5

Like the subject says I need to rewrite https://domain.com => https://www.domain.com. But I have a wildcard SSL setup for the domain and the root domain does not match *.domain.com, thus the browser brings up an error

domain.com uses an invalid security certificate.

The certificate is only valid for *.domain.com

This is my current vhost config 

<VirtualHost 127.0.0.1:443>
        ServerAdmin user@domain.com
        DocumentRoot /usr/local/app/domain/webapps/www
        JkMount /* somestuff
        ServerName domain. com
        ServerAlias www.domain.com 
        ErrorLog logs/domain.com-error_log
        CustomLog logs/domain.com-access_log combined
        Customlog logs/domain.com-deflate_log deflate
        RewriteEngine on
        RewriteCond %{HTTP_HOST}   ^domain\.com [NC]
        RewriteRule ^/?(.*)         https://www.domain.com/$1 [L,R,NE]
        SSLEngine on
        SSLCertificateFile /etc/httpd/conf/ssl.crt/x.domain.com.crt
        SSLCertificateKeyFile /etc/httpd/conf/ssl.key/x.domain.com.key

</VirtualHost>

I was hoping that the RewriteEngine would kick in before the SSL is loaded but doesn't work. Is this solvable without getting a new cert that is just for the root domain ?

Dennis Williamson
  • 62,149
  • 16
  • 116
  • 151
Snorri
  • 111
  • 1
  • 3

3 Answers3

6

Unfortunately the name that the client is talking to is checked against the certificate by the client, not the server. As far as the client is concerned it is talking to domain.com not <something>.domain.com - it will be unaware of any URL rewriting that is being done at the server end.

So you will need an extra certificate for the other name to avoid certificate errors.

David Spillett
  • 22,754
  • 45
  • 67
  • This is correct. SSL negotiation will always happen first. – Sam Halicke Nov 21 '09 at 18:15
  • 2
    One could argue that it's rather "fortunate" that the client checks itself, not unfortunate. If the redirect could happen prior to SSL negotiation, traffic would obviously not be encrypted and a man in the middle could redirect the client anywhere they want to. This extra certificate usually costs money, which is unfortunate :) – Olaf Feb 20 '10 at 08:12
  • 1
    Also, you might be able to get both, the wildcard and the toplevel domain in just one certificate - see the answers to http://serverfault.com/questions/87005/can-i-buy-just-one-ssl-cert-for-a-subdomain. I've not tried that, but this way you could work with just one certificate (and on the same IP address) instead of requiring an extra IP address just for the top level address. – Olaf Feb 20 '10 at 08:15
  • I agre, but it is unfortunate for the person asking the question as it impacts what is trying to do (serve both addresses so redirection works smoothly but with one certificate). Security is a GoodThing(tm), unfortunately being secure isn't always convinient. – David Spillett Feb 20 '10 at 18:44
  • I was looking for this answer everywhere. I'd assumed as much, but wanted to be sure. Thanks. +1 – Andrew Ensley May 20 '11 at 21:53
0

It looks like the DigiCert SSL Plus will do this for you.

With DigiCert's innovative use of Subject Alternative Names, your DigiCert SSL Plus certificate will secure both www.example.com and example.com (with and without the www!), leaving less potential for browser warnings.

Kevin Hakanson
  • 123
  • 2
  • 11
  • The word "innovative" doesn't fit here as multi-name certificates are part of the standard - you just usually get charged more for having such a certificate signed just as you do for wildcard certificates, and not all CAs offer them as a product. They work the same way: the browser connects to what it thinks is www.domain.tld or domain.tld and gets a cert back that is valid for both and it is happy (in the case of a wildcard cert it would be presented with one that is valid for .domain.tld – David Spillett May 21 '11 at 01:35
0

The host headers are (normally) not visible without terminating the SSL connection, so the certificate needs to be valid for whatever the client is entering... you could rewrite http://domain.com to https://www.domain.com though (why the heck did the comment code remove the www. when it made the examples into an url for? ^^)

Oskar Duveborn
  • 10,760
  • 3
  • 33
  • 48