0

I have two domains: my-domain.com and my-domain.fr

I want to redirect traffic as follows:

  • my-domain.com:80 -> my-domain.com:443
  • my-domain.fr:80 -> my-domain.com:443
  • my-domain.fr:443 -> my-domain.com:443

I've chosen to only use .com, am I right? I guess yes, because I only have to manage one certificate: the .COM one.

My `/etc/apache2/sites-available/default`:

```apache
NameVirtualHost *:80

<VirtualHost *:80>
   ServerName www.my-domain.com
   ServerAlias my-domain.com
   # Trailing slash on the target: the rest of the request path is appended to it
   Redirect permanent / https://www.my-domain.com/
</VirtualHost>

<VirtualHost *:80>
   ServerName www.my-domain.fr
   ServerAlias my-domain.fr
   Redirect permanent / https://www.my-domain.com/
</VirtualHost>
```

My `/etc/apache2/sites-available/default-ssl`:

```apache
NameVirtualHost *:443

<VirtualHost *:443>
   ServerName www.my-domain.com
   ServerAlias my-domain.com
   DocumentRoot /var/www/my-domain/
   ErrorLog /var/log/my-domain/my-domain.com.error.log
   CustomLog /var/log/my-domain/my-domain.com.access.log combined

   GnuTLSEnable on
   GnuTLSPriorities NORMAL
   GnuTLSExportCertificates on
   GnuTLSCertificateFile /etc/apache2/ssl/certs/my-domain.com.crt
   GnuTLSKeyFile /etc/apache2/ssl/private/my-domain.com.key
</VirtualHost>

<VirtualHost *:443>
   ServerName www.my-domain.fr
   ServerAlias my-domain.fr
   DocumentRoot /var/www/my-domain/
   ErrorLog /var/log/my-domain/my-domain.fr.error.log
   CustomLog /var/log/my-domain/my-domain.fr.access.log combined

   GnuTLSEnable on
   GnuTLSPriorities NORMAL
   GnuTLSExportCertificates on
   GnuTLSCertificateFile /etc/apache2/ssl/certs/my-domain.fr.crt
   GnuTLSKeyFile /etc/apache2/ssl/private/my-domain.fr.key
</VirtualHost>
```

But I'm getting an SSL certificate error when I'm going to my-domain.fr because it tells me that I wanted to go on my-domain.fr and I'm not.

fallais
  • You need openssl-1.x for this to work - SNI. – Marcel Feb 18 '14 at 17:46
  • `But I'm getting an SSL certificate error when I'm going to my-domain.fr` - Can you be more specific about what exactly you are doing to trigger this error? Are you opening `http://my-domain.fr` and getting redirected incorrectly to `https://my-domain.fr`? Or are you somehow expecting `https://my-domain.fr` to work? – Zoredache Feb 18 '14 at 18:37
  • I'm well redirected to https://my-domain.com then a certificate error appears because I asked for my-domain.fr. I'll take a look to everything that has been explained to me and then come back to validate. Things become clearer. Thanks. – fallais Feb 18 '14 at 18:40

2 Answers

3

I'm afraid you've misunderstood the order in which things happen. The SSL connection is established first, and only once that is done will the HTTP request be passed to the server and get a redirect in response.

If it were possible to do the redirect to a different domain before checking the server's SSL certificate, it would be very easy to send any visitor on to any random domain. Just imagine what this could do to an online banking site, if a simple man-in-the-middle attack could redirect a user to a different site without even an SSL warning...

The easiest solution here is that you get a certificate with Subject Alternative Names and you list all the domains that you want to use the certificate for. That way you will still only have one certificate to keep updated, but it will work for all your domains.

Jenny D
  • I want the COM domain to be the only one used. I want FR, ES, UK, etc. to only lead the user to the COM domain. What are the best practices to do this (my-domain.com/fr, fr.my-domain.com, etc.)? And how to implement it? Thanks. – fallais Feb 19 '14 at 11:46
  • @Elwyn You must also have a certificate for `my-domain.fr`. – Michael Hampton Feb 19 '14 at 11:59
  • @MichaelHampton: I have it, as you can see in my conf above. – fallais Feb 19 '14 at 12:14
  • @Elwyn OK, then your question is not clear. You should expand it to state exactly what the certificate error was, or possibly provide your real domain names. – Michael Hampton Feb 19 '14 at 12:16
  • @MichaelHampton: There was an understanding. I want my users that ask for my-domain.fr to be redirected to my-domain.com, for HTTP and HTTPS. The way I do it is wrong. I now want to know what are the best practices to do it well. – fallais Feb 19 '14 at 13:07
  • @Elwyn Your redirects appear fine, at least the ones you actually wrote. You're missing one in your www.my-domain.fr 443 virtual host. – Michael Hampton Feb 19 '14 at 15:21
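
The change the first answer and the comments under it point to, as an added example that is not part of the original posts: the `.fr` virtual host on port 443 keeps its own certificate so the TLS handshake succeeds, and only then redirects. It reuses the question's placeholder names and paths, and assumes clients send SNI so that the `.fr` virtual host is the one selected.

```apache
# Added example (not from the original posts); names and paths are the
# question's placeholders.

# Canonical site: the only virtual host that serves content.
<VirtualHost *:443>
   ServerName www.my-domain.com
   ServerAlias my-domain.com
   DocumentRoot /var/www/my-domain/

   GnuTLSEnable on
   GnuTLSPriorities NORMAL
   GnuTLSCertificateFile /etc/apache2/ssl/certs/my-domain.com.crt
   GnuTLSKeyFile /etc/apache2/ssl/private/my-domain.com.key
</VirtualHost>

# Redirect-only host for https://my-domain.fr. The browser validates this
# certificate against the .fr name BEFORE any HTTP is exchanged, so the
# certificate presented here must be valid for the .fr names: either the
# separate .fr certificate (as below) or one certificate whose Subject
# Alternative Names list both the .com and the .fr names.
<VirtualHost *:443>
   ServerName www.my-domain.fr
   ServerAlias my-domain.fr

   GnuTLSEnable on
   GnuTLSPriorities NORMAL
   GnuTLSCertificateFile /etc/apache2/ssl/certs/my-domain.fr.crt
   GnuTLSKeyFile /etc/apache2/ssl/private/my-domain.fr.key

   ErrorLog /var/log/my-domain/my-domain.fr.error.log
   CustomLog /var/log/my-domain/my-domain.fr.access.log combined

   # No DocumentRoot: this host never serves content, it only redirects.
   # The trailing slash matters because the remainder of the request path
   # is appended directly to the target.
   Redirect permanent / https://www.my-domain.com/
</VirtualHost>
```
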
2

Your webserver doesn't know the domain requested when you're in HTTPS, so it will always request the first *:443 virtualhost you have configured. You need openssl-1.x for SNI to work.

Marcel
  • Just to be sure. When I ask for **my-domain.fr** (http or https), I want to be redirected to **my-domain.com** (https). – fallais Feb 18 '14 at 18:49
  • Your question was about certificate error SSL warnings, not about redirection. Aren't your redirection rules working? What is wrong now? – Marcel Feb 18 '14 at 20:15
  • It is an SSL certificate error that I have. But it is due to a redirection error, you might be right. I want to be redirected from **FR** to **COM**, is my configuration good? – fallais Feb 19 '14 at 09:18
  • As I said, you cannot have `VirtualHosts` on `*:443` without SNI, and expect it to work. SNI within apache is only doable with `openssl-1.X`, check your openssl version. – Marcel Feb 19 '14 at 14:07
  • Please look at [THIS](http://serverfault.com/questions/109800/multiple-ssl-domains-on-the-same-ip-address-and-same-port) – Marcel Feb 19 '14 at 14:09
  • There was an understanding. I want the users that ask for my-domain.fr to be redirected to my-domain.com, for HTTP and HTTPS. The way I do it is wrong. I now want to know what are the best practices to do it well please. – fallais Feb 19 '14 at 14:53