Topic: create error page for no-exist SSL virtual host in apache2
peter.debnar
Joined: 19 Jan 2024 Posts: 4 Location: Ruzomberok
Posted: Fri 19 Jan '24 9:02 Post subject: create error page for no-exist SSL virtual host in apache2

hello,
I have virtual hosts in apache2 (Ubuntu) on a server where there are 15 virtual hosts (HTTP) and 3 virtual hosts (HTTPS). If I make a request in the browser to an address that doesn't have an HTTPS virtual host in Apache2 (I don't even have a certificate), then I get the first HTTPS page from this server (the first SSL virtual host with a certificate), which is not good. I would like to get an Apache error saying the HTTPS page does not exist in such a case. How and where should I set it?
loud listening
thank you for help,
tangent Moderator
Joined: 16 Aug 2020 Posts: 348 Location: UK
Posted: Sun 21 Jan '24 19:10 Post subject:

This can be done with some simple mod_rewrite logic in your default virtual host.
Basically, check if the host header matches the hostname of your first (required) SSL host certificate, and if not rewrite the request to a suitable error page hosted from your default site, e.g.
Code:
RewriteEngine On
RewriteOptions InheritBefore
RewriteCond "%{HTTP_HOST}" "!=required.hostname.com" [NC,NV]
RewriteRule ".*" "/error.html"
Enable mod_rewrite near the top of your configuration file, if not already in use.
peter.debnar
Joined: 19 Jan 2024 Posts: 4 Location: Ruzomberok
Posted: Mon 22 Jan '24 8:33 Post subject:

Yes, I know this method, but I need to have a certificate for it, so that I can subsequently do the redirection. But is there any way to do this without a certificate? I don't even want to make an SSL host for some sites; I just want to have, e.g., information displayed that the page does not exist if someone enters HTTPS pages without a certificate into the browser.
tangent Moderator
Joined: 16 Aug 2020 Posts: 348 Location: UK
Posted: Mon 22 Jan '24 21:45 Post subject:

For HTTPS connections Apache uses Server Name Indication (SNI) to determine which certificate to send back to the client, based on the host name in their TLS request and your available VHOSTS (and corresponding certificates). All modern browsers support the SNI TLS extension.
So by definition, if one of your clients requests a secure connection for one of your non-secure sites (one for which there is no corresponding secure VHOST), then they'll have already been sent the certificate from your default secure VHOST, and presumably accepted the mis-match challenge.
So on the basis that the client is now connected to your default secure VHOST, why can't you send them an appropriate custom error page, which includes a suitable redirect link for them to follow?
If you don't want to send the default secure VHOST certificate back to the client, for mis-matching site requests, then take a look at the SSLStrictSNIVHostCheck directive. However, this will cause the client TLS handshake to fail and they'll get a somewhat terse error message, which is probably not what you want.
peter.debnar
Joined: 19 Jan 2024 Posts: 4 Location: Ruzomberok
Posted: Tue 30 Jan '24 10:57 Post subject:

But in the case of the default SSL host, I must create a certificate (some multisite?) for all addresses anyway. So if I have the sites site1.ku.sk, site2.ku.sk, site3.ku.sk ... and I have an SSL virtual host only for site1.ku.sk ... then the default SSL host must have a certificate (multisite) for site2.ku.sk and site3.ku.sk? So do I still have to have a certificate for these 2 addresses?
mraddi
Joined: 27 Jun 2016 Posts: 152 Location: Schömberg, Baden-Württemberg, Germany
Posted: Tue 30 Jan '24 21:43 Post subject:

Exactly!
To get rid of error messages within the client when connecting to your default vhost with a hostname not available within the certificate, the only way is using a certificate with SAN (Subject Alternative Name) for all your hostnames.
As soon as you have this certificate there is no need to redirect these requests from https to http anymore.
tangent Moderator
Joined: 16 Aug 2020 Posts: 348 Location: UK
Posted: Tue 30 Jan '24 22:00 Post subject:

@mraddi - you beat me to it!
@peter.debnar - I think you are making things more complicated than they need to be.
Firstly, unless you're prepared for TLS client requests to be challenged due to a domain mismatch, you will need to configure Apache with a certificate for each domain you're serving. This can be done with individual certificates, or as you suggest, with a multi-domain certificate using Subject Alternative Name (SAN) entries.
If a certificate contains a SAN field, then TLS clients are supposed to ignore the Common Name (CN) value and seek a match to one of the domain entries in the SAN list (which should also contain the CN entry).
Whether you choose to have an Apache VHOST for each of the domains in your SAN list is entirely down to you, noting you can choose to add extra domains to a given VHOST (defined with a ServerName directive), by using the ServerAlias directive.
Any client request that doesn't match a ServerName or ServerAlias entry in your defined VHOSTS will be passed to the default VHOST, where you can choose to handle it accordingly.
One of the key benefits of multi-domain certificates is the opportunity to configure multiple VHOSTS to use the same certificate.
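The following Apache configuration is an added example illustrating both of tangent's replies above (the SNI/default-VHOST behaviour with SSLStrictSNIVHostCheck as the alternative, and one SAN certificate shared across VHOSTs with ServerAlias); it is not configuration posted in this thread. The site names follow the ku.sk examples from the thread, while the certificate paths, DocumentRoot paths and the error page name are placeholders you would replace with your own.

```apache
# Added example, not from the thread. Paths, the default ServerName and the
# error page name are placeholders.
#
# Load order matters: for a given address:port, the first SSL <VirtualHost>
# Apache loads is the default one. It receives every HTTPS request whose
# SNI name matches no ServerName/ServerAlias, and also clients without SNI.

# 1. Default (catch-all) HTTPS vhost, placed first on purpose.
<VirtualHost *:443>
    ServerName   default.ku.sk
    DocumentRoot /var/www/default

    SSLEngine on
    # One multi-domain (SAN) certificate listing every hostname this server
    # answers for (site1.ku.sk, site2.ku.sk, site3.ku.sk, ...), so the browser
    # shows no name-mismatch warning before it can render the error page.
    SSLCertificateFile    /etc/ssl/certs/ku-sk-san.pem
    SSLCertificateKeyFile /etc/ssl/private/ku-sk-san.key

    # Alternative mentioned in the thread: refuse the TLS handshake outright
    # for SNI names that match no vhost. Clients then see a terse TLS error
    # and never reach the custom page, so it is left disabled here.
    # SSLStrictSNIVHostCheck on

    # Every request that reaches this vhost is for a name without its own
    # HTTPS site: answer 404 with a custom page instead of serving another
    # site's content. The RewriteCond excludes the error page itself so the
    # ErrorDocument subrequest is not turned into a 404 again.
    ErrorDocument 404 /no-https-site.html
    RewriteEngine On
    RewriteCond "%{REQUEST_URI}" "!^/no-https-site\.html$"
    RewriteRule ".*" "-" [R=404,L]
</VirtualHost>

# 2. A real HTTPS site; it reuses the same SAN certificate. Additional
#    names that should land here go in ServerAlias rather than in a new vhost.
<VirtualHost *:443>
    ServerName   site1.ku.sk
    ServerAlias  www.site1.ku.sk
    DocumentRoot /var/www/site1

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/ku-sk-san.pem
    SSLCertificateKeyFile /etc/ssl/private/ku-sk-san.key
</VirtualHost>
```

The file /var/www/default/no-https-site.html must exist (it can carry the plain-HTTP link tangent suggested). A request for https://site2.ku.sk/ then matches no ServerName or ServerAlias, lands in the first vhost, and gets a 404 with that page; because site2.ku.sk is in the certificate's SAN list, the browser raises no warning first. Enabling SSLStrictSNIVHostCheck instead makes the handshake fail before any HTTP exchange, which is why the thread steers away from it.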
peter.debnar
Joined: 19 Jan 2024 Posts: 4 Location: Ruzomberok
Posted: Wed 31 Jan '24 8:05 Post subject:

Thank you all, I understand (I also thought it was like this from the beginning, that there was no other option). The problem is that a colleague creates certificates for me, and he doesn't want to create more certificates for me ... so I was looking into whether there really is a way around it without a certificate. You understand.
Thank you again, have a nice day
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
Posted: Fri 16 Feb '24 23:45 Post subject:

peter.debnar wrote:
    Thank you all, I understand (I also thought it was like this from the beginning, that there was no other option). The problem is that a colleague creates certificates for me, and he doesn't want to create more certificates for me ... so I was looking into whether there really is a way around it without a certificate. You understand.
    Thank you again, have a nice day

Use Let's Encrypt. Free certificates.