[BlueOnyx:20082] Re: SSL redirection

Michael Stauber mstauber at blueonyx.it
Thu Sep 8 12:41:17 -05 2016


Hi Darren,

> But if I try to go to a site that does not have 
> an SSL certificate using https -
> https://www.othersite.com
> I would expect it to fail, but instead I first 
> get a "ERR_CRT_COMMON_NAME_INVALID" warning from
> Chrome, and then if I proceed it redirects me
> to https://www.site.com
> 
> It has been this way in BX for as long as I 
> can remember, but is it something that is
> actually solvable?

Generally: This is a fundamental protocol issue. You will have this with
any browser and any web server.

So your scenario is this:

Vsite named www.site.com with these aliases:

site.com
www.othersite.com
othersite.com

The certificate is only valid for www.site.com and site.com.

When you now make an HTTPS connection to either www.othersite.com or
othersite.com, the webserver will send the SSL certificate to the
browser. Which then realizes: This SSL cert is not valid for the domain
it's connecting to and it will raise an error.

That's totally expected and normal behaviour. That's how it *must* be.

The redirect that then happens? That's configurable for the Vsite. See
"Services" / "Web" and the checkbox "Web Alias Redirects". If ticked,
any access to a website alias will redirect to the FQDN of the Vsite.

If you want to avoid the SSL errors when a web alias is accessed via
HTTPS then you have two choices:

a.) Get an SSL certificate that is valid not only for www.site.com
and site.com, but also for *all* web aliases. This can be done via the
GUI for the "Let's Encrypt" certificates. SSL certificate vendors also
usually have this option for their higher priced certificates.

b.) If you want to keep your current certificate for now: Remove all
website aliases that are not covered by the SSL certificate's validity.
Create a separate Vsite for that. Then put in a mechanism to redirect all
accesses to that Vsite (via .htaccess and the index page) to
https://www.site.com. If you want you can also enable SSL on that second
Vsite and put in a "Let's Encrypt" certificate for that, so that even
HTTPS accesses are working and are properly redirected to the primary Vsite.

-- 
With best regards

Michael Stauber
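
The coverage check behind choices a.) and b.), as an added example that is not part of the original post or of BlueOnyx: it splits a Vsite's names into those the certificate covers and those that will raise a name error over HTTPS. The function names and the sample certificate dict (shaped like the output of Python's `ssl.SSLSocket.getpeercert()`) are constructed for illustration, and the wildcard handling goes beyond the case in the post.

```python
# Added example: which Vsite names does a certificate actually cover?
# All names and the certificate dict below are constructed sample data.

def san_dns_names(peercert):
    """DNS entries from a dict shaped like ssl.SSLSocket.getpeercert()."""
    return [v.lower() for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(pattern, host):
    """Match one SAN entry against a hostname.

    A '*' is honoured only as the complete leftmost label and stands for
    exactly one label, so '*.site.com' covers 'www.site.com' but neither
    'site.com' nor 'a.b.site.com'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Reject overly broad patterns such as '*.com'.
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h

def split_by_coverage(peercert, names):
    """Return (covered, uncovered) lists, preserving input order."""
    sans = san_dns_names(peercert)
    covered = [n for n in names if any(name_matches(s, n) for s in sans)]
    uncovered = [n for n in names if n not in covered]
    return covered, uncovered

# Constructed: certificate valid only for www.site.com and site.com.
SAMPLE_CERT = {"subjectAltName": (("DNS", "www.site.com"), ("DNS", "site.com"))}
# Constructed: the Vsite FQDN plus its web aliases from the scenario.
VSITE_NAMES = ["www.site.com", "site.com", "www.othersite.com", "othersite.com"]

if __name__ == "__main__":
    covered, uncovered = split_by_coverage(SAMPLE_CERT, VSITE_NAMES)
    print("covered by certificate:", ", ".join(covered))
    print("will raise a browser name error over HTTPS:", ", ".join(uncovered))
```

Names in the uncovered list are the ones to add to the certificate (choice a.) or move to a separate Vsite (choice b.).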


