Redirect https traffic from old domain to new domain internally

We are in the process of moving from a .org address to a new .gov address. I have a WAF that handles all of the external redirects without an issue.

We setup the redirect internally, and that is working as expected for the http traffic. The https traffic is obviously not working correctly.

Do I simply need a certificate to redirect all of our internal https traffic to the new domain?

Why not? For me it's not so obvious to be honest.

4 Likes

I must have asked this incorrectly. We moved from tmlhb.org to txhb.gov. There is no longer a valid certificate for the tmlhb.org domain. Our internet traffic works correctly, as the WAF handles the redirect. Do we just need a 2nd certificate for tmlhb.org to work correctly for the https traffic on our internal network?

I can see a perfectly fine certificate issued 19 June for tmlhb.org and www.tmlhb.org on those sites?

You're not providing us with much information I'm afraid to say. Please provide exact the exact steps which resulted in an error/warning/issue and please also provide what the exact error/warning/issue was/is. If necessary with screenshots.

3 Likes

When a user is connected to the VPN and they click on a link to https://www.tmlhealthbenefits.org they see the error message - Your connection isn't private. It will work fine if you are not connected to my VPN. If you type tmlhealthbenefits.org if your browser, it should automatically redirect you to txhb.gov.

When they are connected to the VPN, if they type http://www.tmlhealthbenefits.org it will automatically redirect (per the rule I wrote in IIS) to https://www.txhb.gov.

But if they type https://www.tmlhealthbenefits.org it causes the certificate error. Do I simply need a certificate for tmlhealthbenefits.org?

You already have one covering tmlhealthbenefits.org and www.tmlhealthbenefits.org. At least, from the public internet.

How VPN comes into play, I dunno, I cannot test that obviously.

It does not, your firewall is geoblocking me. Note that geoblocking is a common cause for failure to issue Let's Encrypt certificates when using the http-01 or tls-alpn-01 challenges.

2 Likes

@JamieB I don't see the same problem as you describe. But, as @Osiris noted, I can't test the VPN but I am not geo-blocked (my server is in US)

curl -I http://www.tmlhealthbenefits.org
HTTP/1.0 302 Redirect
Connection: Close
Location: https://www.tmlhealthbenefits.org/

This works fine and uses the cert for this domain from Jun30
curl -I https://www.tmlhealthbenefits.org
HTTP/1.1 301 Moved Permanently
Content-Type: text/html
Content-length: 0
Connection: Close
Location: https://www.txhb.gov/

curl -I https://www.txhb.gov/
HTTP/1.1 200 OK
Set-Cookie: ASP.NET_SessionId=t0rfqgfxf3lmwvq1avxjaeud; path=/; HttpOnly; SameSite=Lax
4 Likes

Is there a link or how do I request a certificate via Let's Encrypt? It is working as expected outside of our office and I need to request a certificate so that I can do the redirect for the internal side of the https traffic. Thanks for the responses.

1 Like

Do you host your outside content from a server within your site?

3 Likes

The server is local on our network.

Then I'm confused on how it provides different results.
Where:

  • outside users see one thing [correct]
  • inside users see another thing [incorrect]
3 Likes

The firewall is probably terminating the TLS connection, as I can see the geoblock error through a perfectly fine and secure TLS connection :wink:

2 Likes

Maybe this message will help. This is on a server within our network. If not, where do I request a certificate at?

You have a perfectly good cert issued just a few days ago for that domain (link here)

It looks like your server, when accessed internally, doesn't use it.

Instead, your request to tmlhealthbenefits.org is getting handled by a cert using a wildcard cert. Note the *.txhb.gov in the error message. The only wildcard cert I see for that name is from GoDaddy issued Jun13. Unless you got one just now from Let's Encrypt which hasn't shown in the logs yet.

Does your local DNS resolve tmlhealthbenefits.org to the correct server IP? What server is using the GoDaddy wildcard *.txhb.gov cert? How do requests even end up there?

5 Likes

I agree. I am thinking I need one more certificate to handle the https traffic to tmlhealthbenefits.org. The certificate it was using got moved to handle txhb.gov. The guy that did that is out of the office, but I can get details on Wednesday, 7/5. But I am thinking if I can get a certificate from Let's Encrypt, then that would resolve the issue for me.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.