
After some internet searches, I've determined that the HTTP request sent before the SSL connection dictates to the browser which IP address the domain is registered against. As a result, any forced redirects will subsequently use the original certificate.

^ Is my above understanding correct? Can someone tell me exactly where this occurs in the HTTP request?

I have an Apache2 server and was forcing a 301 redirect from my old https domain to a new https domain. This caused problems no matter what settings I tried.

If I used the old certificates on the redirect: This resulted in the old certificates being used on the new domain.

If I used the new certificates on the redirect: This resulted in the new certificates being used on the old domain.

Both resulted in an SSL Security exception.

I'm using standard wildcard certificates with no SAN functionality.

For now, I've had to set up a new server to do this without receiving a security exception from a browser.

  • Look up SNI (Server Name Indication). – Rob W Jun 01 '16 at 06:53
  • @RobW Found the following: https://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm - This covers something I already tried and still had a security exception with multiple browsers. Both certs are wildcard certs. –  Jun 01 '16 at 08:57
  • Are you using modern browsers (e.g. Firefox/Chrome, not IE8 on Windows XP), and did you verify that the server sends the correct response (expected certificate matching the website's domain of the requested URL, and a redirect to the correct URL)? – Rob W Jun 01 '16 at 10:20

2 Answers

4

... I've determined that the HTTP request sent before the SSL connection dictates to the browser which IP address the domain is registered against.

This is wrong. An HTTP request does not determine any relation between a URL/hostname and an IP address. This is done by DNS. But if the redirect is done to the same hostname then the same IP address will usually be used. But it might be a different IP address if multiple IP addresses are associated with the same hostname in DNS.

As a result, any forced redirects will subsequently use the original certificate.

If you are redirecting from HTTP to HTTPS then there is no original certificate, since HTTP has no certificate, only HTTPS. If you redirect from HTTPS on host A to HTTPS on host B then the first access (to host A) must result in the certificate for host A and the second request (to host B) must result in the certificate for host B.

I have an Apache2 server and was forcing a 301 redirect from my old https domain to a new https domain. This caused problems no matter what settings I tried.

In this case you redirect from one hostname to another hostname. The target IP address might be different but it might also be the same if both names are hosted on the same system. But this actually does not matter.

All that matters is that the hostname in the URL must match the subject(s) of the certificate. And the redirect changes the URL and thus might change the hostname of the URL. It does not matter if there are different IPs involved or not: if the hostname in the URL does not match the subject of the certificate the validation will fail.

Thus what you need is either:

  • Have a certificate which includes both hostnames, i.e. the one you redirect from and the one you redirect to. Use this certificate for both hostnames.
  • Or have different certificates for each hostname and set it up so that the certificate matches the hostname of the server. If both hostnames are served on the same IP address then the clients would need to support SNI, which all current browsers do but not all bots or other tools/libraries.

  • Hey there Steffen, took some personal time to learn this better and understand the above. Thank you. As the situation was being pressed, I went with separate IPs instead of SNI. Cheers for the overview. –  Jun 03 '16 at 06:01

1
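A diagnostic for the situation described in this answer, added here as an example and not code from the thread: it connects to a hostname with that name in SNI, reports whether the presented certificate actually covers the name, and then follows the 301 and repeats the check on the target host. The `*.old.example` certificate at the end is a constructed sample (CN-only wildcard, like the ones the question mentions), not a real one.

```python
import ssl
from http.client import HTTPSConnection
from urllib.parse import urlsplit

def cert_names(cert):
    # SAN dNSName entries; fall back to the subject CN only when there is no
    # SAN at all (modern browsers ignore the CN and require a SAN).
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    return names

def name_matches(pattern, host):
    # RFC 6125 rule: '*' stands for exactly one leftmost label, so
    # '*.old.example' covers 'www.old.example' but not 'old.example'.
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p, h = pattern.split("."), host.split(".")
    return len(p) == len(h) and p[1:] == h[1:]

def cert_matches_host(cert, host):
    return any(name_matches(n, host) for n in cert_names(cert))

def fetch_hop(host, path="/", timeout=5):
    # TLS connect with SNI set to `host`. The chain is still validated against
    # the system CAs; only the hostname check is off so a mismatch is reported.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    conn = HTTPSConnection(host, 443, timeout=timeout, context=ctx)
    conn.request("HEAD", path)
    resp = conn.getresponse()
    cert = conn.sock.getpeercert()
    conn.close()
    return cert, resp.status, resp.getheader("Location")

def check_redirect_chain(host, path="/", max_hops=5):
    # Per HTTPS hop: does the cert served for that SNI name cover it?
    # Stops at the final response or at a plain-HTTP hop (nothing to check).
    report = []
    for _ in range(max_hops):
        cert, status, location = fetch_hop(host, path)
        report.append((host, status, cert_matches_host(cert, host)))
        if not (300 <= status < 400 and location and location.startswith("https://")):
            break
        target = urlsplit(location)
        host, path = target.hostname, target.path or "/"
    return report

SAMPLE_CN_ONLY_CERT = {"subject": ((("commonName", "*.old.example"),),)}  # constructed
```

Run `check_redirect_chain("www.old.example")` against a live host; a `False` in any tuple is the hop whose certificate the browser rejects.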

The redirect should not be the problem here. Try disabling the redirect and put a static file on your old domain. Are you still getting certificate issues?

Try both domains on SSLLabs and make sure there are no major issues.

Both domains should have their own certificates. On very old browsers without SNI (Server Name Indication) you will need two IPs for this setup.

– marv51