How to redirect from FR to COM when using HTTPS [duplicate]

I have two domains: my-domain.com and my-domain.fr

I want to redirect traffic as follows:

  • my-domain.com:80 -> my-domain.com:443
  • my-domain.fr:80 -> my-domain.com:443
  • my-domain.fr:443 -> my-domain.com:443

I've chosen to only use .com; am I right? I guess yes, because I only have to manage one certificate: the .COM one.

My /etc/apache2/sites-available/default:

NameVirtualHost *:80

<VirtualHost *:80>
   ServerName www.my-domain.com
   ServerAlias my-domain.com
   # trailing slash needed: without it "/foo" becomes "https://www.my-domain.comfoo"
   Redirect permanent / https://www.my-domain.com/
</VirtualHost>

<VirtualHost *:80>
   ServerName www.my-domain.fr
   ServerAlias my-domain.fr
   Redirect permanent / https://www.my-domain.com/
</VirtualHost>

My /etc/apache2/sites-available/default-ssl:

NameVirtualHost *:443

<VirtualHost *:443>
   ServerName www.my-domain.com
   ServerAlias my-domain.com
   DocumentRoot /var/www/my-domain/
   ErrorLog /var/log/my-domain/my-domain.com.error.log
   CustomLog /var/log/my-domain/my-domain.com.access.log combined

   GnuTLSEnable on
   GnuTLSPriorities NORMAL
   GnuTLSExportCertificates on
   GnuTLSCertificateFile /etc/apache2/ssl/certs/my-domain.com.crt
   GnuTLSKeyFile /etc/apache2/ssl/private/my-domain.com.key
</VirtualHost>

<VirtualHost *:443>
   ServerName www.my-domain.fr
   ServerAlias my-domain.fr
   # .fr:443 -> .com:443: the TLS handshake with the .fr certificate completes first,
   # then this redirect answers the HTTP request
   Redirect permanent / https://www.my-domain.com/
   ErrorLog /var/log/my-domain/my-domain.fr.error.log
   CustomLog /var/log/my-domain/my-domain.fr.access.log combined

   GnuTLSEnable on
   GnuTLSPriorities NORMAL
   GnuTLSExportCertificates on
   GnuTLSCertificateFile /etc/apache2/ssl/certs/my-domain.fr.crt
   GnuTLSKeyFile /etc/apache2/ssl/private/my-domain.fr.key
</VirtualHost>

But I'm getting an SSL certificate error when I go to my-domain.fr, because it tells me that I wanted to go to my-domain.fr and I'm not.


Solution 1:

I'm afraid you've misunderstood the order in which things happen. The SSL connection is established first, and only once that is done will the HTTP request be passed to the server and get a redirect in response.

If it were possible to do the redirect to a different domain before checking the server's SSL certificate, it would be very easy to send any visitor on to any random domain. Just imagine what this could do to an online banking site, if a simple man in the middle attack could redirect a user to a different site without even an SSL warning...

The easiest solution here is that you get a certificate with Subject Alternative Names and you list all the domains that you want to use the certificate for. That way you will still only have one certificate to keep updated, but it will work for all your domains.

Solution 2:

Your webserver doesn't know the domain requested when you're in HTTPS, so it will always use the first *:443 virtualhost you have configured. You need openssl-1.x for SNI to work.
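As an added diagnostic (not part of the question or either answer), the script below checks the two points both solutions make: for each host name given on the command line it sends that name via SNI, prints whether the certificate the server actually presents covers the name, and only then asks the HTTP layer where it redirects. It assumes openssl and curl are installed and that the names resolve to your server.

```shell
#!/bin/sh
# Added diagnostic (not from the question or the answers). For each host name given,
# show which certificate the server presents when the client sends that name via SNI,
# whether the certificate actually covers the name, and where HTTP then redirects.
# Assumes openssl and curl are installed and the hosts resolve to your server.

# Turn `openssl x509 -noout -subject -text` output into one DNS name per line:
# every SAN "DNS:" entry, plus the subject CN as a fallback for SAN-less certificates.
extract_names() {
    sed -n 's/^subject=.*CN *= *\([^,/]*\).*/\1/p; s/^ *DNS:/DNS:/p' \
      | tr ',' '\n' | sed 's/^ *DNS://; s/ *$//' | grep -v '^$' | LC_ALL=C sort -u
}

# Exit 0 if any name on stdin covers $1: exact match, or a wildcard that replaces
# exactly the left-most label (and is not a bare "*.tld").
covers() {
    host=$1
    while IFS= read -r name; do
        [ "$name" = "$host" ] && return 0
        case $name in
            '*.'*) suffix=${name#"*."}
                   case $suffix in
                       *.*) [ "$suffix" = "${host#*.}" ] && return 0 ;;
                   esac ;;
        esac
    done
    return 1
}

# Names on the leaf certificate that $1:443 serves when asked for $2 via SNI.
served_names() {
    openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null \
      | openssl x509 -noout -subject -text 2>/dev/null | extract_names
}

# Location header the HTTP layer returns for https://$1/ (empty if no redirect).
redirect_target() {
    curl -sIk --max-time 5 "https://$1/" | sed -n 's/^[Ll]ocation: *//p' | tr -d '\r'
}

check_host() {
    names=$(served_names "$1" "$1")
    if printf '%s\n' "$names" | covers "$1"; then
        echo "$1: certificate covers the name; HTTP redirects to: $(redirect_target "$1")"
    else
        echo "$1: MISMATCH, certificate is only for: $(printf '%s' "$names" | tr '\n' ' ')"
    fi
}

for h in "$@"; do check_host "$h"; done
```

Run it as `sh check.sh my-domain.fr www.my-domain.fr my-domain.com`; a MISMATCH line for the .fr names means the certificate step fails before any redirect can be sent, which is exactly the error the browser shows.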