I have about 10 domains sharing one self-signed SSL certificate. This morning I decided to create a virtualhost with a non-shared certificate, signed by a CA. As everybody knows, the only way(s) is to assign a private IP or run HTTPS on a different port. The different port was the way I decided to try…
So I set port 444 instead of 443, I got a free signed certificate and installed it via Virtualmin’s environment ‘Manage SSL Certificate’. Everything is fine and working well. My URL https://www.example.com:444 reports a signed and verified certificate. But…
The problem I want to solve is, when somebody tries https://www.example.com (without a specified port), he is transferred to the first SSL-enabled virtualhost with the self-signed cert, which means in some browsers a ‘red error’. He is still on domain https://www.example.com, but he views the content of the other virtualhost. So my first idea (and I guess yours too) is simply to redirect all requests @https://www.example.com TO https://www.example.com:444 – seems like an easy job :-), but…
I didn’t figure out how to get this to work properly, so I want to ask you, please, do you know how?
I TRIED:
1) Adding a virtualhost listening on 443 to the apache conf of this new virtual, and via RewriteRules redirecting all requests to the URL with the :444 port. It ‘works’ halfway, because the browser first gets the self-signed cert = error. No clean way.
2) Adding redirect rules to the first SSL-enabled virtualhost; this works the same way as 1).
I have a suspicion that some proxying might solve this, but I have absolutely no skills with it, so thanks for any help.
(+ a little question for the end: is it somehow possible to show the https://example.com:444 content without the port being visible?)
Yeah, the problem is that using an alternate port for SSL isn’t the best way to handle that, using a dedicated IP is the best way to provide SSL for a domain.
The trouble is that the SSL connection is negotiated before any content or configuration is read – so it’s not actually possible to solve the problem you’re describing.
That is, if someone connects to https://example.com, you could add in a .htaccess file or similar to redirect the user to port 444, but they will always receive an SSL warning before that redirect occurs.
Now, you could add a redirect so that someone connecting to port 80 for that domain is redirected to port 444, but it’s not possible to do that with port 443 in a way that prevents a warning from popping up.
My suggestion would be to splurge on a new IP address for this particular domain; that would solve all the problems you’re describing above.
For every other virtual where we want SSL and have no private IP available, we set some unique port for SSL.
This I guess can work without any errors. But the point still is: is there any other way to redirect the https request before it gets to the apache conf?
Another thing that should be considered: is it better to have self-signed HTTPS on the default port 443, or signed by a CA on a non-standard port? (assuming IP addresses are unavailable) What is more secure (no matter how difficult the setup is)?
“As everybody knows, the only way(s) is to assign a private IP or run HTTPS on a different port.”
This is not correct. Newer versions of apache come with a mod_ssl version that supports SNI (“name-based SSL”), which works with pretty much all modern browsers. Maybe sufficient in your case?
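To illustrate the SNI approach suggested above, here is an added example of two name-based SSL virtualhosts on one IP and the standard port 443, plus a port-80 redirect; it is not configuration from this thread, and the hostnames, document roots and certificate paths are assumptions.

```apache
# Added example: name-based SSL (SNI) in Apache mod_ssl.
# Requires Apache 2.2.12 or later with mod_ssl built against an SNI-capable
# OpenSSL (0.9.8k+). On Apache 2.2 also add: NameVirtualHost *:443
Listen 443

# First SSL vhost on this IP/port. Apache uses it as the default for any
# client that sends no SNI hostname, so such clients get THIS certificate.
# Put the CA-signed domain first to avoid the "wrong cert" warning.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/example          # assumed path
    SSLEngine on
    SSLCertificateFile      /etc/ssl/example/ca-signed.crt   # assumed
    SSLCertificateKeyFile   /etc/ssl/example/ca-signed.key   # assumed
    SSLCertificateChainFile /etc/ssl/example/ca-chain.crt    # assumed
</VirtualHost>

# Second SSL vhost on the SAME IP and port, selected by the SNI hostname
# the browser sends in the TLS ClientHello, before any HTTP request.
<VirtualHost *:443>
    ServerName www.other.example            # assumed hostname
    DocumentRoot /var/www/other             # assumed path
    SSLEngine on
    SSLCertificateFile    /etc/ssl/other/selfsigned.crt      # assumed
    SSLCertificateKeyFile /etc/ssl/other/selfsigned.key      # assumed
</VirtualHost>

# Optional hardening: reject non-SNI clients with a 403 instead of silently
# serving them the default vhost's content and certificate (default: Off).
# SSLStrictSNIVHostCheck on

# Plain HTTP on port 80: send visitors to HTTPS on 443, no :444 needed.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>
```

You can check which certificate each name receives with `openssl s_client -connect www.example.com:443 -servername www.example.com` and compare the output against the same command with `-servername www.other.example`.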