Advice on a catch all for https incoming but no cert installed

Question

I am trying to think of an elegant way to handle an SSL / HTTPS issue we are having. I have read THIS QUESTION but it raises a slightly larger question in my case.

Say I have these domains installed on my server, each having it's own vhost configuration:

foo.com
bar.com

I have SSLs installed for both foo and for bar. But the customer who owns foo also has a domain widget.com that they want forwarded to foo.com. The only issue is widget.com has no SSL installed. Now normally in a small environment the answer would be to install a certificate for widget -- It's only a few dollars and 10 mins of work .. But when you have 4000+ domains, and at least twice that in "forwarded" domains .. It gets unruly in a hurry.

I am wondering, would self signed certificates for all of these forwarded domains at least get me past the SSL Mismatch screen if someone manually puts the https in front of widget.com ? If self signed doesn't work, what is an elegant solution to get https://widget.com to at least not get the SSL Mismatch error? Is it even possible?

Answer 1

Using self signed certificates is a bad idea. Most people will not, and should not, click through the messages about a bad certificate. Browsers continually make it harder for people to do so.

You could buy certificates for each domain. Or a SAN certificate that has all the domains listed in it.

Or you could just use Let's Encrypt and get free, trusted certificates that update themselves automatically. That's the way I would go. If you are actually talking about 4000 domains, you'd want to take a look at the API rate limiting for letsencrypt and make sure you aren't going to exceed that, but their limits are pretty generous I think.

Alternatively don't host all the redirected domains yourself. I think Cloudflare can do that for you, including SSL certificates, either really cheaply or possibly for free. There are probably similar services to do the same.