Re: How to deal with www and non-www domain names with one certificate?

Hi Ed,
When I am setting up a server or virtual host, I start with this:
https://github.com/h5bp/html5-boilerplate/blob/master/dist/.htaccess

That's the configuration file from a project that is intended to jumpstart web development projects and set smart defaults. It is well documented, particularly with inline comments.

I believe the default configuration is what you're describing, but if you need to make adjustments you can just comment or uncomment the appropriate settings for your use case.

I then use Certbot to generate an SSL certificate that covers both the naked domain and the www subdomain (and any other subdomains).

These 2 documents outline how to set up the configuration files:
https://httpd.apache.org/docs/2.4/configuring.html
https://httpd.apache.org/docs/2.4/sections.html

My suggestion would be to use the code in the HTML5 Boilerplate (the first link) but do so in your main config file so that you avoid using `.htaccess` files (and `AllowOverride` directives) altogether.

Another tool you might find useful is the Mozilla SSL configuration generator.

It looks like you shared both the public and private encryption keys when you included the SSL certificates so you should generate new keys/certificates.

Hope that helps.

-Adam Powell
Founder, ADA First

On Tue, Feb 4, 2020 at 1:03 PM edflecko . <edflecko@xxxxxxxxx> wrote:
I don't understand how to deal with forcing all connections to www.sierraprogress.org to simply sierraprogress.org, forcing all connections to my website with https, and using only one certificate per domain name?

Here's my unique server information:
CentOS 7
Server version: Apache/2.4.41 (codeit)
OpenSSL 1.1.1c

1.) Forcing all connections to www.domainname.com to domainname.com is best done with a rewrite rule, isn't it? I've found some examples online, but I don't know if one is better than the others?

# Example 1: for any host, force HTTPS and strip a leading "www." in one 301
RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [L,NE,R=301]

# Example 2: send any subdomain of sierraprogress.org to the bare HTTPS domain
# (RewriteBase only has an effect in .htaccess / per-directory context)
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^([^.]+)\.sierraprogress\.org$ [NC]
RewriteRule ^(.*)$ https://sierraprogress.org/$1 [R=301,L]

# Example 3: the reverse direction, bare domain to www
RewriteEngine On
RewriteCond %{HTTP_HOST} ^sierraprogress\.org$ [NC]
RewriteRule ^ https://www.sierraprogress.org%{REQUEST_URI} [R=301,L]

# Example 4: www to bare domain over HTTPS
RewriteEngine on
RewriteCond %{HTTP_HOST} ^www\.sierraprogress\.org
RewriteRule (.*) https://sierraprogress.org/$1 [R=301,L]

Since I want ALL websites that this server will host to remove the www AND be https connections, maybe the first example is best?

Do I just place this code snippet in my httpd.conf file?

2.) Here's my sierraprogress.org.conf file:

<VirtualHost *:80>
    ServerName sierraprogress.org
    ServerAlias www.sierraprogress.org
    DocumentRoot /var/www/sierraprogress.org/public_html
    <Directory /var/www/sierraprogress.org/public_html>
        Options -Indexes +FollowSymLinks
        AllowOverride All
    </Directory>
    ErrorLog /var/www/sierraprogress.org/error.log
    CustomLog /var/www/sierraprogress.org/requests.log combined
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot /var/www/sierraprogress.org/public_html
    Protocols h2 h2c http/1.1
    ServerName sierraprogress.org
    ServerAlias www.sierraprogress.org
    <Directory /var/www/sierraprogress.org/public_html>
        Options -Indexes +FollowSymLinks
        AllowOverride All
    </Directory>
    ErrorLog /var/www/sierraprogress.org/error.log
    CustomLog /var/www/sierraprogress.org/requests.log combined
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/sierraprogress.crt
    SSLCertificateKeyFile /etc/httpd/ssl/sierraprogress.key
    SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>

The one certificate I'm using (sierraprogress.crt) works fine for sierraprogress.org connections but, of course, will NOT work for www.sierraprogress.org connections because of the domain name mismatch. I've also tried using a wildcard certificate for *.sierraprogress.org (see below), but I couldn't get that to work at all.

Suggestions on how to handle these issues?

Thank you for your time and suggestions!
Ed

Certificate Decoder - https://www.sslshopper.com/certificate-decoder.html

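The setup Adam describes, applied to the virtual host from Ed's question, as an added example that is not part of this thread or of either project linked above: all three names are handled in the main server config, with no mod_rewrite and no `.htaccess`. The certificate paths assume Certbot's default /etc/letsencrypt layout for a single certificate issued for both sierraprogress.org and www.sierraprogress.org.

```apache
# Added example (not from this thread): apex site, www folded into it,
# HTTP forced to HTTPS, rules in the main config so no .htaccess is needed.
# Assumes a Certbot-issued certificate whose SAN list covers both
# sierraprogress.org and www.sierraprogress.org; the /etc/letsencrypt paths
# are Certbot's default layout, not the /etc/httpd/ssl paths from Ed's config.

# Plain HTTP for both names exists only to redirect; mod_alias Redirect is
# enough for a whole-host redirect and carries the request path along.
<VirtualHost *:80>
    ServerName sierraprogress.org
    ServerAlias www.sierraprogress.org
    Redirect permanent / https://sierraprogress.org/
</VirtualHost>

# HTTPS for the www name: the TLS handshake completes before any redirect
# runs, so this vhost must present a certificate that is valid for www too.
<VirtualHost *:443>
    ServerName www.sierraprogress.org
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/sierraprogress.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/sierraprogress.org/privkey.pem
    Redirect permanent / https://sierraprogress.org/
</VirtualHost>

# HTTPS for the canonical name: the only vhost that serves content.
<VirtualHost *:443>
    ServerName sierraprogress.org
    Protocols h2 http/1.1
    DocumentRoot /var/www/sierraprogress.org/public_html
    <Directory /var/www/sierraprogress.org/public_html>
        Options -Indexes +FollowSymLinks
        # Redirects live in this file, so per-directory overrides stay off.
        AllowOverride None
        Require all granted
    </Directory>
    ErrorLog  /var/www/sierraprogress.org/error.log
    CustomLog /var/www/sierraprogress.org/requests.log combined
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/sierraprogress.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/sierraprogress.org/privkey.pem
    SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>
```

A certificate that lacks the www name would still produce the mismatch Ed saw on the www vhost, because the browser checks the name during the handshake, before the Redirect is ever sent.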