I have a Jenkins install at ci.example.com, and a static site at example.com. The Jenkins install is configured to use HTTPS exclusively. I'm a cheapskate, so I only have a certificate for the ci.example.com domain. My Apache config looks like this:

<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/html
    ErrorDocument 404 /404.html
</VirtualHost>

<VirtualHost *:80>
    ServerName ci.example.com
    # Trailing slash needed: Redirect appends the rest of the request path,
    # so without it /foo would become https://ci.example.comfoo
    Redirect permanent / https://ci.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName https://ci.example.com
    ServerAlias ci
    SSLEngine on
    SSLCertificateKeyFile /etc/apache2/ssl/ci.example.com.key
    SSLCertificateFile /etc/apache2/ssl/ci.example.com.crt
    SSLCertificateChainFile /etc/apache2/ssl/ci.example.com.ca-bundle

    # Some proxy magic to make Jenkins work
</VirtualHost>

(actually, this is an Ubuntu machine, so I just pulled the relevant site config files and concatenated them; there's lots of other mostly-irrelevant config stuff in other files)

When I navigate to https://example.com, I get a certificate error, because Apache is choosing the only available vhost on port 443. Is it possible to give the user a less-scary-looking connection refused error?

This answer says I can't just redirect from HTTPS to HTTP without a cert, which makes sense since you need to establish an SSL connection (with a cert) before you can send a 3xx. But I don't want to send a 3xx (or a 4xx, for that matter). I just want to refuse the connection entirely. Is there any way to do that?

Kevin

2 Answers

With your current setup:

No, you can't just refuse the connection... that is, without also refusing connections to the ci.example.com vHost.

Bite the bullet and get a cert for the additional hostnames, or get a wildcard cert, or use Cloudflare, etc., or accept the browser warnings when people try to use HTTPS for a vhost for which you have no cert.

Alternatively:

Host ci.example.com on a different IP address than example.com.
On the IP used for example.com, don't listen on 443.
This will result in the refused connection that you seek.

(it may not, however, be consistent with your stated cheapskate status)

Joe Sniderman

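The two-address layout from the answer above, written out as an added example (not the answerer's or the asker's configuration). It assumes constructed addresses 203.0.113.10 for example.com and 203.0.113.20 for ci.example.com, with DNS for each name pointing at its own address.

```apache
# Added example: bind the HTTPS listener to the ci.example.com address only,
# so the example.com address has nothing listening on 443 at all.
# Addresses are constructed for illustration:
#   203.0.113.10 -> example.com      (HTTP only)
#   203.0.113.20 -> ci.example.com   (HTTP redirect + HTTPS)

# On Ubuntu the Listen directives normally live in /etc/apache2/ports.conf.
# Replace the bare "Listen 443" (which binds every address) with a per-IP form.
Listen 80
Listen 203.0.113.20:443

<VirtualHost 203.0.113.10:80>
    ServerName example.com
    DocumentRoot /var/www/html
    ErrorDocument 404 /404.html
</VirtualHost>
# There is deliberately no <VirtualHost 203.0.113.10:443> and no Listen on
# that address:port. A client opening https://example.com is refused at the
# TCP level, before any TLS handshake, so no certificate is ever presented
# and the browser shows "connection refused" instead of a certificate warning.

<VirtualHost 203.0.113.20:80>
    ServerName ci.example.com
    # Trailing slash keeps request paths intact (/foo -> https://ci.example.com/foo)
    Redirect permanent / https://ci.example.com/
</VirtualHost>

<VirtualHost 203.0.113.20:443>
    ServerName ci.example.com
    ServerAlias ci
    SSLEngine on
    SSLCertificateKeyFile /etc/apache2/ssl/ci.example.com.key
    SSLCertificateFile /etc/apache2/ssl/ci.example.com.crt
    SSLCertificateChainFile /etc/apache2/ssl/ci.example.com.ca-bundle
    # Jenkins proxy configuration goes here, as in the question
</VirtualHost>
```

After `apachectl -t` passes and Apache is reloaded, `openssl s_client -connect example.com:443` from another host should fail to connect rather than returning the ci.example.com certificate, while `openssl s_client -connect ci.example.com:443` still completes the handshake.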

You're not cheap, you're lazy. Go get a free certificate and hope that your clients support SNI.

84104
  • I just tried to sign up for StartSSL. First, I got repeated SSL errors on their signup page, and then after providing my information, I got an HTTP 405 saying "if you are a human, this should never have happened." Frankly, this does not inspire confidence. – Kevin Mar 13 '15 at 02:07