
I migrated a site from oldsite.example to newsite.example.

HTTPS was enforced all over, so most incoming links to oldsite are going to https://www.oldsite.example.

My oldsite.example domain used to point to a host which had a certificate for it. However, the domain now redirects to newsite.example, and the host contains a certificate for that instead.

So people using direct links like https://www.oldsite.example/anything receive an SSL_ERROR_BAD_CERT_DOMAIN error.

My question is the following: how do I certify a domain that doesn't have any hosting attached to it?

Further info:

  • My domain name provider is OVH, the redirection is set up there

  • My host is PythonAnywhere

Patrick Mevzek
Brachamul
  • What is the exact setup you are using to serve redirects to the new version? – Tero Kilkanen Jul 10 '18 at 20:16
  • I'm using the DNS zone interface of my internet provider, I have the following entry: `60 IN TXT "4|https://newsite.fr"` – Brachamul Jul 10 '18 at 22:27
  • That is quite an ugly hack from OVH. It obfuscates the fact that HTTP redirects are not made via DNS. While it might be convenient to use, it really confuses things, especially with `https`. – Tero Kilkanen Jul 11 '18 at 18:19

2 Answers


I have no idea what your question is supposed to mean. There is no such thing as "certify a domain that doesn't have a host attached to it".

But you actually solve the problem by installing a TLS certificate for the old domain.

Michael Hampton
  • Sorry for the confusion, which probably only reflects my own confusion. When I read the intro from the Let's Encrypt site, they say `With Let’s Encrypt, you do this using software that uses the ACME protocol, which typically runs on your web host`. But if the domain is used for redirection only, there is no host on it, correct? So there's no way to certify the domain? I need to have hosting enabled on this domain to get a certificate working? – Brachamul Jul 10 '18 at 14:49
  • You're still not making much sense. If you are serving redirects, then you are already hosting the domain. Let's Encrypt works fine for such a domain. – Michael Hampton Jul 10 '18 at 14:58
  • The redirects are set up through the host, via the DNS zone, so I didn't have any hosting with that domain. I was able to set hosting up and add my certificate for free though, so my issue is fixed. – Brachamul Jul 10 '18 at 22:25
  • @Brachamul The ACME protocol is what you used (or others on your behalf) to request a new certificate from Let's Encrypt. This is a pure management protocol; once the certificate is delivered you use the certificate without any reference to this protocol (except in the remote sense that before 90 days you will need to renew it and hence use ACME again). You can validate (not certify) the domain with 3 different challenges to finally acquire the certificate; one of them uses only the DNS and does not need a webserver responding to queries on port 80 or 443 at all. – Patrick Mevzek Jul 13 '18 at 00:07

After further research, trial and error, I found out that two good solutions can be:

  • Setting up a host for my domain, which requires the redirection to the new domain to be done via .htaccess rather than via DNS.

  • Validating the domain with a DNS challenge: How to use Let's Encrypt DNS challenge validation?, thanks @Patrick Mevzek for pointing that out for me

Brachamul
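
The name mismatch behind the SSL_ERROR_BAD_CERT_DOMAIN error in the question, as an added example that is not part of the original posts: the client compares the requested hostname with the certificate's DNS names during the TLS handshake, before any HTTP redirect can be sent, so the certificate served for the old names must list them. The SAN lists and function names below are constructed for illustration.

```python
# Added example (not from the thread): which old hostnames a certificate covers.
# Matching follows the usual client rules (RFC 6125): exact match, or a "*."
# wildcard that stands for exactly one leftmost label.

def name_matches(hostname: str, pattern: str) -> bool:
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        # A wildcard never spans several labels and never matches the bare domain.
        return False
    if pat[0] == "*":
        # Refuse overly broad patterns such as "*.example".
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat


def cert_covers(hostname: str, san_dns_names: list) -> bool:
    return any(name_matches(hostname, p) for p in san_dns_names)


def uncovered(hostnames: list, san_dns_names: list) -> list:
    """Hostnames for which a client would reject the certificate."""
    return [h for h in hostnames if not cert_covers(h, san_dns_names)]


# Names that incoming links still use (from the question).
OLD_NAMES = ["oldsite.example", "www.oldsite.example"]

# Constructed SAN lists, assumed for illustration:
# before = the host only presents the new site's certificate,
# after  = a certificate has also been issued for the old names,
# wildcard = a wildcard-only certificate, which misses the bare domain.
SAN_BEFORE = ["newsite.example", "www.newsite.example"]
SAN_AFTER = SAN_BEFORE + OLD_NAMES
SAN_WILDCARD = ["*.oldsite.example"]

if __name__ == "__main__":
    cases = [("before", SAN_BEFORE), ("after", SAN_AFTER),
             ("wildcard only", SAN_WILDCARD)]
    for label, san in cases:
        print(f"{label}: rejected for {uncovered(OLD_NAMES, san) or 'none'}")
```

Whichever way the certificate is obtained (web host or DNS challenge), every name that old links use has to appear in it.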