I am managing two domain names and want to redirect one to the other. I set up domain forwarding with a 301 permanent redirection from domain S (source) to domain T (target). The server on domain T redirects all HTTP to HTTPS. The browser is redirected if I visit http://<domain-S>.

If I visit https://<domain-S> (note the S for TLS), I see:

Firefox detected a potential security threat and did not continue to <domain-S>. ...
Firefox does not trust this site because it uses a certificate that is not valid for <domain-S>. The certificate is only valid for the following names: shortener.secureserver.net, www.shortener.secureserver.net
Error code: SSL_ERROR_BAD_CERT_DOMAIN

Please note that the HTTPS configuration is working well for <domain-T>. I believe that the problem is that the SSL certificate for https://<domain-T> is being served for https://<domain-S>.

How can I redirect the domain before serving the certificate?
You must provide a valid certificate when the browser visits https://<domain-s>; the certificate check is performed before processing the page content/redirects/... and this is by design. If you can't create a certificate for domain S and another for domain T, you can list both domains in the Subject Alternative Name of your certificate: RFC5280, Section 4.2.1.6.

There is no configuration change that will accomplish what you're trying to do - the problem is that the browser knows that the user tried to browse to domain-s and the website that was served up is protected by a certificate signed for domain-t. From the browser's perspective, domain-t is invalidly impersonating domain-s. The only way to change this would be to use a Multi-Domain/SAN Certificate that is authoritative for both domain-s and domain-t. Alternatively, if domain-t is a subdomain of domain-s, you could use a wildcard certificate.
In short, this is TLS doing its job - notifying the user that the server they reached is actually at domain-t instead of where the user tried to go.
This does exactly what you're trying to do using nginx assuming they reside on different IPs (you didn't specify):
If they reside on the same server/IP then you need to set up and use SNI, which is supported on most modern browsers, or use a common TLS certificate.
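As an added illustration that is not part of any answer above, this Python replays the hostname check a browser performs on the certificate before it reads a single byte of the HTTP response (so before any redirect), and applies it to three constructed certificates: the forwarder's own names taken from the error in the question, a SAN certificate listing both domains, and a wildcard certificate. The domain-s.example / domain-t.example names are placeholders, and the dict layout follows what ssl.getpeercert() returns.

```python
"""Replay the browser-side hostname check behind SSL_ERROR_BAD_CERT_DOMAIN.
Certificate dicts have the shape ssl.SSLSocket.getpeercert() returns, but their
values are constructed for this example, not captured from any server."""

def san_dns_names(peercert: dict) -> list[str]:
    """Collect the dNSName entries of the subjectAltName extension."""
    return [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(hostname: str, san: str) -> bool:
    """Exact match, or a wildcard that is the whole leftmost label (RFC 6125)."""
    hostname, san = hostname.lower().rstrip("."), san.lower().rstrip(".")
    if "*" not in san:
        return hostname == san
    san_labels, host_labels = san.split("."), hostname.split(".")
    # '*' must be the entire leftmost label and must be followed by at least
    # two fixed labels, so a cert for '*.example' is rejected outright.
    if san_labels[0] != "*" or len(san_labels) < 3:
        return False
    # A wildcard covers exactly one label: '*.s.example' covers 'www.s.example'
    # but neither 'a.b.s.example' nor the bare 's.example'.
    return len(host_labels) == len(san_labels) and host_labels[1:] == san_labels[1:]

def check_hostname(hostname: str, peercert: dict) -> tuple[bool, list[str]]:
    """Return (accepted, names the cert is valid for). The browser decides this
    during the TLS handshake, before any HTTP response or redirect is seen."""
    names = san_dns_names(peercert)
    return any(name_matches(hostname, n) for n in names), names

# Constructed: the forwarding service's own certificate, as in the question.
FORWARDER_CERT = {
    "subjectAltName": (("DNS", "shortener.secureserver.net"),
                       ("DNS", "www.shortener.secureserver.net")),
}
# Constructed: one SAN certificate listing both domains (placeholder names).
SAN_CERT = {"subjectAltName": (("DNS", "domain-s.example"),
                               ("DNS", "domain-t.example"))}
# Constructed: wildcard certificate for domain-s.example and its subdomains.
WILDCARD_CERT = {"subjectAltName": (("DNS", "domain-s.example"),
                                    ("DNS", "*.domain-s.example"))}

if __name__ == "__main__":
    for label, cert in [("forwarder", FORWARDER_CERT), ("san", SAN_CERT),
                        ("wildcard", WILDCARD_CERT)]:
        ok, names = check_hostname("domain-s.example", cert)
        verdict = "OK" if ok else "SSL_ERROR_BAD_CERT_DOMAIN"
        print(f"{label:9s} {verdict:26s} valid for: {', '.join(names)}")
```

The forwarder case reproduces the question's failure: whichever server answers for domain S must present a certificate naming domain S, either its own one (selected by SNI) or a SAN certificate shared with domain T.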