0

I'm having a hell of a time getting an SSL certificate working with Apache running on CentOS. This is my first time trying to get SSL working so I need a bit of help. I've done a lot of reading and experimenting and trying different solutions but I'm stuck.

I've got a domain, and an SSL cert for that domain from GoDaddy. I believe the cert is installed correctly now after some trial and error, but when I navigate to my domain I get errors on both Chrome and Firefox. The strange thing is they give me different errors.

To be clear, I am navigating to www.mydomain.ca.

Chrome gives an "ERR_CERT_COMMON_NAME_INVALID" error. Firefox gives an "SSL_ERROR_BAD_CERT_DOMAIN" error.


I'm not sure about the common name problem, but I'm pretty sure the bad_cert_domain is happening because httpd is not replacing the IP address in the address bar with the domain name. I think this is a rewrite rule. I've added this to the end of my httpd.conf file. I can include more of the file if that's helpful. I don't really understand rewrite rules very well and lifted this from a tutorial. I've tried a number of different versions of this, including having a separate sites-available folder with conf files there, but the result is the same.

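```apache
<VirtualHost *:443>
    ServerName www.MYDOMAIN.ca
    ServerAlias MYDOMAIN.ca
    DocumentRoot /var/www/html/
    RewriteEngine On
    # Redirect any request whose Host header is not MYDOMAIN.ca
    # (server variables use braces: %{HTTP_HOST}, not %(HTTP_HOST))
    RewriteCond %{HTTP_HOST} !^MYDOMAIN.ca$
    RewriteRule /.* https://MYDOMAIN.ca/ [R]
</VirtualHost>
```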

My question is, why is httpd not replacing the IP address with the domain name, and why is Chrome reporting a Common Name error?

Thanks

Michael
  • Possible duplicate of [Is it possible to redirect an https connection before SSL is checked using haproxy?](https://serverfault.com/questions/800998), [Redirecting SSL without raising an alert](https://serverfault.com/questions/367818/) and [many many others](https://serverfault.com/search?q=is%3Aquestion+redirect+https+certificate+error). In short: You cannot redirect from `https://ip-address` without certificate errors if the certificate does not contain `ip-address` as subject, which it does not. – Steffen Ullrich Sep 19 '17 at 04:13
  • @SteffenUllrich Is what I'm doing redirecting though? When I navigate to www.mydomain.ca, that domain is set up to link to the IP address of my server. How is this any different from what any other website does? – Michael Sep 19 '17 at 05:53
  • According to your screenshots you are accessing `https://ip-address` not `https://domain-name`. Thus, the browser will compare `ip-address` with the subject of the certificate and complain inside the TLS handshake before having a chance to send the HTTP request to the server and getting the redirect from it. It does not matter that the domain would ultimately resolve to the same IP address - what matters is the name in the URL and not what name/IP it resolves to. – Steffen Ullrich Sep 19 '17 at 06:12
  • @SteffenUllrich I see what you're saying. Ok that is my mistake and I apologise. I should have specifically stated that I am navigating to www.mydomain.ca. When I navigate to www.mydomain.ca, I am forwarded to my server, and the address bar is being replaced with the IP address. – Michael Sep 19 '17 at 06:18
  • In this case it is probably a wrong configuration somewhere outside the configuration you have shown. It might be more useful to know every step then, i.e. at which URL you start, where you get redirected, etc. And please include the real URL so that others can reproduce your problem. Also, update the question and don't include essential information only in the comments. – Steffen Ullrich Sep 19 '17 at 06:21
  • @SteffenUllrich I was updating the question when you posted your comment. Unfortunately the IP address is on a private network and only accessible on a VPN, so you won't be able to reproduce it. Apache on CentOS has a pretty simple configuration. What files would be valuable? I can post the entire httpd.conf and ssl.conf – Michael Sep 19 '17 at 06:25
  • First one needs to know which redirects are done in the browser, i.e. where you start, where you get redirected to, etc. and where you end up finally (at the URL with IP address). This should be visible from the developer tools in the browser. – Steffen Ullrich Sep 19 '17 at 07:22

1 Answer

0

Found my answer. The problem is my domain was registered with Google Domains and I unknowingly set the domain to "forward" to my web server IP. When pinging or doing a DNS lookup of the domain, I would get the Google Hosting Service IP address, rather than mine. So Steffen was correct that I was performing a redirect, I just didn't know about it.

To fix this I turned off the forward option, and created an A Record in the DNS settings. Works perfectly now. mydomain.ca redirects to the http version of my site and https://mydomain.ca redirects to the HTTPS version without any SSL errors.

Michael
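The comments in this thread explain that the browser compares the host in the URL with the names in the certificate before any HTTP request, and so before any Apache rewrite, can happen. The following is an added sketch of that check, not code from the thread: it is simplified to subjectAltName entries only, and the certificate contents, the address 203.0.113.10 and both redirect chains are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Case-insensitive label match; '*' may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]  # refuse patterns as broad as *.ca
    return p == h

def host_matches_cert(host, cert):
    """Compare a URL host with the certificate's subjectAltName entries.

    `cert` has the dict shape returned by ssl.SSLSocket.getpeercert().
    An IP literal is compared with 'IP Address' entries only, never DNS ones.
    """
    sans = cert.get("subjectAltName", ())
    if _is_ip(host):
        want = ipaddress.ip_address(host)
        return any(k == "IP Address" and ipaddress.ip_address(v) == want
                   for k, v in sans)
    return any(k == "DNS" and _dns_match(v, host) for k, v in sans)

def first_name_mismatch(chain, cert):
    """Return the first https:// hop whose host the certificate does not cover."""
    for url in chain:
        parts = urlsplit(url)
        if parts.scheme == "https" and not host_matches_cert(parts.hostname, cert):
            return url
    return None

# Constructed sample data: a certificate issued for the two domain names only,
# the chain produced by registrar "forwarding", and the chain after the A record fix.
CERT = {"subjectAltName": (("DNS", "mydomain.ca"), ("DNS", "www.mydomain.ca"))}
FORWARDED = ["http://www.mydomain.ca/", "https://203.0.113.10/"]
DIRECT = ["http://www.mydomain.ca/", "https://www.mydomain.ca/"]

if __name__ == "__main__":
    print("forwarded chain fails at:", first_name_mismatch(FORWARDED, CERT))
    print("direct chain fails at:", first_name_mismatch(DIRECT, CERT))
```

The forwarded chain fails at the IP hop even though the server behind it holds a valid certificate for the domain, which is why the rewrite rule in the virtual host never got a chance to run.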