
I'm using CentOS 7 with Plesk (1and1 dedicated server) and Apache, and we want to secure all our websites with Let's Encrypt where possible, though we have a problem with 2 domains that have been rewritten with Apache rules.

Here is the code we use to rewrite the domain:

ServerAlias www.traffweb.portsmouth.gov.uk traffweb.portsmouth.gov.uk
RewriteEngine on
# Requests for portsmouthtraffweb.uk (with or without www.) are sent to the client's hostname
RewriteCond %{HTTP_HOST} ^(w{3}\.)?portsmouthtraffweb\.uk [NC]
RewriteRule (.*) http://www.traffweb.portsmouth.gov.uk/$1 [R=301,L]
# Anything still arriving without a www. prefix gets one
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]

and then

/usr/local/psa/admin/sbin/httpdmng --reconfigure-domain portsmouthtraffweb.uk

Not really sure if the last command is necessary; I think that the last time I just inserted the Apache rules and that's it.

On our server we have (and we own) portsmouthtraffweb.uk, while traffweb.portsmouth.gov.uk is owned by the client. This subdomain doesn't exist anywhere; it's been redirected in the DNS with an A record pointing to our server IP.

Basically, on the server portsmouthtraffweb.uk exists, and if traffic comes in requesting traffweb.portsmouth.gov.uk it is redirected to use the directory of portsmouthtraffweb.uk.

I tried to use Let's Encrypt in Plesk, but when I applied the certificate the rewrite rule is ignored and the URL displayed is the one on the server, not the one we want to display.

How can I secure those domains? Apart from me, since I use both domains to see the website, everyone else will use just the correct URL traffweb.portsmouth.gov.uk, as it will be publicised with this DOMAIN NAME.

I don't mind doing some work on the server, as we own the servers, so I can connect as root; as you can see, this command was done on the server and not through Plesk. Sometimes I just prefer doing things in Plesk because it requires less time.

Seba

1 Answer


Hey @Sebastiano :wave:

You actually cannot get a cert for a domain you don't control legitimately. I think this might be the problem.

Are you sure they are using an A record (points to IP address) and not an AAAA record or, most likely, a CNAME record or other redirect mechanism?

It would be the .gov.uk administrator's job to get a cert for their side if they control the domain. You can use services like https://www.whatsmydns.net/ (google for "check DNS propagation" if that link is dead) to verify that it indeed points to your domain, or server IPs.

If it's a CNAME, then from your side it should just be portsmouthtraffweb.uk, so you'd need to ensure that firstly resolves directly to the server you want an SSL for. You'd then also need a separate vhost with the same webroot. https://certbot.eff.org/all-instructions provides an exhaustive list. I use the webroot option for smaller sites, but I've been assured you can even use DNS to secure SSL certificates (so long as you control the DNS).

Here is one for my local linux club which was running Apache 2.2 (since upgraded to Nginx) https://gist.github.com/Lewiscowles1986/dda7382e21a7ec66089730f7945842f0

Certificates should be stored outside of the webroot. Let's Encrypt ones live under /etc/letsencrypt. You may also want to generate a dhparams.pem:

openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096

Once that server resolves and knows portsmouthtraffweb.uk resolves to your servers, you can request a LetsEncrypt cert for that domain only. Similarly if the .gov.uk one resolves to your servers, you can request a certificate for that domain only.

I use the certbot utility, but you may find commercial providers are better suited to secure a government website.

It's Lewis, btw.

MrMesees
  • Hi Lewis, yes, `portsmouthtraffweb.uk` resolves to my server IP. I was using it till I implemented the Apache rules. The `.gov.uk` should have just an `A` record, as I told them to create it and insert our server IP address. What I don't understand is how I can apply an SSL to a domain that doesn't exist physically, because the `.gov.uk` exists just in the DNS and it uses the path of `portsmouthtraffweb.uk` when it enters my server, but they haven't created it as a subdomain on their server. – Seba Nov 26 '18 at 08:15
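The layout Lewis describes (a vhost that answers for both names on one webroot, a certificate issued with certbot's webroot plugin, certificate and DH parameters kept under /etc/letsencrypt) can be written out as plain Apache configuration. The example below is added here and is not code from the question, from Lewis's answer or from the linked gist. It assumes the Plesk-style document root /var/www/vhosts/portsmouthtraffweb.uk/httpdocs, that www.traffweb.portsmouth.gov.uk is the canonical hostname, and that mod_rewrite, mod_ssl, mod_alias and mod_headers are loaded; all paths are placeholders to adjust. The one detail that the question's rules get wrong for Let's Encrypt is that the HTTP-01 validation request arrives on the alias hostname and must be answered there, not redirected, so the challenge path is exempted from the redirect.

```apache
# Added example, not part of the original question or answer. Assumed paths:
#   webroot  /var/www/vhosts/portsmouthtraffweb.uk/httpdocs
#   certs    /etc/letsencrypt/live/www.traffweb.portsmouth.gov.uk/
# On Plesk these directives belong in the domain's "Additional Apache directives"
# (HTTP and HTTPS sections) rather than in a hand-edited httpd.conf.
#
# Certificate request covering all four names, run once the DNS for each name points here:
#   certbot certonly --webroot -w /var/www/vhosts/portsmouthtraffweb.uk/httpdocs \
#     -d www.traffweb.portsmouth.gov.uk -d traffweb.portsmouth.gov.uk \
#     -d portsmouthtraffweb.uk -d www.portsmouthtraffweb.uk
# Each name is validated over plain HTTP at /.well-known/acme-challenge/ on that name,
# which is why the port-80 vhost below must serve that path instead of redirecting it.

<VirtualHost *:80>
    ServerName www.traffweb.portsmouth.gov.uk
    ServerAlias traffweb.portsmouth.gov.uk portsmouthtraffweb.uk www.portsmouthtraffweb.uk
    DocumentRoot /var/www/vhosts/portsmouthtraffweb.uk/httpdocs

    # ACME challenge files are served directly from the shared webroot.
    Alias /.well-known/acme-challenge/ /var/www/vhosts/portsmouthtraffweb.uk/httpdocs/.well-known/acme-challenge/
    <Directory "/var/www/vhosts/portsmouthtraffweb.uk/httpdocs/.well-known/acme-challenge/">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # Everything else goes to HTTPS on the canonical name in one hop.
    # The RewriteCond keeps the validation path out of the redirect; without it the CA
    # would be sent to a different hostname than the one it is trying to validate.
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://www.traffweb.portsmouth.gov.uk%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName www.traffweb.portsmouth.gov.uk
    ServerAlias traffweb.portsmouth.gov.uk portsmouthtraffweb.uk www.portsmouthtraffweb.uk
    DocumentRoot /var/www/vhosts/portsmouthtraffweb.uk/httpdocs

    SSLEngine on
    # One certificate carrying all four names; files stay outside the webroot.
    SSLCertificateFile    /etc/letsencrypt/live/www.traffweb.portsmouth.gov.uk/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.traffweb.portsmouth.gov.uk/privkey.pem
    # DH parameters from "openssl dhparam -out /etc/letsencrypt/dhparam.pem 4096".
    # SSLOpenSSLConfCmd needs httpd 2.4.8 or newer; on older builds append the
    # dhparam PEM to the certificate file instead.
    SSLOpenSSLConfCmd DHParameters /etc/letsencrypt/dhparam.pem
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # The alias names are valid on the certificate, so the browser sees no warning,
    # but visitors are still moved onto the canonical hostname.
    RewriteEngine on
    RewriteCond %{HTTP_HOST} !^www\.traffweb\.portsmouth\.gov\.uk$ [NC]
    RewriteRule ^ https://www.traffweb.portsmouth.gov.uk%{REQUEST_URI} [R=301,L]

    # Only set HSTS once every name on the certificate is known to work over HTTPS.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

After changing the configuration, `apachectl configtest` followed by a reload is enough; the `httpdmng --reconfigure-domain` command from the question is only needed when Plesk itself has to regenerate the domain's vhost files. A quick check that the exemption works is to fetch `http://portsmouthtraffweb.uk/.well-known/acme-challenge/test` and confirm a 404 from this server rather than a 301 to the .gov.uk hostname.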