4

I have a virtualhost directive that serves up a custom 404 error if invalid subdomain is entered:

<VirtualHost *:80> # the first virtual host ServerName site_not_found RedirectMatch 404 ^/(?!custom_error) </VirtualHost> <VirtualHost *:80> ServerName example.com ServerAlias ??.example.com </VirtualHost>

I want to set up a virtualhost to show the same custom error via a HTTPS connection. I have tried the following:

<VirtualHost *:443> # the first virtual host ServerName site_not_found RedirectMatch 404 ^/(?!custom_error) </VirtualHost> <VirtualHost *:443> ServerName example.com ServerAlias ??.example.com # SSL options, other options, and stuff defined here. </VirtualHost>

But the server would not start and an error is emitted:

Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)

It seems that an SSL certificate is required even if the SSLEngine is not turned on for this virtual host. Is there a way to get around the problem besides providing a cert? Turning off the module is not an option since I need SSL for the virtual server example.com.

Improve this question
3
  • See: Can Https work without a certificate? Commented Sep 29, 2012 at 12:58
  • 1
    I know this is an old question, but now that it's 2015 there is a service called Let's Encrypt that makes the process of installing a valid, publically trusted SSL certificate for small installations like this incredibly easy, and best of all, free. Commented Dec 8, 2015 at 14:49
  • In my humble opinion this is really silly behavour by apache. This is a "default" https port rather than a requirement to have https configured on the port. I can set up/not set up https on any port I choose. Commented May 6, 2018 at 12:50

4 Answers 4

Reset to default
7

It seems that an SSL certificate is required even if the SSLEngine is not turned on for this virtual host. Is there a way to get around the problem besides providing a cert?

No - when your browser has https in the URL, it expects to talk SSL. it doesn't, it'll fail. Apache is being nice by telling you this, otherwise you'd have some obscure browser errors to comprehend with. Therefore, you'll need to configure SSL in Apache before you can use port 443.

If you don't want browser warnings about it being a bad SSL certificate, you'll need to buy one from a Certificate Authority. You can get a free one from https://cert.startcom.org/ which are becoming accepted in more and more places but probably don't have the same level of recognition as paid ones (especially in older machines). I use this for my development sites and have yet to see a warning about them being untrusted, but then again I only use relatively new OSs/browsers.

Improve this answer
5
  • 1
    The server failed to start. It has nothing to do with the browser. Commented Sep 29, 2012 at 10:08
  • I made my answer clearer: you need to setup SSL certs to use the SSL port. Commented Sep 29, 2012 at 10:09
  • Ok, I get what you mean -- there is no way to avoid not having a cert. Thanks for the freebee :) Commented Sep 29, 2012 at 10:27
  • I don't agree that Apache is doing anyone any favours with this "rule". It should be the server administrator's prerogative to configure a server as desired, selecting whatever ports desired to communicate via the chosen protocols. Commented May 6, 2018 at 12:58
  • 1
    @Pancho It does, but you can not have name-based virtual hosts with and without SSL on the same port, as the SSL handshake is the first thing that happens after the connection has been established. It is indeed possible to have a non-ssl webserver listening on port 443, as long as the SSLEngine is disabled for every virtual host on that port. However, it will result in an error if any browser tries to connect there with SSL. You would need to access it like http://domain:443/. Commented Mar 10, 2020 at 21:56
2

Yes, there is a way:

Configure your Apache's Listen Directive (on Ubuntu /etc/apache2/ports.conf)

There will be something in it like: Listen *:443

You can enforce HTTP on it by adding the Protocol to that:

Listen *:443 http

That way Apache2 is able to listen on Port 443 as a simple HTTP Server

Found here: https://httpd.apache.org/docs/2.4/bind.html

Improve this answer
1
  • I use a <VirtualHost :443> ServerName www.a.b.c => RewriteRule (.) a.b.c </VirtualHost>. Then I have another full <VirtualHost *:443> ServerName a.b.c .....</VirtualHost> which enables SSLEngine, has the cert etc etc. This approach allows me to purchase a single cert for domain a.b.c and not to care whether people come in on a.b.c or a.b.c. The Apache implementation breaks this and sadly although yours is a great approach I don't think it helps me Commented May 6, 2018 at 15:54
0

Ignoring the Apache error due to not having any SSL certs, what you're attempting to do is not possible unless you create or buy a wildcard certificate to cover the "invalid" subdomains.

If all your clients are internal you could create a mini signing authority and install all the CA cert on all of your boxes.

If your clients are external then you will have to buy a wildcard certificate which costs around 600 USD

Improve this answer
2
  • 1
    wildcard certificate which costs around 600 USD. No they don't. Commented Sep 29, 2012 at 11:00
  • @jay - ok, I should have been clearer. They can cost 600 USD depending on your requirements for a wildcard cert. I buy mine from Digicert as I require unlimited CSR signing for multiple private keys and unlimited SANs. Commented Sep 30, 2012 at 12:16
-1

I found a simple redirect solution that works a treat added inside your sites vhost after your <VirtualHost xxx.xxx.xxx.xxx:80> entry...

<VirtualHost xxx.xxx.xxx.xxx:443> #ServerName www.HttpSiteDomainName.com #ServerAlias HttpSiteDomainName.com #DocumentRoot /WhereeverSiteIsOnServer Redirect 301 / http://www.HttpSiteDomainName.com/ </VirtualHost>
  1. xxx.xxx.xxx.xxx is your site server IP
  2. Replace 'HttpSiteDomainName.com' with the site domain name and extension
  3. Dont forget to test and restart Apache for your server
  4. I added the #comments for reference but you can uncomment and should still work

Now when you go to the https of the site, it will redirect to http

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.