Old domain can still access server's content, even when freeSSL certificate has been modified to a new domain


#1

My domain is: www.folkcam.com (old), v.jernal.com (new)

I ran this command: enter www.folkcam.com in website

It produced this output: a warning occurs, but it can still access my server’s content, even though my freeSSL certificate has been modified to v.jernal.com and only v.jernal.com.

My web server is (include version): apache-tomcat8

The operating system my web server runs on is (include version): Amazon Linux

I can login to a root shell on my machine (yes or no, or I don’t know): yes


#2

Hi @oneofusers,

In the certificate system, new certificates never invalidate old certificates. The certificate says that a certain encryption key is valid with a particular domain, which doesn’t mean that other keys are not valid or that other servers are not also used by that domain. When you change the domain coverage of a certificate, you’re really asking the certificate authority to issue a new certificate, which doesn’t invalidate or alter the old one—assuming that the old one continues to be used by a server somewhere.

Certificates also don’t control, or even affect, site content. Whether or not you have a certificate, and regardless of what the certificate says, a web server can serve (or not serve) any content.

If you want to shut down the old site, or make the old site redirect visitors to the new site, you’ll need to update your web server (apparently hosted by Amazon AWS, although maybe you have a different provider who rents servers from Amazon), or your DNS records (apparently hosted by GoDaddy). The behavior of the web server at AWS and the DNS records published by GoDaddy together control what visitors to your site see, or which server their browsers contact when trying to visit your site.


#3

Hi schoen,

Thanks for sharing so many details. If I just want to allow visitors who use v.jernal.com to access my website, and the others who don’t use v.jernal.com would not have access, how do you suggest I do this? If someone else binds his own domains to my server IP, how can I prevent the visitors from his domain from accessing my website?


#4

The problem is in the Apache configuration.
Apache is notorious for running at all cost.
In this case, it seems that there is no “default” site and all TLS/SSL connections that are not reaching a defined virtual host (ServerName) are being directed to the v.jernal.com virtual host config.
Even http://your.ip/ (after forwarding to https and giving the security warning) displays the v.jernal.com site.

So change the config to include a default virtual host config (ServerName _) and deal with those unwanted connections whichever way you want.
[you may need to include http and https virtual hosts to cover all possible misdirected connections]


#5

Yeah, I just configured server.xml, it works fine now!
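
One way to apply the default-host advice from #4 in Tomcat's server.xml, shown as an added example that is not part of the thread and not the configuration the poster in #5 used. The `catchall` host name and the empty `catchall-apps` directory are hypothetical names chosen for illustration.

```xml
<!-- Added example: fragment of conf/server.xml (inside <Service>). -->

<!-- Stock layout, for comparison: the only Host is also the defaultHost,
     so a request with ANY Host header (old domain, bare IP, someone
     else's domain pointed at this IP) is served from webapps/.

<Engine name="Catalina" defaultHost="localhost">
  <Host name="localhost" appBase="webapps"
        unpackWARs="true" autoDeploy="true" />
</Engine>
-->

<!-- Corrected layout: unmatched Host headers fall through to a host
     that has nothing deployed. -->
<Engine name="Catalina" defaultHost="catchall">

  <!-- "catchall" and "catchall-apps" are hypothetical names.
       catchall-apps must be an empty directory under CATALINA_BASE;
       with no webapp deployed there, every request gets a 404. -->
  <Host name="catchall" appBase="catchall-apps"
        unpackWARs="false" autoDeploy="false" deployOnStartup="false" />

  <!-- The real site is served only when the request's Host header
       is v.jernal.com. -->
  <Host name="v.jernal.com" appBase="webapps"
        unpackWARs="true" autoDeploy="false" />

</Engine>
```

With this layout, a request for www.folkcam.com or the bare IP still completes the TLS handshake with the v.jernal.com certificate and shows the name-mismatch warning, but Tomcat then answers 404 instead of serving the site.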

