
I have Apache running under AWS Elastic Beanstalk. I have several different domains and I want all of them to end up at one specific domain name, over HTTPS.

The redirection from the other domains, e.g. https://domain1.com to https://maindomain.com, returns an SSL certificate error.

In Apache, I have two virtual host configs, one for *:80 and one for *:443. Both are set up for maindomain.com. They were created with certbot.

What is the best practice to get this working for all the other domains? I guess I need to set up a VirtualHost per domain, but how should it be configured so that the redirections work?

Obviously, the following sample doesn't work, as it returns an SSL error:

<IfModule mod_ssl.c>
<VirtualHost domain1.com:443>
        ServerName domain1.com
        RedirectPermanent / https://maindomain.com/
</VirtualHost>
</IfModule>

Here is the default VirtualHost *:80 config:

<VirtualHost *:80>
        #ServerName maindomain.com
        DocumentRoot /var/www/html
        <Directory /var/www/html>
                Options -Indexes +FollowSymLinks +MultiViews
                AllowOverride All
                Require all granted
        </Directory>
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =maindomain.com
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Here is the default VirtualHost *:443 config:

<IfModule mod_ssl.c>
<VirtualHost *:443>
        #ServerName maindomain.com
        DocumentRoot /var/www/html
        <Directory /var/www/html>
                Options -Indexes +FollowSymLinks +MultiViews
                AllowOverride All
                Require all granted
        </Directory>
        ServerName maindomain.com

        SSLCertificateFile /etc/letsencrypt/live/maindomain.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/maindomain.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Your help will be very much appreciated. D

poypoy

1 Answer


Either you get a certificate with multiple names in it to cover all domains, or, looking at the domain scheme you mention, you will get a certificate error at some point.

Browsers theoretically look at the SAN/CN to match the names found there against the DNS name they are using to connect; if there is no match, you get a certificate error.

If the other domains you were using were subdomains, you could at least have either a multiple-name cert or a wildcard.

For example, for domains like whatever.example.com you could use a wildcard like *.example.com, even including a SAN for example.com.

Also note that if you have one virtualhost with "example.com", requests for other names reaching your server will be dealt with by that same virtualhost, so you either have a certificate with multiple names that matches all cases, or you will have to create a scheme in which you cover them all through different virtualhosts and certificates. It all depends on what you really want to cover.

Daniel Ferradal
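As an added illustration of the answer's two points (the default virtualhost catches names no other virtualhost claims, and the browser then checks the served certificate's SAN/CN against the name it connected to), here is a small Python model of that decision, not code from the question or the answer. The vhost lists and SAN names are constructed from the domains on this page, and the matching follows the usual rule that a wildcard covers exactly one left-most label.

```python
# Added example: models Apache's SNI vhost selection and the browser's
# SAN/CN check. Vhost data below is constructed from the page's domains.

def name_matches(pattern, host):
    """Exact match, or '*' standing for exactly one left-most label
    (so *.example.com covers whatever.example.com, but not example.com
    or a.b.example.com)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def cert_covers(host, san_names):
    """True if any SAN entry of the served certificate covers the host."""
    return any(name_matches(name, host) for name in san_names)

def select_vhost(vhosts, sni_host):
    """Apache uses the vhost whose ServerName equals the SNI name; when
    none matches, the first vhost defined on that port is the default."""
    for vh in vhosts:
        if vh["server_name"].lower() == sni_host.lower():
            return vh
    return vhosts[0]

def tls_outcome(vhosts, sni_host):
    """(ServerName that answers, whether its cert is valid for sni_host)."""
    vh = select_vhost(vhosts, sni_host)
    return vh["server_name"], cert_covers(sni_host, vh["san"])

# Constructed scenario from the question: one :443 vhost, cert for maindomain.com only.
ORIGINAL = [{"server_name": "maindomain.com", "san": ["maindomain.com"]}]
# Constructed fix A: one cert carrying every redirected name as a SAN.
MULTI_SAN = [{"server_name": "maindomain.com", "san": ["maindomain.com", "domain1.com"]}]
# Constructed fix B: a separate :443 vhost and certificate per redirected domain.
PER_DOMAIN = ORIGINAL + [{"server_name": "domain1.com", "san": ["domain1.com"]}]

if __name__ == "__main__":
    for label, vhosts in (("original", ORIGINAL), ("multi-SAN", MULTI_SAN), ("per-domain", PER_DOMAIN)):
        served_by, valid = tls_outcome(vhosts, "domain1.com")
        print(f"{label:10s} https://domain1.com -> served by {served_by}, cert valid: {valid}")
```

The redirect itself only happens after the TLS handshake succeeds, which is why the `RedirectPermanent` in the question's domain1.com vhost never gets a chance to run when the certificate check fails.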