httpd-users mailing list archives

From rank1see...@gmail.com
Subject Re: [users@httpd] SSL cert for alias too
Date Fri, 17 Jul 2009 18:32:00 GMT
Igor...

You have 2 SAME rewrite rules!

Now I will translate what they mean:
IF page is requested on NON-SSL port 80 THEN rewrite url to SSL version of 
it, with www..., --> redir 301, last(stop rewriting)


NOW, do you understand that second rewrite block inside <VirtualHost 
_default_:443> will NEVER get executed.
So delete it from there

And the first rewrite rule (which is same as second), will NOT trigger if you 
access by:
https://www.domain.com
https://domain.com
... and no rewriting will occur for https://domain.com
As port = 80, rule is not satisfied!

So for one of those domains, you will get SSL cert mismatch, as you can 
have cert just for one domain!



----- Original Message -----
From: Igor Cicimov <icicimov@gmail.com>
To: users@httpd.apache.org
Date: Thu, 16 Jul 2009 14:36:04 +1000
Subject: Re: [users@httpd] SSL cert for alias too

> Of course it works if you do it right.
> 
> 
> 1. Outside ssl virtual host:
> 
> RewriteEngine On
> RewriteCond %{SERVER_PORT}  ^80$
> RewriteRule ^(.*)$ https://www.domain.com$1 [R=301,L]
> 
> 
> 2. Inside the ssl virtual host:
> 
> <VirtualHost _default_:443>
> ServerName  domain.com
> ServerAlias www.domain.com
> 
> RewriteEngine On
> RewriteCond %{SERVER_PORT}  ^80$
> RewriteRule ^(.*)$ https://www.domain.com$1 [R=301,L]
> .
> .
> .
> SSLEngine on
> SSLProtocol -ALL +SSLv3 +TLSv1
> SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
> SSLCertificateFile /usr/local/apache2/conf/ssl.crt/www.domain.crt
> SSLCertificateKeyFile /usr/local/apache2/conf/ssl.crt/unencrypted.key
> SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/intermediatecrt.crt
> .
> .
> .
> 
> 
> </VirtualHost>
> 
> 
> 
> It works for me for sure don't see any reason why it shouldn't work for
> you?
> 
> Cheers,
> 
> Igor
> 
> On Thu, Jul 16, 2009 at 7:00 AM, Aaron Turner <synfinatic@gmail.com> wrote:
> 
> > On Wed, Jul 15, 2009 at 12:34 PM, <rank1seeker@gmail.com> wrote:
> > > I did a redirect, that works both for http and https. But still...
> > > Request for domain.com just BEFORE redirect to www.domain.com,
> > > Issues warning in browser and in my apache error log I get line:
> > > [warn] RSA server certificate wildcard CommonName (CN) `*.domain.com' does
> > > NOT match server name!?
> > >
> > > After AND IF client ignores warning, he gets redirected properly
> > >
> > > What now?
> > > SSL cert for each, as SSL wildcard doesn't work in this case.
> >
> > You need two certs.  www.domain.com and domain.com.
> >
> > Redirect won't work in this case because it is done at the HTTP layer
> > and the SSL handshake occurs before the GET request.
> >
> >
> > --
> > Aaron Turner
> > http://synfin.net/
> > http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix &
> > Windows
> > Those who would give up essential Liberty, to purchase a little temporary
> > Safety, deserve neither Liberty nor Safety.
> >    -- Benjamin Franklin
> >
> > ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP Server Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> >
> >
> 
> 
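
The behaviour discussed in this thread, as an added example that is not part of any poster's message: a small Python model of the port-80 rewrite rule and of the certificate name check that precedes it on HTTPS. The function names and the cert_names input are assumptions made for illustration; the rule and the wildcard CN are the ones quoted above.

```python
import re

def cert_name_matches(cert_name: str, host: str) -> bool:
    """Hostname check as TLS clients do it: '*' stands for exactly one
    leftmost label, so '*.domain.com' never covers bare 'domain.com'."""
    c, h = cert_name.lower().split("."), host.lower().split(".")
    if len(c) != len(h):
        return False
    if c[0] == "*":
        return c[1:] == h[1:]
    return c == h

def rewrite(server_port: int, url_path: str):
    """The rule quoted in the thread:
         RewriteCond %{SERVER_PORT} ^80$
         RewriteRule ^(.*)$ https://www.domain.com$1 [R=301,L]
    Returns the 301 target, or None when the condition fails."""
    if not re.search(r"^80$", str(server_port)):
        return None
    m = re.search(r"^(.*)$", url_path)
    return "https://www.domain.com" + m.group(1)

def handle(scheme: str, host: str, url_path: str, cert_names):
    """Model one request in protocol order. cert_names is a constructed
    input: the names the certificate presented on :443 is valid for."""
    port = 443 if scheme == "https" else 80
    if scheme == "https" and not any(cert_name_matches(n, host) for n in cert_names):
        # Handshake happens before any HTTP request is read, so the
        # client warns here and mod_rewrite has not run yet.
        return ("cert-warning", None)
    target = rewrite(port, url_path)
    return ("301", target) if target else ("served", None)

if __name__ == "__main__":
    wildcard = ["*.domain.com"]  # CN from the error log in the thread
    for scheme, host in [("http", "domain.com"), ("http", "www.domain.com"),
                         ("https", "www.domain.com"), ("https", "domain.com")]:
        print(f"{scheme}://{host}/ ->", handle(scheme, host, "/", wildcard))
```

Passing a cert_names list that covers both names shows the second point made in the reply: the HTTPS request is then served without a warning, but still without any redirect, because the port condition is never true on 443.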
