I can't use my SSL certificate on subdomains because it is for the top level domain www.tld.com only. When I force it on a subdomain e.g. dev.tld.com I get a warning.
What I want to achieve is a development subdomain on the same shared hosting webspace where I can test under real conditions, especially concerning payment systems where an SSL connection is mostly mandatory.
My question is: Do I have to get an extra certificate or is it possible to just click the warning away and make use of https? Am I obliged to buy a certificate in order to use SSL technically? At least it seems to work once I've told my browser to trust the subdomain ...
The warning is telling you that the domain name listed in the certificate does not match the domain name you browsed to. You will still have an SSL connection. Since you are the one that configured the environment, you can ignore the warning.
Having said that, a wildcard SSL certificate is not much more expensive than one for a single domain (shop around!). I would suggest your next SSL certificate be for a wildcard domain (*.tld.com). That will avoid the issue of the warning entirely.
Related
Introduction
The problem is, in short, this. I've been using 'Virtualmin' for a while now, mainly becuse it works better (in my opinion & for my purposes) than VestaCP, Ajenti, Direct Admin (Evolution), CPanel, Sentora, and most of the 'ISP' series.
In doing this, I could already do just about everything via CLI / FTP, this was just a more coherent option for everyone to work together, and to where others could solve their own problems. Getting used to Virtualmin / Webmin didn't take long, but I've run into a problem that is, for lack of a better word, puzzling.
I run SSL certificates on all of my sites via a combination of 'Let's Encrypt' and sometimes Cloudflare, since I use it to manage DNS and mitigate DDOS attacks (when necessary to turn it on) anyway. In addition, I limit the TLS versions, set my own cipher via the global directives, and enabled HSTS.
Now however, I have a piece of software that, for some reason, can't connect to its REST API if the site is under a SSL layer and / or Proxy. So, I tried to disable the SSL certificate enforcement to temporarily rectify the problem. However, after removing it, I realized that with HSTS enabled, I could no longer travel to the normal 'HTTP' version of the site. I removed the HSTS line in the directives, but it's still persisting.
I'm also getting security warning because of a certificate mismatch happening with Virtualmin. For some reason, SSL certificates on other domains are applying to the current one. I've checked each individual site's .conf file, as well as each one's directives (and SSL Directives), as we as looking for anything that would do it in the global directives. The situation looks kind of like this.
Domains & Tiers
Example.com (Domain One)
--Analytics.Example.com (Sub-domain under the above One)
ExampleTwo.com (Different Domain, 'Domain Two')
--App.ExampleTwo.com (Sub-domain under above 'Two')
Essentially, the SSL certificate from Analytics is being pushed onto the App subdomain (That's under a different domain), in addition to App's own SSL certificate. When I shut off the SSL certificate for Analytics, and the one for App, the top layer's (Example.com) SSL certificate is then forced onto the 'App' sub-domain. I would've thought that this would've had to manifest in either the site directives, their SSL directives, or the SSL.Conf in the global directives, but there's nothing there. I have yet to find a fix for this.
I have a somedomain.com on CloudFlare with free SSL. And I have subdomains: eg. pl.somedomain.com.
SSL works on:
https://somedomain.com
https://www.somedomain.com
https://en.somedomain.com
https://pl.somedomain.com
but not works on:
https://www.pl.somedomain.com
https://www.fr.somedomain.com
So I am looking for some solution these subdomains work.
http://www.fr.somedomain.com redirects to https://www.fr.somedomain.com
and I have error.
Is any solution using .htaccess or Page Rules to do this?
This is a limitation of SSL in general. No browsers support multi-level wildcard certificates and no trusted CA will issue them (in SSL world www. is also counted as sub-domain). The free universal SSL certificate provided by Cloudflare supports the root and wildcard domain on a shared certificate. For more levels, dedicated certificates or custom host names a different certificate is needed.
If you are looking to secure multiple wildcard domains, but want to keep them all under one certificate, than you should go for the Multi-Domain Wildcard SSL certificates.
Multi-Domain Wildcard Certificates can secure both fully-qualified domain names and wildcard domains within their SAN entries. The coverage for a Multi-Domain wildcard certificate would look like this:
Common Name: domain.com
SAN 1: *.website.org
SAN 2: www.example.net
SAN 3: *.mail.site.com
SAN 4: address.edu
I am not sure if you can apply page rules to 2 level deep domain names, but give the following a try (based on tutorial from CloudFlare):
Redirect from pattern:
https://www.*.somedomain.com/*
to:
https://$1.somedomain.com/$2
On the CloudFlare website, they mentioned redirecting by using the redirect option in their control panel.
