
I have an apache2 conf file which should proxy to an internal host. For some reason it works in all situations except for one. I have a default website set up which acts as a default site. This default site has a dedicated SSL certificate. When the routing goes wrong, I get a security error because the routing to the correct host is incorrect and it falls back to the default host.

This is the configuration I have set up for a virtual host.

<VirtualHost www.example.co.uk:80>
    ServerName www.example.co.uk
    Redirect permanent / https://example.co.uk/
</VirtualHost>

<VirtualHost example.co.uk:80>
    ServerName example.co.uk
    Redirect permanent / https://example.co.uk/
</VirtualHost>

<VirtualHost www.example.co.uk:443>
    ServerName www.example.co.uk
    Redirect permanent / https://example.co.uk/
</VirtualHost>

<VirtualHost example.co.uk:443>
    ServerName example.co.uk
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/example.co.uk/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.co.uk/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example.co.uk/fullchain.pem
    SSLCACertificateFile /etc/letsencrypt/live/example.co.uk/cert.pem
    ProxyPreserveHost On
    ProxyPass / http://192.168.122.122:8080/
    ProxyPassReverse / http://192.168.122.122:8080/
</VirtualHost>

The routes that work:

http://example.co.uk

http://www.example.co.uk

https://example.co.uk

The route that doesn't work:

https://www.example.co.uk

As far as I can see all the routes are correct and should direct as they should. I have also tried the variation of the :443 virtual hosts to not include the "http". Any advice would be appreciated.

EDIT

As per advice, I have modified the www.example.co.uk:443 host to include the same as the SSL using:

<VirtualHost www.example.co.uk:443>
    ServerName www.example.co.uk
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/example.co.uk/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.co.uk/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example.co.uk/fullchain.pem
    SSLCACertificateFile /etc/letsencrypt/live/example.co.uk/cert.pem
    ProxyPreserveHost On
    ProxyPass / http://192.168.122.122:8080/
    ProxyPassReverse / http://192.168.122.122:8080/
</VirtualHost>

Still no luck.

Jono_2007
  • (FTR) neardupe http://serverfault.com/questions/367818/redirecting-ssl-without-raising-an-alert and crosssite http://stackoverflow.com/questions/27673013/redirecting-https-www-to-https-non-www-without-seeing-certificate-error- – dave_thompson_085 Nov 13 '16 at 12:24
  • Thank you for those links; they were very useful. Sadly I cannot upvote you, but it explains exactly why I was experiencing this problem. – Jono_2007 Nov 17 '16 at 22:51

1 Answer


Looks like your www.example.co.uk:443 virtualhost doesn't enable SSL, nor load your certificate, key and chain of trust.

SYN
  • Ok, I thought the redirect would have sufficed as to enable the SSL, I'll give that a go thanks – Jono_2007 Nov 13 '16 at 00:23
  • I've tried as you have suggested but had no luck. I've amended my question with an edit – Jono_2007 Nov 13 '16 at 00:29
  • How are you testing/what is it your client shows?! Is there anything relevant in apache logs? – SYN Nov 13 '16 at 00:34
  • I've ended up finding the answer as a result of your answer. It seems the redirect does not work as expected. Enabling the SSL explicitly on the www.example.co.uk then led to a different type of SSL error which I didn't catch in my first response. The SSL error was that the certificate was not valid for the "www" version of the site only the "example.co.uk" version of the site. – Jono_2007 Nov 13 '16 at 00:56
  • Right! A classic .... You may be able to set a different certificate in there, although some clients (non-SNI capable) would always end up on the "first" certificate loaded (from your configuration point of view). – SYN Nov 13 '16 at 00:58
  • I've learned something today! I'm not too worried about non-SNI clients, luckily, but with the certificate being letsencrypt I was able to reissue the certificate quite easily with both domains on there without much hassle – Jono_2007 Nov 13 '16 at 01:19
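
An added example, not part of the original thread: the TLS handshake completes before Apache can send the `Redirect`, so every `:443` virtual host needs a certificate that covers its own `ServerName`. The sketch below audits a config for the two failures seen here; the helper names and the SAN lists are assumptions constructed for illustration, and it only looks for `SSLCertificateFile` inside the block itself, not in included files.

```python
import re

# Constructed samples: the www :443 vhost as first posted, then both vhosts after the EDIT.
CONF_ORIGINAL = """
<VirtualHost www.example.co.uk:443>
    ServerName www.example.co.uk
    Redirect permanent / https://example.co.uk/
</VirtualHost>
"""
CONF_EDITED = """
<VirtualHost www.example.co.uk:443>
    ServerName www.example.co.uk
    SSLCertificateFile /etc/letsencrypt/live/example.co.uk/cert.pem
</VirtualHost>
<VirtualHost example.co.uk:443>
    ServerName example.co.uk
    SSLCertificateFile /etc/letsencrypt/live/example.co.uk/cert.pem
</VirtualHost>
"""
# Assumed SAN lists (constructed; in practice read them from the certificate itself).
CERT = "/etc/letsencrypt/live/example.co.uk/cert.pem"
SANS_BEFORE = {CERT: ["example.co.uk"]}
SANS_REISSUED = {CERT: ["example.co.uk", "www.example.co.uk"]}

def san_matches(host, san):
    """Exact match, or a wildcard covering exactly one left-most label."""
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return host == san

def audit_vhosts(conf, cert_sans):
    """Return (server_name, problem) for each :443 vhost that would fail TLS."""
    findings = []
    blocks = re.findall(r"<VirtualHost\s+[^>]*:443>(.*?)</VirtualHost>", conf, re.S | re.I)
    for body in blocks:
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        cert = re.search(r"^\s*SSLCertificateFile\s+(\S+)", body, re.M | re.I)
        host = name.group(1) if name else "(no ServerName)"
        if not cert:
            findings.append((host, "no certificate loaded"))
        elif not any(san_matches(host, s) for s in cert_sans.get(cert.group(1), [])):
            findings.append((host, "certificate does not cover this name"))
    return findings

if __name__ == "__main__":
    for conf, sans in [(CONF_ORIGINAL, SANS_BEFORE), (CONF_EDITED, SANS_BEFORE), (CONF_EDITED, SANS_REISSUED)]:
        print(audit_vhosts(conf, sans))
```

The three runs correspond to the original config, the edited config with the old certificate, and the edited config after the certificate was reissued with both names.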