
I have a virtualhost directive that serves up a custom 404 error if invalid subdomain is entered:

# the first virtual host (Apache does not accept trailing comments on a directive line)
<VirtualHost *:80>
  ServerName site_not_found
  RedirectMatch 404 ^/(?!custom_error)
</VirtualHost>

<VirtualHost *:80>
  ServerName example.com
  ServerAlias ??.example.com
</VirtualHost>

I want to set up a virtualhost to show the same custom error via a HTTPS connection. I have tried the following:

# the first virtual host
<VirtualHost *:443>
  ServerName site_not_found
  RedirectMatch 404 ^/(?!custom_error)
</VirtualHost>

<VirtualHost *:443>
  ServerName example.com
  ServerAlias ??.example.com
# SSL options, other options, and stuff defined here.
</VirtualHost>

But the server would not start and an error is emitted:

Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)

It seems that an SSL certificate is required even if the SSLEngine is not turned on for this virtual host. Is there a way to get around the problem besides providing a cert? Turning off the module is not an option since I need SSL for the virtual server example.com.

Question Overflow
  • See: [Can Https work without a certificate?](http://serverfault.com/q/343442/47187) – Bruno Sep 29 '12 at 12:58
  • I know this is an old question, but now that it's 2015 there is a service called [Let's Encrypt](https://letsencrypt.org/) that makes the process of installing a valid, publicly trusted SSL certificate for small installations like this incredibly easy, and best of all, free. – Mark Henderson Dec 08 '15 at 14:49
  • In my humble opinion this is really silly behaviour by Apache. This is a "default" https port rather than a requirement to have https configured on the port. I can set up/not set up https on any port I choose. – Pancho May 06 '18 at 12:50

4 Answers

It seems that an SSL certificate is required even if the SSLEngine is not turned on for this virtual host. Is there a way to get around the problem besides providing a cert?

No. When your browser has https in the URL, it expects to talk SSL. If it doesn't, it'll fail. Apache is being nice by telling you this; otherwise you'd have some obscure browser errors to comprehend. Therefore, you'll need to configure SSL in Apache before you can use port 443.

If you don't want browser warnings about it being a bad SSL certificate, you'll need to buy one from a Certificate Authority. You can get a free one from https://cert.startcom.org/, which is becoming accepted in more and more places but probably doesn't have the same level of recognition as paid ones (especially on older machines). I use this for my development sites and have yet to see a warning about them being untrusted, but then again I only use relatively new OSs/browsers.

Jay
  • The server failed to start. It has nothing to do with the browser. – Question Overflow Sep 29 '12 at 10:08
  • I made my answer clearer: you need to set up SSL certs to use the SSL port. – Jay Sep 29 '12 at 10:09
  • Ok, I get what you mean -- there is no way to avoid not having a cert. Thanks for the freebie :) – Question Overflow Sep 29 '12 at 10:27
  • I don't agree that Apache is doing anyone any favours with this "rule". It should be the server administrator's prerogative to configure a server as desired, selecting whatever ports desired to communicate via the chosen protocols. – Pancho May 06 '18 at 12:58
  • @Pancho It does, but you cannot have name-based virtual hosts with and without SSL on the same port, as the SSL handshake is the first thing that happens after the connection has been established. It is indeed possible to have a non-SSL webserver listening on port 443, as long as the SSLEngine is disabled for every virtual host on that port. However, it will result in an error if any browser tries to connect there with SSL. You would need to access it like `http://domain:443/`. – Bachsau Mar 10 '20 at 21:56

Yes, there is a way:

Configure your Apache's Listen Directive (on Ubuntu /etc/apache2/ports.conf)

There will be something in it like: Listen *:443

You can enforce HTTP on it by adding the Protocol to that:

Listen *:443 http

That way Apache2 is able to listen on port 443 as a simple HTTP server.

Found here: https://httpd.apache.org/docs/2.4/bind.html

mmeier
  • I use a ServerName www.a.b.c => RewriteRule (.*) https://a.b.c . Then I have another full ServerName a.b.c ..... which enables SSLEngine, has the cert etc etc. This approach allows me to purchase a single cert for domain a.b.c and not to care whether people come in on https://a.b.c or https://www.a.b.c. The Apache implementation breaks this and sadly although yours is a great approach I don't think it helps me – Pancho May 06 '18 at 15:54

I found a simple redirect solution that works a treat, added inside your site's vhost after your <VirtualHost xxx.xxx.xxx.xxx:80> entry...

<VirtualHost xxx.xxx.xxx.xxx:443>
    #ServerName www.HttpSiteDomainName.com
    #ServerAlias HttpSiteDomainName.com
    #DocumentRoot /WhereeverSiteIsOnServer
    Redirect 301 / http://www.HttpSiteDomainName.com/
</VirtualHost>
  1. xxx.xxx.xxx.xxx is your site's server IP
  2. Replace 'HttpSiteDomainName.com' with the site domain name and extension
  3. Don't forget to test and restart Apache on your server
  4. I added the #comments for reference, but you can uncomment them and it should still work

Now when you go to the https version of the site, it will redirect to http.

ProDev

Ignoring the Apache error due to not having any SSL certs, what you're attempting to do is not possible unless you create or buy a wildcard certificate to cover the "invalid" subdomains.

If all your clients are internal you could create a mini signing authority and install the CA cert on all of your boxes.

If your clients are external then you will have to buy a wildcard certificate, which costs around 600 USD.

Alastair McCormack
  • `wildcard certificate which costs around 600 USD`. No they don't. – Jay Sep 29 '12 at 11:00
  • @jay - ok, I should have been clearer. They *can* cost 600 USD depending on your requirements for a wildcard cert. I buy mine from Digicert as I require unlimited CSR signing for multiple private keys and unlimited SANs. – Alastair McCormack Sep 30 '12 at 12:16
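As an added example (not code from any of the answers above), here is the configuration that Jay's answer and Alastair's answer together point to: a catch-all first vhost on port 443 that carries a self-signed placeholder certificate and returns the custom 404, followed by the real example.com vhost with its own (wildcard) certificate. All file paths, the placeholder certificate, the DocumentRoot and ErrorDocument lines are assumptions chosen for illustration.

```apache
# Throwaway self-signed cert for the catch-all vhost only (paths assumed).
# Use a key that is NOT the key of your real certificate:
#   openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
#     -subj /CN=site_not_found \
#     -keyout /etc/ssl/private/placeholder.key \
#     -out /etc/ssl/certs/placeholder.crt

# The first *:443 vhost is the default for every hostname no other vhost
# claims, so it catches invalid subdomains. It still needs SSLEngine on
# and a certificate: Apache only learns which ServerName was requested
# from the SNI name / Host header, i.e. after the TLS handshake has
# already started, so every vhost on this port must be able to handshake.
<VirtualHost *:443>
    ServerName site_not_found
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/placeholder.crt
    SSLCertificateKeyFile /etc/ssl/private/placeholder.key

    # Assumed location of the custom error page.
    DocumentRoot /var/www/site_not_found
    ErrorDocument 404 /custom_error/index.html
    # Everything except the error page itself becomes a 404, as in the
    # question's port-80 vhost. The internal subrequest for
    # /custom_error/index.html is excluded by the negative lookahead.
    RedirectMatch 404 ^/(?!custom_error)
</VirtualHost>

# The real site. Browsers only stay silent for names this certificate
# covers; a wildcard (*.example.com) cert is what covers ??.example.com.
# Names outside example.com land on the placeholder vhost above and will
# get a certificate warning before they ever see the custom 404 page.
<VirtualHost *:443>
    ServerName example.com
    ServerAlias ??.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key
    DocumentRoot /var/www/example.com
</VirtualHost>
```

Run `apachectl configtest` after adding this; the "Server should be SSL-aware but has no certificate configured" error from the question disappears once every *:443 vhost has a certificate.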