SSL – Subdomain redirect to the external IP – SSL certificate not valid

Tags: apache2, certificate, redirect, ssl, subdomain

I am running a local Ubuntu server as my cloud. This machine is reachable from the outside via my router's port forwarding. This works fine (via IP). Now I created a subdomain in my existing 1und1 domain and used "domain-redirect" to redirect this subdomain xxx.mydomain.com to my external (static) IP with port, which looks like this: https://ip.ip.ip.ip:2000/nextcloud
This is also working fine (but it puts the IP in the address bar instead of xxx.mydomain.com), but the standard Ubuntu SSL cert is obviously not trustworthy. That's why I bought a cheap SSL cert from Comodo for my subdomain: xxx.mydomain.com
Then I imported the certificate to my Ubuntu server (/etc/ssl/certs…) and corrected /etc/apache2/sites-available/nextcloud.conf
(SSLCertificateFile and SSLCertificateKeyFile). This (after an apache2 restart) led to the browser reading the Comodo SSL certificate when browsing to xxx.mydomain.com.

Problem: The Comodo Cert is still not trusted (There are issues with the site's certificate chain (net::ERR_CERT_COMMON_NAME_INVALID).)

Does this have something to do with the redirecting process? And if yes, how can I solve it?
Or have I missed something else?

Thanks in advance!

Edit: This is the nextcloud.conf file:

# Serve the Nextcloud tree under /nextcloud as well as at the document root
Alias /nextcloud "/var/www/nextcloud/"
<VirtualHost *:443>
    # The name the certificate was issued for; must match what is in the address bar
    ServerName          cloud.myDomain.com
    DocumentRoot        /var/www/nextcloud

    SSLEngine               on
    # Private key, leaf certificate and the Comodo intermediate bundle
    SSLCertificateKeyFile   /etc/ssl/private/myComodo.key
    SSLCertificateFile      /etc/ssl/certs/myComodo.crt
    SSLCertificateChainFile /etc/ssl/certs/myComodo.ca-bundle
</VirtualHost>
<Directory /var/www/nextcloud/>
    Options +FollowSymlinks
    AllowOverride All

    # Nextcloud ships its own WebDAV endpoint, so Apache's mod_dav must stay off
    <IfModule mod_dav.c>
        Dav off
    </IfModule>

    SetEnv HOME /var/www/nextcloud
    SetEnv HTTP_HOME /var/www/nextcloud

</Directory>

Best Answer

The problem is most probably the redirect.

Let's say you use sub.domain.tld and you get a certificate for this host.

The second you redirect the visitor to 11.22.33.44 the certificate is no longer "valid", because it was set up to work for (COMMON_NAME) https://sub.domain.tld and not https://11.22.33.44.

The only real solution would be to work with A/CNAME records. If you do not have a static IP you could use a free dynamic DNS and then set up a CNAME record.
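To make the mismatch the answer describes concrete, here is an added example (not part of the question or the answer above) of the name check a browser performs: the host from the address bar is compared against the certificate's subjectAltName entries (falling back to the commonName only when no SAN is present, per RFC 6125; Chrome has ignored the CN altogether since version 58). An IP literal such as 11.22.33.44 can only ever match an iPAddress SAN, never a dNSName entry, so a certificate bought for sub.domain.tld fails the moment the redirect puts the IP in the URL. The certificate dictionaries below are constructed for the example in the shape Python's `ssl.SSLSocket.getpeercert()` returns; the names cloud.example.com and 203.0.113.10 are placeholders.

```python
import ipaddress

# Constructed sample (assumed names): a DV certificate for cloud.example.com
# with a matching dNSName SAN, as returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "cloud.example.com"),),),
    "subjectAltName": (("DNS", "cloud.example.com"),),
}


def _dns_label_match(pattern, host):
    """RFC 6125 style matching: case-insensitive, and a single '*' is only
    allowed as the entire left-most label (so *.example.com matches
    cloud.example.com but not a.b.example.com, and *.com is rejected)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if len(p_labels) < 3 or p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """Return (dns_names, ip_addresses) the verifier may match against.
    The commonName is consulted only when the certificate carries no
    subjectAltName extension at all."""
    sans = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in sans if kind == "DNS"]
    ip_addresses = [value for kind, value in sans if kind == "IP Address"]
    if not sans:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns_names.append(value)
    return dns_names, ip_addresses


def hostname_matches(cert, requested):
    """Does `requested` (the host part of the URL in the address bar) match
    the certificate? This is the check behind ERR_CERT_COMMON_NAME_INVALID."""
    dns_names, ip_addresses = cert_names(cert)
    try:
        addr = ipaddress.ip_address(requested)
    except ValueError:
        # A DNS name: compare against dNSName entries (wildcards allowed).
        return any(_dns_label_match(p, requested) for p in dns_names)
    # An IP literal: only an iPAddress SAN can satisfy it; dNSName entries never do.
    return any(ipaddress.ip_address(ip) == addr for ip in ip_addresses)


if __name__ == "__main__":
    # The redirect target is the public IP (placeholder), so the browser
    # checks the IP against the certificate and fails.
    for url_host in ("cloud.example.com", "203.0.113.10"):
        verdict = "OK" if hostname_matches(SAMPLE_CERT, url_host) else "MISMATCH"
        print(f"{url_host:20} -> {verdict}")
```

The same function shows why buying a certificate with the IP in it is not the fix either: a public CA would have to put 203.0.113.10 into an iPAddress SAN, which the cheap DV certificate for the subdomain does not contain. Pointing an A (or CNAME) record at the server so the address bar keeps showing cloud.example.com is what makes the existing certificate match.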