user1578872

Reputation: 9018

https certificate issue with subdomain

I have my application running on EC2 behind the load balancer. I have got an https certificate for www.example.com and *.example.com.

Application is running on http but https has been set up in the load balancer.

I have added sub-domain support in my application based on the company.

Like, https://XYZ.example.com for company XYZ.

If I access using https://XYZ.example.com, it's working fine.

If I access using https://www.XYZ.example.com, the browser warns like,

"The owner of www.arun.contactcentral.io has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website."

But, if I access https://www.example.com, it works fine.

Though I have got a certificate for *.example.com, it doesn't work even when I access www.XYZ.example.com.

I have a filter to handle http to https redirection, but still it is not filtering WWW from the URL.

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class HttpsFilter implements Filter {

    private static final String HTTP = "http";

    private static final String HTTPS = "https";

    // Set by the load balancer to the scheme the client used to reach it;
    // the instance itself only ever sees plain http.
    private static final String X_FORWARDED_PROTO = "X-Forwarded-Proto";

    @Override
    public void init(final FilterConfig filterConfig) throws ServletException {
        // nothing to configure
    }

    @Override
    public void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain chain)
            throws IOException, ServletException {

        HttpServletRequest request = (HttpServletRequest) req;

        HttpServletResponse httpResponse = (HttpServletResponse) res;

        String xfp = request.getHeader(X_FORWARDED_PROTO);

        if (HTTPS.equalsIgnoreCase(xfp)) {
            // Client already came in over TLS at the load balancer.
            //httpResponse.setHeader("Strict-Transport-Security", "max-age=60");

            chain.doFilter(req, res);
            return;
        }
        else if (HTTP.equalsIgnoreCase(xfp)) {
            // Client used plain http: redirect to the same URL over https,
            // keeping the full request URI and any query string.
            StringBuilder serverUrl = new StringBuilder(HTTPS).append("://")
                    .append(request.getServerName()).append(request.getRequestURI());
            if (request.getQueryString() != null) {
                serverUrl.append('?').append(request.getQueryString());
            }

            httpResponse.sendRedirect(serverUrl.toString());
            return;
        }

        // No X-Forwarded-Proto header (request did not come through the load
        // balancer): pass it on rather than leaving the response empty.
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }

}

Thanks, Baskar.S

Upvotes: 0

Views: 495

Answers (1)

Karen B

Reputation: 2763

Wildcard SSL certificates will match only ONE level of subdomains (except in very rare and not well supported cases). The wildcard asterisk will not match . (dot).

So, a certificate for *.example.com WILL match

  • www.example.com
  • xyz.example.com
  • some-really-long-name.example.com

but it will NOT match

  • example.com
  • www.xyz.example.com
  • abc.def.ghi.example.com

If you want to match www.xyz.example.com and xyz.example.com, you will need two different certificates.

https://en.wikipedia.org/wiki/Wildcard_certificate#Limitation

Upvotes: 2
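The matching rule Karen B describes, as an added example (not code from the question or the answer): it applies the single-label wildcard rule to the certificate names given in the question and shows why the servlet filter in the question can never run for www.xyz.example.com, since the browser aborts the TLS handshake on the name mismatch before it sends any HTTP request. The SANS list is a constructed sample modelled on the certificate in the question.

```python
# Added example (not from the question or answer): RFC 6125-style hostname
# matching against a certificate's Subject Alternative Names, showing why
# *.example.com covers xyz.example.com but not www.xyz.example.com.
# SANS is a constructed list modelled on the certificate in the question.
SANS = ["www.example.com", "*.example.com"]


def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if one dNSName SAN entry covers hostname.

    Rules applied (RFC 6125 section 6.4.3, as browsers implement them):
      * comparison is case-insensitive,
      * a wildcard is honoured only as the complete left-most label,
      * it matches exactly one label and never a dot,
      * it needs at least two labels after it (no "*.com").
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # "*" consumes exactly one label, so the label counts must be equal; this
    # is the check that rejects www.xyz.example.com against *.example.com.
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return h_labels[1:] == p_labels[1:]


def cert_covers(sans, hostname: str):
    """Return the SAN entry that covers hostname, or None if the TLS
    handshake would fail with a name mismatch before any HTTP request
    (and thus any servlet filter) is ever reached."""
    for san in sans:
        if san_matches(san, hostname):
            return san
    return None


if __name__ == "__main__":
    for host in ["www.example.com", "xyz.example.com", "example.com",
                 "www.xyz.example.com", "abc.def.ghi.example.com"]:
        print(f"{host:26} -> {cert_covers(SANS, host)}")
```

Only the first two hostnames resolve to a SAN entry; the other three are exactly the names the answer lists as uncovered.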
