Reputation: 13
I'm running Apache on a multi-tenant server with vhost sites configured.
So I have a vhost for domain1.com that has an SSL cert defined in the vhost file. Then I have domain2.com that does not have an SSL cert defined. If I visit https://domain2.com, the browser pulls up the website for domain1.com, then of course displays a broken SSL cert warning in the browser.
The way I'm trying to correct this is:
First, in the vhost.conf file for domain2 I've put this:
<VirtualHost ip:443>
    ServerName domain2.com
    DocumentRoot /var/www/domain2/
    SSLEngine on
    # certificate for one of our own domains, not for domain2.com
    SSLCertificateFile /var/certs/cert.crt
    SSLCertificateKeyFile /var/certs/cert.key
    # trailing slash on the target so /path becomes http://www.domain2.com/path
    # rather than http://www.domain2.compath
    Redirect permanent / http://www.domain2.com/
</VirtualHost>
Of course this client doesn't actually own their own SSL certificate, so I'm pointing it to a certificate file for one of our domains. This in some instances gives a certificate warning to the user when they visit https://www.domain2.com or https://domain2.com. (In Chrome I can go to https://domain2.com and get redirected without a warning.)
Of course generating a self-signed cert to use for this purpose also throws a cert warning. If I remove the "SSLEngine On" directive so I don't have to specify a cert at all, it essentially breaks SSL on the entire server and no sites work right.
How can I successfully do this without having to worry about users getting the certificate warning, and simply redirect all their HTTPS requests for domain2.com to HTTP?
Upvotes: 1
Views: 1674
Reputation: 123541
You can't.
The only way to have a proper redirect without certificate warnings is to have a proper certificate for the domain you want to redirect from.
A redirect is done at the HTTP level, that is, inside the TLS tunnel created by the HTTPS connection. Thus the client first needs to create the TLS connection before it can get the redirect. But creating the TLS connection already results in the certificate issue, because the name in the URL and the name in the certificate do not match.
Another way is to move all SSL hosts to one IP address and all other hosts to another IP address. This way the client will not get a certificate warning but will see that there is no HTTPS on this address.
Upvotes: 2
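The two layouts the answer describes, written out as an added Apache configuration example (not the answerer's own config). The addresses 192.0.2.10 and 192.0.2.20 are assumed documentation-range placeholders, and the certificate paths are assumed; pick one of the two alternatives, not both.

```apache
# Alternative A: a certificate that is actually valid for domain2.com.
# The browser verifies the certificate before it can read any redirect,
# so the certificate must cover every name this vhost will be reached by.
# (Assumed paths; the cert must list domain2.com and www.domain2.com.)
<VirtualHost 192.0.2.10:443>
    ServerName domain2.com
    ServerAlias www.domain2.com
    SSLEngine on
    SSLCertificateFile /var/certs/domain2.crt
    SSLCertificateKeyFile /var/certs/domain2.key
    # Trailing slash keeps /path from turning into http://www.domain2.compath
    Redirect permanent / http://www.domain2.com/
</VirtualHost>

# Alternative B: no TLS at all on the address domain2.com resolves to.
# HTTPS hosts share one IP, plain-HTTP hosts use another. Nothing listens on
# 192.0.2.20:443, so https://domain2.com fails with "connection refused"
# instead of a certificate-name mismatch (there is no redirect either).
# DNS for domain2.com must point at 192.0.2.20 (assumed address).
Listen 192.0.2.10:80
Listen 192.0.2.10:443
Listen 192.0.2.20:80

<VirtualHost 192.0.2.10:443>
    ServerName domain1.com
    DocumentRoot /var/www/domain1/
    SSLEngine on
    SSLCertificateFile /var/certs/domain1.crt
    SSLCertificateKeyFile /var/certs/domain1.key
</VirtualHost>

<VirtualHost 192.0.2.10:80>
    ServerName domain1.com
    DocumentRoot /var/www/domain1/
</VirtualHost>

# domain2.com only ever answers on port 80 of its own address.
<VirtualHost 192.0.2.20:80>
    ServerName domain2.com
    ServerAlias www.domain2.com
    DocumentRoot /var/www/domain2/
</VirtualHost>
```

With alternative B the first `<VirtualHost *:443>` block is no longer the default for every HTTPS request, which is what made https://domain2.com land on domain1.com's site in the question.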