How to avoid certificate mismatch

Topics: User Forum
Feb 4, 2010 at 4:40 PM

I have an IIS server which has one SSL certificate installed. But the server has several domain names associated with it so that our users can type the short domain name to access their applications. Actually all this does is a redirection to another server. Some of our users are typing https://domain, which causes the browser to pop up a warning message saying that the certificate doesn't match the domain. Duh... I thought maybe I could catch the request before the HTTPS server popped up the mismatch warning by installing the rewrite filter and doing a rewrite from https to http, so I tried:

RewriteCond %{HTTPS} =on
RewriteCond %{SERVER_PORT} ^443$
RewriteRule .* http://%{SERVER_NAME}/

But when I try to go to https://domain, the log file shows the following:

Thu Feb 04 11:03:50 -  3084 - ReadSiteConfig: line   3: LogLevel = 2
Thu Feb 04 11:03:50 -  3084 - ReadSiteConfig: line   5: RewriteCond   %{HTTPS}  =on
Thu Feb 04 11:03:50 -  3084 - ReadSiteConfig: line   6: RewriteCond   %{SERVER_PORT}  ^443$
Thu Feb 04 11:03:50 -  3084 - ReadSiteConfig: line   7: RewriteRule (rule 1)  '.*'  'http://%{SERVER_NAME}/'   (null)
Thu Feb 04 11:03:50 -  3084 - ReadSiteConfig: WARNING: line $d: Rewriting to a fully-qualified URL. Do you want RedirectRule or ProxyRule?
Thu Feb 04 11:03:50 -  3084 - ReadSiteConfig: Done reading, found 1 rules (0 errors, 1 warnings) on 8 lines
Thu Feb 04 11:03:50 -  3084 - DoRewrites: Url (no decoding): '/'
Thu Feb 04 11:03:50 -  3084 - DoRewrites: No Rewrite

I also tried this:

RewriteCond %{HTTPS} =on
RewriteCond %{SERVER_PORT} ^443$
RedirectRule ^/(.*)$ http://%{SERVER_NAME}/ [R=301]

This shows the following in the log file.

Thu Feb 04 11:39:48 -  3404 - ReadSiteConfig: line   3: LogLevel = 2
Thu Feb 04 11:39:48 -  3404 - ReadSiteConfig: line   5: RewriteCond   %{HTTPS}  =on
Thu Feb 04 11:39:48 -  3404 - ReadSiteConfig: line   6: RewriteCond   %{SERVER_PORT}  ^443$
Thu Feb 04 11:39:48 -  3404 - ReadSiteConfig: line   8: RedirectRule (rule 1)  '^/(.*)$'  'http://%{SERVER_NAME}/'  [R=301]
Thu Feb 04 11:39:48 -  3404 - ReadSiteConfig: Done reading, found 1 rules (0 errors, 0 warnings) on 9 lines
Thu Feb 04 11:39:48 -  3404 - DoRewrites: Url (no decoding): '/'
Thu Feb 04 11:39:48 -  3404 - DoRewrites: No Rewrite

Any way to get around this, or do we have something else misconfigured?

Coordinator
Feb 5, 2010 at 1:10 PM

You want a redirect, not a rewrite, so the second of your attempts is closer.

I think the HTTPS server variable is either "on" or "off", but is never "=on". So the RewriteCond that uses =on as the pattern will never evaluate to true. Try this instead:

## Redirect HTTPS requests to HTTP requests
RewriteCond %{HTTPS} ^on$
RewriteCond %{SERVER_PORT} ^443$
RedirectRule ^/(.*)$ http://%{SERVER_NAME}/   [R=301]
Feb 5, 2010 at 1:15 PM

OK, that seemed to do the redirect fine according to the log file, but I still get the certificate mismatch error.

Is there any way to get around this?

Coordinator
Feb 5, 2010 at 1:39 PM

It's possible (I don't know) that IE validates the SSL cert before any ISAPI is allowed to process the request. This would make sense: if the user declines to allow the use of the cert, then no request should be sent at all. By the time IIRF sees the request, and redirects it, the cert check has already been done.

As for how to avoid that... One way might be to disassociate the shortname from the cert, and get a new cert for that shortname. But I'm not an expert in SSL setups. Maybe try the forums at www.iis.net for help with that.
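As an added illustration (not code from this thread or from IIRF), the following Python models the two separate problems discussed above: why a RewriteCond pattern of `=on` never fires while `^on$` does (assuming IIRF tests the pattern as a regular expression against the variable, which is what the suggested fix implies), and which of the names users type the installed certificate actually covers. The certificate and the host names are constructed samples; a redirect cannot change the second result, because the browser checks the name during the TLS handshake, before any request reaches the filter.

```python
import re

# Constructed sample of what ssl.getpeercert() returns for the one
# certificate on the IIS server (hypothetical names, not from the thread).
SAMPLE_CERT = {
    "subject": ((("commonName", "apps.example.com"),),),
    "subjectAltName": (("DNS", "apps.example.com"), ("DNS", "*.example.com")),
}


def rewritecond_matches(pattern, value):
    """IIRF-style RewriteCond: the pattern is a regex searched in the variable."""
    return re.search(pattern, value) is not None


def cert_dns_names(cert):
    """DNS names a browser will accept: SAN entries, else the CN as a fallback."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names.extend(v for k, v in rdn if k == "commonName")
    return names


def name_matches(pattern, hostname):
    """Exact match, or a wildcard covering exactly one leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "." in hostname:
        # '*.example.com' covers 'x.example.com' but not 'example.com'
        # or 'a.b.example.com'; a bare short name has no dot at all.
        return hostname.split(".", 1)[1] == pattern[2:]
    return False


def hostname_covered(cert, hostname):
    return any(name_matches(p, hostname) for p in cert_dns_names(cert))


def uncovered_hosts(cert, hostnames):
    """Names that will trigger the browser's mismatch warning over https."""
    return [h for h in hostnames if not hostname_covered(cert, h)]


if __name__ == "__main__":
    print("=on fires:", rewritecond_matches("=on", "on"))    # False
    print("^on$ fires:", rewritecond_matches("^on$", "on"))  # True
    typed = ["apps.example.com", "payroll.example.com", "payroll", "example.com"]
    print("need a cert covering:", uncovered_hosts(SAMPLE_CERT, typed))
```

Every short name the script lists is one the certificate must be reissued to include (or moved off the shared listener), which is the coordinator's second suggestion.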