
I want to redirect HTTPS connections to my domain towards a unique subdomain using an Apache2 reverse proxy. I want all the connections that come to a.example.com to be redirected towards $random$.b.example.com. To generate the random value I have a script running on port 3000; all requests for a.example.com are proxied to my script, which sends back a reply to the client with the 302 redirect code and the new domain $random$.b.example.com, and then all connections towards $random$.b.example.com are supposed to be served normally.

I have keys and certificates for a.example.com and $random$.b.example.com (wildcard certificate *.b.example.com). However, when my client receives the redirect it throws "invalid peer certificate: CertNotValidForName" and does not move on to query $random$.b.example.com. What am I doing wrong?

My virtual hosts look like this:

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName a.example.com

        # Everything for a.example.com goes to the redirect script on port 3000
        SSLProxyEngine on
        ProxyPass / http://localhost:3000/
        ProxyPassReverse / http://localhost:3000/

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log vhost_combined
        SSLEngine on
        SSLCertificateFile      /etc/apache2/ssl/wildcard_domain.pem
        SSLCertificateKeyFile /etc/apache2/ssl/wildcard_domain.key
    </VirtualHost>

    <VirtualHost *:443>
        ServerAdmin webmaster@localhost
        ServerName b.example.com
        ServerAlias *.b.example.com
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log vhost_combined
        SSLEngine on

        SSLCertificateFile      /etc/apache2/ssl/wildcard_domain.pem
        SSLCertificateKeyFile /etc/apache2/ssl/wildcard_domain.key

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>

        Alias /data /path/to/data
        <Directory /path/to/data>
            Options Indexes FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>
    </VirtualHost>
</IfModule>
Mnemosyne

1 Answer


The error you get means that the subject alternative names in the certificate do not match the hostname from the URL you visit.

According to your config, you seem to use the same certificate both for a.example.com and *.b.example.com. You get this error then because the certificate is not valid for both domains, i.e. you either get the certificate error before the redirect (when visiting a.example.com) or after (when visiting whatever.b.example.com).

The fix is to either use a certificate which covers both names or use two different certificates in your configuration, one for a.example.com and another which covers b.example.com and *.b.example.com. Note that a certificate for *.example.com will cover only a.example.com and b.example.com but not *.b.example.com.

Steffen Ullrich
  • I have two different certificates: one for a.example.com and another one for *.b.example.com, but how do I combine the two given the configuration above? – Mnemosyne Jan 04 '23 at 09:08
  • @Mnemosyne: if you have two different certificates, then set SSLCertificateFile and SSLCertificateKeyFile to the certificate matching the specific VirtualHost instead of using the same certificate for both VirtualHosts. – Steffen Ullrich Jan 04 '23 at 09:11
  • Hello, I changed the certificates in the first VH to match the original domain and I don't get this error anymore. Thank you! My new issue is that the path to get the data is now the new $random$.b.example.com/data instead of a.example.com/data (same IP as a.example.com), but the data is no longer accessible under the new domain. Do you have any idea how to fix this in the Directory directive? Thank you again for any suggestions. – Mnemosyne Jan 04 '23 at 13:56
  • @Mnemosyne: *"My new issue ..."* - please open a new question for this with all necessary details. From this short comment alone I'm not able to understand the problem. – Steffen Ullrich Jan 04 '23 at 15:04