business.com www.gis4business.com gis4business.com
Redirect permanent "/" "https://www.gis4business.co.uk/"
...
SSLEngine on
SSLCertificateFile /etc/ssl/certs/certificate.crt
SSLCertificateKeyFile /etc/ssl/private/privatekey.key
SSLCertificateChainFile /etc/ssl/certs/ca_certificate.crt
</VirtualHost>
2) Adding another virtual host (default:443) to the top of the default-ssl.conf file as follows:
<VirtualHost _default_:443>
ServerName gis4business.co.uk
ServerAlias *.gis4business.co.uk www.gis4business.co.uk *gis4business.com www.gis4business.com gis4business.com
Redirect permanent "/" "https://www.gis4business.co.uk/"
...
SSLEngine on
SSLCertificateFile /etc/ssl/certs/certificate.crt
SSLCertificateKeyFile /etc/ssl/private/privatekey.key
SSLCertificateChainFile /etc/ssl/certs/ca_certificate.crt
</VirtualHost>
If redirection of https from one domain to another is possible without certificate errors, then what is the correct configuration to make it work?
Let's see how the redirect directive works
The Redirect directive maps an old URL into a new one by asking the client to refetch the resource at the new location.
The first request is processed by apache generating a 30x response to automatically redirect browser to the new URL
browser SERVER SSL cert
https://www.gis4business.com --> redirect *.gis4business.co.uk
302-redirect <--
https://www.gis4business.co.uk/ --> process *.gis4business.co.uk
The first request is served from https://www.gis4business.com using a certificate issued to *.gis4business.co.uk, so it is considered invalid consequently
To fix it you need to use a certificate issued to www.gis4business.com or *.gis4business.com. Define a new virtual host or request a new certificate with both hostnames.
I have recently moved a website from my old web server with 123-reg.co.uk to a new Linode web server hosted with Linode.
I am running Apache with Debian 8.9.
123-reg provided me with an SSL certificate for my website which, of course, was deactivated when I moved the website to the new server. So I set to work manually reactivating the certificate on my new server.
I was able to get the necessary SSL files (CA Bundle, Key and Certificate) from 123-reg and I followed Linode's instructions to setup the SSL certificate on their servers using the following tutorials:
First tutorial and
second tutorial.
Here is the site's config file:
<VirtualHost *:80>
# All of the files here exist on the server
SSLEngine On
SSLCertificateFile /etc/ssl/certs/zetec-it.com.crt
SSLCertificateKeyFile /etc/ssl/private/zetec-it.com.key
SSLCACertificateFile /etc/ssl/certs/ca-certificates.crt
ServerAdmin webmaster#zetec-it.com
ServerName zetec-it.com
ServerAlias www.zetec-it.com
DirectoryIndex index.html index.php
DocumentRoot /var/www/html/zetec-it.com/public_html
LogLevel warn
ErrorLog /var/www/html/zetec-it.com/log/error.log
CustomLog /var/www/html/zetec-it.com/log/access.log combined
</VirtualHost>
The setup seems legit, but when I attempt to access the website via https the browser states that the connection isn't secure.
I'm fairly new to server admin; does anyone have any suggestions or potential solutions?
You need a VirtualHost which is listening on port 443 in order to have working HTTPS. You configured your VirtualHost to listen on Port 80 while having SSLEngine On.
In order to get https working you would only need to change <VirtualHost *:80> to <VirtualHost *:443>.
Once you did that, you would not have a configuration that handles http connections to (there would not be any VirtualHost waiting for connections for ServerName zetec-it.com).
There are generally to ways to go to serve http connections requesting the same hostname:
You redirect them to https using something like this (uses mod_rewrite in order to redirect to the same path):
<VirtualHost *:80>
ServerName zetec-it.com
ServerAlias www.zetec-it.com
RewriteEngine on
RewriteRule ^ https://zetec-it.com%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
You deliver the same content through http as well
<VirtualHost *:80>
# All of the files here exist on the server
ServerAdmin webmaster#zetec-it.com
ServerName zetec-it.com
ServerAlias www.zetec-it.com
DirectoryIndex index.html index.php
DocumentRoot /var/www/html/zetec-it.com/public_html
LogLevel warn
ErrorLog /var/www/html/zetec-it.com/log/error.log
CustomLog /var/www/html/zetec-it.com/log/access.log combined
</VirtualHost>
Either way you need two config files, the https one (which is basically your example from above, remember to replace 80 with 443) and one for http which I gave you 2 examples for.
You can put them into separate files, remember to activate them in this case.
I know there are many similar questions to this, but none of the solutions worked for me.
I recently added SSL to my site with a Let's Encrypt certificate. I am now in the process of forcing all traffic to https, but I have 1 case that I cannot get to work properly.
If the user types in http://www.example.com/page/, it gets redirected to https://www.example.compage. By dropping the final / from the url base, it prevents users from accessing that page directly.
However, http://www.example.com/page, http://example.com/page/, http://example.com/page all work fine. This behavior is the same whether or not the http:// is included.
I am doing the redirect without mod_rewrite per the Apache documentation.
Here is my httpd.conf
<VirtualHost *:80>
ServerName http://example.com/
ServerAlias http://www.example.com
Redirect permanent / https://example.com/
</VirtualHost>
<VirtualHost *:443>
ServerName example.com
ServerAlias www.example.com
SSLEngine on
SSLCertificateFile /path/cert.pem
SSLCertificateKeyFile /path/privkey.pem
</VirtualHost>
The appropriate SSLxx values are set in ssl.conf as well to point to my cert, key, and chain.
Any help is appreciated, as that /page/ is where users would log into my site, so it is critical and often bookmarked.
I found the answer here: https://superuser.com/questions/751562/ssl-redirect-in-virtualhost-causing-url-to-break
Basically, you have to redirect to https://www.example.com\/
Apparently Apache tries to strip the final slash if its not escaped for whatever reason.
My understanding is there is a problem with having multiple certificates on a single IP as SSL is negotiated before HTTP happens, however what we can do is Service Name Indication (SNI) in TLS to get around this. According to the SNI wikipedia page both Apache 2 modules mod_ssl and mod_gnutls support this extension and also numerous web clients.
I have been trying to use mod_gnutls on centos 5. I have two separate certificates for two domains but only 1 IP. Each works independently but when I put both into the config at once only the first will work. Any https connection on domain2 shows domain1's certificate.
My config looks like this:
Listen 443
NameVirtualHost *:443
<VirtualHost *:443>
ServerName www.domain1.com
ServerAlias www.domain1.com
DocumentRoot /var/www/html/domain1
GnuTLSEnable on
GnuTLSCertificateFile /etc/pki/tls/certs/www.domain1.crt
GnuTLSKeyFile /etc/pki/tls/domain1/private.key
</VirtualHost>
<VirtualHost *:443>
DocumentRoot /var/www/html/domain2
ServerName www.domain2.com
ServerAlias www.domain2.com
GnuTLSEnable on
GnuTLSCertificateFile /etc/pki/tls/certs/domain2.crt
GnuTLSKeyFile /etc/pki/tls/domain2/private.key
</VirtualHost>
Any ideas? Really been scratching my head over this.
Many thanks