How redirect Apache HTTPS subdomain to main domain

danjde · June 10, 2020, 12:15pm

Hi Friends!
I would like to redirect https://www.sub.example.com to https://www.example.com

For non https, no one issue, but trying to redirect HTTPS subdomain encounter difficulties.

I’ve a Letsencrypt certifcate, only for “https://www.example.com” and I would not to request a new one for the subdomain too.

I’ve create a new one Apache virtualhost:

<VirtualHost *:80>
    ServerName www.sub.example.com
    Redirect permanent / http://www.example.com
</VirtualHost>

and this works fine, but adding on the same virtualhost the 443 directive it doesn’t work:

<VirtualHost *:443>
   ServerName www.sub.example.com
    Redirect permanent / http://www.example.com
   SSLEngine On
</VirtualHost>

obtaining an SSL warning: “This site is insecure…”
How could I get around the obstacle?

Many many thanks!

Davide

rg305 · June 10, 2020, 12:30pm

Apache is notorious for running at all cost.
Which may mean that even thou it is running, the config may not be doing exactly what you think it is or what you want it to do.
I don't see anything particularly wrong with the code you have shown.
I think the problem is elsewhere within your code (where we haven't been shown).
What does this show?:
apachectl -S

Note: I'm presuming that you did use, but intentionally left out the lines in your example post with,
SSLCertificateFile and SSLCertificateKeyFile

danjde · June 10, 2020, 1:13pm

VirtualHost configuration:
*:80                   is a NameVirtualHost
         port 80 namevhost bottarisistemi.it (/etc/apache2/sites-enabled/bottarisistemi.it.conf:1)
                 alias www.bottarisistemi.it
         port 80 namevhost www.sio4.bottarisistemi.it (/etc/apache2/sites-enabled/sio4.bottarisistemi.it.conf:1)
*:443                  is a NameVirtualHost
         port 443 namevhost bottarisistemi.it (/etc/apache2/sites-enabled/bottarisistemi.it.conf:33)
                 alias www.bottarisistemi.it
         port 443 namevhost www.sio4.bottarisistemi.it (/etc/apache2/sites-enabled/sio4.bottarisistemi.it.conf:6)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default 
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: ENABLE_USR_LIB_CGI_BIN
User: name="www-data" id=33
Group: name="www-data" id=33

And here if I go to www.sio4.bottarisistemi.it all works fine, but going to https://www.sio4.bottarisistemi.it (forcing https into the address bar) obtain a certificate error, that I think correct, but I'm wondering if it is possible to perform a redirect of this (or other) kind, avoiding to request an additional certificate..

Sure, but the certificate does not include www.sio4.bottarisistemi.it or sio4.bottarisistemi.it, is there any way around this?

many thanks!

Davide

rg305 · June 10, 2020, 1:18pm

There is a redirect back to HTTP:

curl -Iki https://www.sio4.bottarisistemi.it/
HTTP/1.1 301 Moved Permanently
Date: Wed, 10 Jun 2020 13:17:48 GMT
Server: Apache/2.4.38 (Debian)
Location: http://www.bottarisistemi.it/
Content-Type: text/html; charset=iso-8859-1

We need to see this file:
/etc/apache2/sites-enabled/sio4.bottarisistemi.it.conf

rg305 · June 10, 2020, 1:20pm

There is no way to accept (and create a valid) an HTTPS connection to a name that doesn't have a cert that matches the name requested.
The only "way around" is to NOT use HTTPS to that name or get a cert for that name to use.

danjde · June 10, 2020, 1:36pm

<VirtualHost *:80>
    ServerName www.sio4.bottarisistemi.it
    Redirect permanent / http://www.bottarisistemi.it/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.sio4.bottarisistemi.it
    Redirect permanent / http://www.bottarisistemi.it/
    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/server3.sio4.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/server3.sio4.org/privkey.pem
#   RewriteEngine On
#   RewriteCond %{HTTP_HOST} ^(.+)\sio4.bottarisistemi\.it$ [NC]
#   RewriteRule (.*) http://bottarisistemi.it/$1 [L,R=301,QSA]
</VirtualHost>

Ah, you confirm that it is not possible then!
So I must request another one certificate...

Thanks again!

danjde · June 10, 2020, 1:44pm

Well, requesting a new certificate, all works fine!
But my curiosity was “only didactic”, to understand if it was possible by bypassing the new one certificate request.

Many thanks!

Davide

system · July 10, 2020, 1:44pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.