
Currently, users going to our www URL get SSL errors, i.e. "the certificate for this website is invalid". This is because we only have one cert, which is configured for the non-www URL: mysite.co

We want requests for either

http://www.mysite.co   
https://www.mysite.co

to go to

https://mysite.co

The reverse is acceptable, since our motivation is to minimize costs by paying for only one cert, either with www or without. I did read another post saying that SSL negotiation happens before any response from the server (in our case, redirection), so visitors will receive a warning when using a domain that is not in our common name. However, I modified DNS to include a CNAME so that all www.mysite.co traffic redirects to mysite.co, and we still see the error in Firefox and Safari.

We use Ubuntu with the following mod_rewrite rules:

1) in /etc/apache2/sites-available/mysite-ssl

```apache
<VirtualHost *:443>
        RewriteEngine on
        # Redirect the www host to the bare domain (only runs after the TLS handshake)
        RewriteCond %{HTTP_HOST} www.mysite.com  [NC]
        # In virtual-host context the matched path starts with "/", so keep it out of $1
        RewriteRule ^/(.*)$ https://mysite.com/$1 [R=permanent,L,NC]
        ServerAdmin admin@mysite
        ServerName mysite
        ServerAlias www.mysite

        ... other stuff ...

</VirtualHost>
```

2) in /etc/apache2/sites-available/mysite

```apache
<VirtualHost *:80>
        RewriteEngine on
        # Send all plain-HTTP requests to HTTPS on the same host
        RewriteCond %{SERVER_PORT} !^443$
        RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
</VirtualHost>
```

Interestingly, Chrome says everything is fine when going to WWW.mysite.co (both http and https).

However, BOTH Firefox and Safari complain of a hostname mismatch (cannot verify identity).

Sofkor
  • possible duplicate of [single cert for two alias name](http://stackoverflow.com/questions/14984019/single-cert-for-two-alias-name) – Bruno Jul 12 '13 at 10:56
  • I'd check that your cert has two Subject Alternative Name entries: with and without www. – Bruno Jul 12 '13 at 10:56
  • thank you Bruno... noob poster on StackExchange so just seeing your comments now – Sofkor Jul 15 '13 at 08:17

1 Answer


So after more reading & research, the above rules work for redirecting traffic from www.site.co to site.co.

However, the only way to have two or more URLs secured with one SSL certificate is to purchase either:

  1. a wildcard SSL certificate, which covers `*.site.co`; these do not need to be defined at purchase time

  2. an SSL cert with one or more Subject Alternative Names (SANs) that cover www.site.co, mail.site.co, etc. These need to be defined when you purchase the cert, specifying each SAN

Sofkor
  • Actually, wildcard certs on their own don't necessarily work. `*.site.co` doesn't cover `site.co` (the dot isn't ignored). Most wildcard certs work because they have a SAN for `*.site.co` and `site.co` as part of the same package, but it's not the wildcard that's relevant here. – Bruno Jul 15 '13 at 08:33
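
The name check discussed in the answer and comments above, as an added example that is not part of the original posts: a simplified left-most-label wildcard matcher in the style of RFC 6125, run over constructed SAN lists for `site.co`. The function names and the certificate contents are assumptions of this example; real clients apply further rules (public-suffix checks, IDN handling).

```python
def dns_name_matches(hostname: str, pattern: str) -> bool:
    """Simplified RFC 6125-style comparison of a hostname with one SAN dNSName.

    A '*' is honoured only as the entire left-most label and stands for
    exactly one label, so '*.site.co' never matches 'site.co'.
    """
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False  # a wildcard cannot absorb zero labels or several labels
    if pat[0] == "*":
        # Require at least two fixed labels after the wildcard (rejects '*.co').
        return len(pat) > 2 and host[0] != "" and host[1:] == pat[1:]
    return host == pat


def uncovered(hostnames, san_entries):
    """Return the hostnames that no SAN entry in the certificate covers."""
    return [h for h in hostnames
            if not any(dns_name_matches(h, san) for san in san_entries)]


# Names the site must serve without a browser warning.
SITE_HOSTS = ["site.co", "www.site.co"]

# Constructed SAN lists for illustration, not taken from any real certificate.
CONSTRUCTED_CERTS = {
    "single name": ["site.co"],
    "wildcard only": ["*.site.co"],
    "wildcard + apex": ["*.site.co", "site.co"],
    "two SANs": ["site.co", "www.site.co"],
}


def report():
    """Map each constructed certificate to the site hostnames it fails to cover."""
    return {label: uncovered(SITE_HOSTS, sans)
            for label, sans in CONSTRUCTED_CERTS.items()}


if __name__ == "__main__":
    for label, missing in report().items():
        status = "covers both names" if not missing else "mismatch for " + ", ".join(missing)
        print(f"{label:16} {status}")
```

Any hostname listed as a mismatch fails during the TLS handshake, before Apache can evaluate a `RewriteRule` for that request.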