SSL Certificate, Redirect, No-www Configuration in Apache

Tags: 301-redirect, apache-2.4, certbot, ssl-certificate

MY GOAL

I would like to make a website accessible only via SSL (encrypted) and with many domains redirecting to only one master domain (no duplicate content) and all www variants should be no-www.

The website is hosted by an Apache server and configured as a virtual host.

I would like to have the redirections as follows:

http://example.com -> https://example.com

http://www.example.com -> https://example.com

https://www.example.com -> https://example.com

http://example.de -> https://example.com

http://www.example.de -> https://example.com

https://example.de -> https://example.com

https://www.example.de -> https://example.com

[…]

THE ERROR / PROBLEM

My problem is that certain requests (like https://www.example.de) are redirected to https://example.com but e.g. Firefox says the connection is not secure (SSL_ERROR_BAD_CERT_DOMAIN). Some others work.

My vhost config looks like this:

<VirtualHost *:80>
  ServerName www.example.com
  ServerAlias example.com www.example.de example.de
  RedirectMatch 301 (.*) https://example.com$1
</VirtualHost>

<VirtualHost *:443>
  ServerName www.example.com
  ServerAlias www.example.de example.de
  RedirectMatch 301 (.*) https://example.com$1
</VirtualHost>

<VirtualHost *:443>
  ServerName example.com
  ServerAdmin webmaster@example.com
  DocumentRoot /var/www/example
  <Directory "/var/www/example">
    AllowOverride All
    AuthType Basic
    AuthName "Example.com Temporary Preview"
    AuthUserFile /var/www/users
    Require user example-dev
  </Directory>

  Include /etc/letsencrypt/options-ssl-apache.conf
  SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>

I am using certbot for verifying the domains and obtaining the SSL certificate from letsencrypt like this:

sudo certbot --authenticator webroot --installer apache certonly

then selecting all the domains (which the apache installer guesses perfectly) and specifying the webroot for the authentication process in the interactive CLI installer.

(Before the certbot process I use another vhost config for that domain, using only port 80 to let the authentication process work.)

MY QUESTION / MISCONCEPTION

I understand my apache vhost configuration like this:

  • catch all http requests (all domains, with and without www) and redirect them to https://example.com

  • catch all https requests (all domains except example.com, with and without www) and redirect them to https://example.com

  • finally catch https requests for example.com and serve the DocumentRoot with all the config as told in that third VirtualHost Block.


  1. Why is the browser complaining in some cases that the certificate is not valid for the given domain?

  2. Is there a better/easier way to achieve what I want? Am I misunderstanding concepts of Apache-Redirections in that circumstance (SSL, no-www, letsencrypt)? Am I missing some part while using the certbot command?

Best Answer

Are you obtaining a certificate for example.de? Even if you are doing a 301 redirect, the browser first requests SSL for the domain which is redirected to another domain, for example: https://www.example.de is redirected to https://example.com.

So the domain (https://www.example.de) must also have a valid SSL certificate, as it is requested first by the browser. This would not be the case if you redirect non-SSL http://www.example.de to https://example.com.

So make sure you issue an SSL certificate for all SSL domains. Test those domains without redirection, and then implement your redirections.
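
A way to check the point made in the answer before deploying, as an added example that is not part of the original question or answer: it lists every hostname declared in a `*:443` virtual host and reports those not covered by the certificate's subject alternative names, which are the hosts that fail with SSL_ERROR_BAD_CERT_DOMAIN before any redirect is sent. The function names are hypothetical, the config is a trimmed copy of the one in the question, and the SAN list is a constructed assumption.

```python
import re

# Constructed sample: the virtual hosts from the question, trimmed to the name directives.
VHOSTS = """
<VirtualHost *:80>
  ServerName www.example.com
  ServerAlias example.com www.example.de example.de
</VirtualHost>
<VirtualHost *:443>
  ServerName www.example.com
  ServerAlias www.example.de example.de
</VirtualHost>
<VirtualHost *:443>
  ServerName example.com
</VirtualHost>
"""

# Assumed SAN list of the certificate being served (constructed, not taken from the page).
CERT_SANS = ["example.com", "www.example.com"]

def https_names(conf):
    """Return every ServerName/ServerAlias declared inside a *:443 virtual host."""
    names = []
    blocks = re.findall(r"<VirtualHost\s+[^>]*:443>(.*?)</VirtualHost>", conf, re.S | re.I)
    for block in blocks:
        for line in block.splitlines():
            parts = line.split()
            if parts and parts[0].lower() in ("servername", "serveralias"):
                for name in parts[1:]:
                    if name.lower() not in names:
                        names.append(name.lower())
    return names

def san_matches(host, san):
    """Exact match, or a wildcard SAN standing in for exactly one leftmost label."""
    host, san = host.lower(), san.lower()
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return host == san

def uncovered(conf, sans):
    """Hostnames reachable over HTTPS that the certificate does not cover."""
    return [h for h in https_names(conf) if not any(san_matches(h, s) for s in sans)]

if __name__ == "__main__":
    for host in uncovered(VHOSTS, CERT_SANS):
        print(f"{host}: no matching SAN, the TLS handshake fails before the 301 is sent")
```

Port 80 names are ignored on purpose: a plain-HTTP request involves no certificate, so only the names served on 443 need coverage.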