1. Go to Control panel and select page rules.
2. On page rule section add new URL and make sure to select forwarding option enabled.
3. Enter the destination URL and select the forwarding type.
For example,
Example forwarding to Google+:
Imagine you have a Google+ profile and you want to make it easy for anyone coming to get to simply by going to a URL like:
*www.example.com/+
*example.com/+
Give that a try, and if you are still getting this issue afterward, I advise checking this list of other SSL providers that is free.
I have one website will be accessed by multiple different domains and will have separate SSL certificates for each.
Is it possible?
IF no then Is there any work around to install multiple certificates for single web site?
Instead of having separate SSL certificate for each domain you can go for Multi domain certificate using Subject Alternative Names (SAN). It will be single certificate with multiple domains. Following image shows SAN certificate.
Image Courtesy : DigiCert
SSL Certificate can only be issued to a FQDN (fully qualified domain name).
You better have elaborated your question with examples. By the way, let me guess and try to answer. As you said “You have one website – will be accessed by multiple different domains” - if I'm not wrong your are talking about one website which may be www.domain.com and multiple domains may be sub-domains like, blog.domain.com, photos.domain.com or anything.domain.com. If I have hit bulls eye, you don't need to get different SSL Certificates because all this domain can be secured with single Wildcard SSL Certificate. Wildcard SSL works on asterisk, so it will issued on *.domain.com and anything in place of asterisk will be covered.
But make a note, Wildcard SSL can work only on single level so something like blog.photos.domain.com will not be secured if you have got certificate for *.domain.com
Different Scenario: If you have something like this, domain.com, domain.co.uk, domain.com.eu etc. and it can be secured with different certificates. It may be costly deal if you have 20-30 or more domains, ideally you can get one multi-domain certificate to secure all these. Visit this article which will help you understand difference between Wildcard SSL and SAN functionality more deeply.
I am currently running nginx and have an ssl certification that is only on my domain and no sub domains. I do however have some sub-domains I like to use on the non-ssl so I want to keep my wildcard subdomains.
I was wondering if there was a way to make all ssl subdomains die and not resolve to anything. I would make them redirect but because of my ssl certification, the scary error message pops up before the server redirect them. I would rather have the page come up as nothing.
THanks
Because of how SSL works, you will always have a "scary error message" if someone comes to https://sub.domain.com/ and your SSL certificate doesn't list sub.domain.com as one of its canonical names.
The only ways around this are:
old good "Dedicated IP+Dedicated certificate" for every subdomain you host in SSL
Wildcard certificate
Web server with SNI support in SSL and per subdomain certificates
A certificate with SAN propogated with all your subdomains
Which one to choose depends on your budget and how many browser/OS combinations you have to support.
I hope it answers your question, feel free to clarify it if not.
A co-worker told me that when you visit a website over SSL the certificate no longer guarantees that you're actually dealing with the intended recipient. This is due to something called "multi-domain SSL certificates". A quick google search seems to show these exist - but I was always under the impression SSL provided encryption and authentication. Is this no longer the case? Surely this is a step in the wrong direction?
There are wildcard certificates, which allow all hosts in one domain to be covered by the same cert. They're more expensive to get issued (since the CAs wouldn't make as much money as if you'd ordered multiple separate single-domain certs), but when you need to cover multiple hostnames in your domain with ssl, it can be quite a savings.
A properly issued cert will cover at LEAST one host name, like www.example.com. And with wildcarding, can cover *.example.com.
SSL by itself guarantees nothing in the way of identification - simply that the link is encrypted. Any certificate will do that for you - even self-signed ones. What you get with the "commercial" certs is a (theoretically) trustworthy third party saying "we've verified that the person who this www.example.com certificate was issused to really is www.example.com"
In addition to given answer, i would like to add few points about SAN (multidomain SSL). First of all, wildcard is not a multi-domain ssl, it only protects unlimited sub-domains as already explained by Marc.
To protect multiple domains like:
domain.net
domain.com
mail.domain.com
newdomain.com
you will require SAN certificates that start from just $60.
you can configure multi domain with SSL on both UBUNTU and REDHAT by following the document Multi domian with ssl