Auto-renew with htaccess redirect on multidomain site


#1

Background: I’ve got a multidomain Drupal site - the same folder serves domain1.com, domain2.com and domain3.com, serving somewhat different content for each.
I can install a LE SAN cert from my host’s control panel - Cloudways/DigitalOcean - without issue, and it auto-renews without issue.
I use .htaccess to force http to https, again, without issue.

Problem: I now have an additional domain, redirect.com, which I’d like to redirect to domain3.com. If I set up a 301 redirect in htaccess it mostly works:

    RewriteCond %{HTTP_HOST} redirect.com$
    RewriteRule ^ http%{ENV:protossl}://domain3.com/ [R=301,L]

However:

  • if I try to add redirect.com to the LE SAN cert alongside domain1, domain2 and domain3, I can’t get my host’s control panel to create the cert; it fails because of the redirect and tells me to make sure my domains are properly pointed.
  • if I do NOT add redirect.com to the SAN cert, http://redirect.com redirects successfully to https://domain3.com but if a user goes to https://redirect.com, Chrome throws a certificate/security warning.

My host’s tech support tells me that it’s a known issue and that I can temporarily remove the redirect rule (temporarily serving content at redirect.com?), install the SAN cert through their control panel, then re-introduce the redirect rule.
BUT then the cert won’t auto-renew in 90 days; I need to manually repeat the process.

Question: Does anyone have an idea for a setup that allows https://redirect.com to redirect to https://domain3.com? Either on its own cert or as part of the SAN cert beside the other domains?
One idea: is there a rule I could add to htaccess to force https://redirect.com requests to http://redirect.com, then redirect via 301 to https://domain3.com, so I wouldn’t need a certificate for redirect.com? What would that look like?

Thanks! I’m a capable intermediate re: hosting/server/command line issues but a bit of a novice with certs.


#2

I would expect that trying to exclude /.well-known/acme-challenge from the redirect would work. That is, redirect everything except requests to that resource.
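
The exclusion suggested in #2, written out as an .htaccess sketch (an added example, not part of either post). It reuses the rule from #1 and assumes the host validates with the ACME HTTP-01 challenge, served from this site's web root, and that the block sits above any other redirect rules in the file:

```apache
# Added example: redirect redirect.com to domain3.com, except for ACME
# HTTP-01 validation requests, so the CA can still fetch the challenge
# token from redirect.com itself at issuance and at every renewal.
RewriteEngine On

# Only requests whose Host header is redirect.com (rule from post #1).
RewriteCond %{HTTP_HOST} redirect.com$
# Skip the redirect for the challenge path. REQUEST_URI keeps its leading
# slash, also in per-directory (.htaccess) context.
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
RewriteRule ^ http%{ENV:protossl}://domain3.com/ [R=301,L]
```

With the challenge path exempt, redirect.com can stay in the SAN cert across renewals, so https://redirect.com presents a valid certificate before the 301 is sent.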