MY GOAL
I would like to make a website accessible only via SSL (encrypted) and with many domains redirecting to only one master domain (no duplicate content) and all www variants should be no-www.
The website is hosted by an apache server and configured as a virtual host.
I would like to have the redirections like follows:
http://example.com -> https://example.com
http://www.example.com -> https://example.com
https://www.example.com -> https://example.com
http://example.de -> https://example.com
http://www.example.de -> https://example.com
https://example.de -> https://example.com
https://www.example.de -> https://example.com
[…]
THE ERROR / PROBLEM
My problem is that certain requests (like https://www.example.de) are redirected to https://example.com but e.g. Firefox says the connection is not secure (SSL_ERROR_BAD_CERT_DOMAIN). Some others work.
My vhost config looks like this:
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com www.example.de example.de
    RedirectMatch 301 (.*) https://example.com$1
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.com
    ServerAlias www.example.de example.de
    RedirectMatch 301 (.*) https://example.com$1
</VirtualHost>
<VirtualHost *:443>
    ServerName example.com
    ServerAdmin webmaster@example.com
    DocumentRoot /var/www/example
    <Directory "/var/www/example">
        AllowOverride All
        AuthType Basic
        AuthName "Example.com Temporary Preview"
        AuthUserFile /var/www/users
        Require user example-dev
    </Directory>
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
I am using certbot for verifying the domains and obtaining the ssl-certificate from letsencrypt like this:
sudo certbot --authenticator webroot --installer apache certonly
then selecting all the domains (which the apache installer guesses perfectly), specifying the webroot for the authentication process in the interactive cli installer.
(Before the certbot process I use another vhost config for that domain, using only Port 80 to let the authentication process work)
MY QUESTION / MISCONCEPTION
I understand my apache vhost configuration like this:
- catch all http requests (all domains, with and without www) and redirect them to https://example.com
- catch all https requests (all domains except example.com, with and without www) and redirect them to https://example.com
- finally catch https requests for example.com and serve the DocumentRoot with all the config as told in that third VirtualHost Block.

- Why is the browser complaining in some cases, that the certificate is not valid for the given domain?
- Is there a better/easier way to achieve what I want? Am I misunderstanding concepts of Apache-Redirections in that circumstance (SSL, no-www, letsencrypt)? Am I missing some part while using the certbot command?
Best Answer
Are you obtaining a certificate for example.de? Even if you are doing a 301 redirect, the browser first requests SSL for the domain which is redirected to another domain, for example: https://www.example.de is redirected to https://example.com.
So the domain (https://www.example.de) must also have a valid SSL certificate, as it is requested first by the browser. This would not be the case if you redirect non-SSL http://www.example.de to https://example.com.
So make sure you issue an SSL certificate for all SSL domains. Test those domains without redirection, and then implement your redirections.
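
The check the answer describes, as an added example that is not part of the original question or answer: it lists which https:// redirect sources a certificate's SAN entries fail to cover, and can probe a running server with hostname verification on. The function names are hypothetical and the SAN list is a constructed sample.

```python
import socket
import ssl
from urllib.parse import urlsplit

def san_matches(host, san):
    """RFC 6125-style match: exact, or '*' as the whole left-most label."""
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if not san.startswith("*."):
        return host == san
    # A wildcard covers exactly one label: *.example.de matches
    # www.example.de, but not example.de and not a.b.example.de.
    head, _, tail = host.partition(".")
    return bool(head) and tail == san[2:]

def uncovered_https_sources(redirect_sources, cert_sans):
    """Return https:// source hosts that no SAN covers (http:// needs no cert)."""
    missing = []
    for url in redirect_sources:
        parts = urlsplit(url)
        if parts.scheme != "https":
            continue
        if not any(san_matches(parts.hostname, san) for san in cert_sans):
            missing.append(parts.hostname)
    return missing

def live_name_check(host, port=443, timeout=5.0):
    """Handshake with SNI and verification on; False on any cert failure."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return False

# Redirect sources from the question; the SAN list is a constructed sample
# of a certificate that was issued without the www.example.de name.
SOURCES = [
    "http://example.com", "http://www.example.com", "https://www.example.com",
    "http://example.de", "http://www.example.de",
    "https://example.de", "https://www.example.de",
]
SAMPLE_SANS = ["example.com", "www.example.com", "example.de"]

if __name__ == "__main__":
    print(uncovered_https_sources(SOURCES, SAMPLE_SANS))
```

`live_name_check` needs network access to the server under test; run it for every name in ServerName and ServerAlias of each *:443 vhost before enabling the redirects.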