Posted to users@httpd.apache.org by Mark London <mr...@psfc.mit.edu> on 2014/04/17 21:12:06 UTC

[users@httpd] HTTPS configuration problem.

Hi - I inherited a web server from another site.   I requested a 
wildcard certificate for that server.   What I failed to realize, was 
that a wildcard certificate only covers *.XXX.COM.  It won't cover plain 
XXX.COM.   And unfortunately, people mainly connect to the site, using 
XXX.COM.  Thus, people who connect to the server using HTTPS://XXX.COM, 
get a warning message, saying that the certificate is not valid.

So I've been trying to find a configuration that redirects 
HTTPS://XXX.COM to HTTPS://WWW.XXX.COM.  Unfortunately, every 
configuration that I've tried, doesn't work.  All of the rewrite and 
redirect rules, are applied after the browser checks the certificate 
against the URL.   Thus, the warning web page always appears.

Is there a configuration to do what I want?  Or will I have to request a 
certificate for XXX.COM?  (And then configure my SSL.CONF to have 2 
virtual hosts, one for WWW.XXX.COM, and one for XXX.COM).   Thanks very 
much. - Mark





Re: [users@httpd] HTTPS configuration problem.

Posted by Mark Brodis <ma...@colorado4x4.net>.
Do the users actually connect to "https://xxx.com" ?  Or do they go just to
"xxx.com" in their browser and then a load-balancer/SSL-accelerator
somewhere along the way bumps them to https?

If something was bumping them to https then it would be easiest to just
change that 'bumping' to go from "http://xxx.com" to "https://www.xxx.com",
which of course any webserver could do (with a default document with a
meta-refresh), but most content-source-switches or
local-traffic-managers/loadbalancers could do right in the config (i.e.
they respond to the GET / with a HTTP 302 go-over-here, etc), i.e. actually
function as a limited in-line web-server.

Good luck...


On Thu, Apr 17, 2014 at 1:46 PM, Yehuda Katz <ye...@ymkatz.net> wrote:

> On Thu, Apr 17, 2014 at 3:12 PM, Mark London <mr...@psfc.mit.edu> wrote:
>
>> So I've been trying to find a configuration that redirects
>> HTTPS://XXX.COM to HTTPS://WWW.XXX.COM.  Unfortunately, every
>> configuration that I've tried, doesn't work.  All of the rewrite and
>> redirect rules, are applied after the browser checks the certificate
>> against the URL.   Thus, the warning web page always appears.
>>
>
> This is the expected behavior and other than issuing a new certificate and
> using another vhost (with SNI - generally not compatible with Windows XP
> and some other devices) or reissuing the same certificate with an
> additional name, there is no way around this.
>
> - Y
>

Re: [users@httpd] HTTPS configuration problem.

Posted by Mark London <mr...@psfc.mit.edu>.
On 4/17/2014 3:46 PM, Yehuda Katz wrote:
> On Thu, Apr 17, 2014 at 3:12 PM, Mark London <mr...@psfc.mit.edu> wrote:
>
>     So I've been trying to find a configuration that redirects HTTPS://XXX.COM to HTTPS://WWW.XXX.COM.  Unfortunately,
>     every configuration that I've tried, doesn't work.  All of the rewrite and redirect rules, are applied after the
>     browser checks the certificate against the URL.   Thus, the warning web page always appears.
>
>
> This is the expected behavior and other than issuing a new certificate and using another vhost (with SNI - generally 
> not compatible with Windows XP and some other devices) or reissuing the same certificate with an additional name, 
> there is no way around this.

Thanks, that confirms what I thought. - Mark


Re: [users@httpd] HTTPS configuration problem.

Posted by Yehuda Katz <ye...@ymkatz.net>.
On Thu, Apr 17, 2014 at 3:12 PM, Mark London <mr...@psfc.mit.edu> wrote:

> So I've been trying to find a configuration that redirects HTTPS://XXX.COM to
> HTTPS://WWW.XXX.COM.  Unfortunately, every configuration that I've tried,
> doesn't work.  All of the rewrite and redirect rules, are applied after the
> browser checks the certificate against the URL.   Thus, the warning web
> page always appears.
>

This is the expected behavior and other than issuing a new certificate and
using another vhost (with SNI - generally not compatible with Windows XP
and some other devices) or reissuing the same certificate with an
additional name, there is no way around this.

- Y
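
Added example, not part of the original thread: a small pre-deployment check of the name-matching rule discussed above, showing why a wildcard name covers neither the bare domain nor deeper subdomains, and that reissuing with an additional name fixes the bare domain. The names under example.com and the helper functions are constructed for illustration.

```python
# Added example: does a certificate's DNS name list cover the hostnames clients use?
# Matching follows the common browser rule: a wildcard is the whole left-most
# label and stands for exactly one label. All names are constructed placeholders.

def name_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate DNS name (possibly a wildcard) covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # One wildcard replaces exactly one label, so the label counts must agree.
    # This is why *.example.com covers neither example.com nor a.b.example.com.
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Conservative choice in this example: refuse wildcards such as "*.com".
        if len(p_labels) < 3 or h_labels[0] == "":
            return False
        return p_labels[1:] == h_labels[1:]
    # Partial wildcards ("w*.example.com") are treated as non-matching.
    return "*" not in pattern and p_labels == h_labels


def uncovered(cert_names, served_hostnames):
    """Hostnames that no name in the certificate covers (clients get a warning)."""
    return [h for h in served_hostnames
            if not any(name_matches(n, h) for n in cert_names)]


# Constructed inputs: the wildcard-only certificate from the question, and the
# same certificate reissued with the bare domain as an additional name.
WILDCARD_ONLY = ["*.example.com"]
REISSUED = ["*.example.com", "example.com"]
SERVED = ["www.example.com", "example.com", "a.b.example.com"]

if __name__ == "__main__":
    print("wildcard only:", uncovered(WILDCARD_ONLY, SERVED))
    print("reissued     :", uncovered(REISSUED, SERVED))
```

Because the browser performs this check during the TLS handshake, before any HTTP request is sent, no rewrite or redirect rule on the server can run first.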