Alias subserver with SSL, for static cookieless domain - Workflow

#1 Mon, 08/26/2019 - 17:10
Rory Bremner

The goal here is to implement a static asset domain so that CMS can do cookieless transfers.
What is the best way to create an alias-subserver (static.somedomain.com) that can serve all files in www.somedomain.com and can have its own SSL certificate?

My Solution:

  • Assume that you have mymaindomain.com as your default website for the single IP address of your VPS.
  • Assume that you have mydomain1.com as the parent server for the alias you want.
  • Create an alias subserver for mydomain1.com called static.mydomain1.com
  • Important: You MUST put a checkmark for DNS domain enabled? (just good practice as suggested)
    Important: You MUST put a checkmark for Apache website enabled?
    (I am sure that last month I did not have to do this. Today if I do not check this, the alias is taking me to mymaindomain.com. This makes me wonder, what is the purpose of having the option unchecked? Can anyone tell me?)
  • You cannot request SSL in static.mydomain1.com; you have to do this from mydomain1.com.
  • The options presented there are now as follows (just click request certificate):
    mydomain1.com
    www.mydomain1.com
    mail.mydomain1.com
    autoconfig.mydomain1.com
    autodiscover.mydomain1.com
    static.mydomain1.com (this url is now accessible)
    www.static.mydomain1.com (this url is now accessible)
    mail.static.mydomain1.com (this url is now accessible)

NOTE: If the VS mydomain1.com already exists and you already have an SSL installed, by creating the static alias (point #3), Virtualmin will do step 4 automatically for you! Thanks VA!

My questions:
1. What is the purpose of having the option "Apache website enabled?" unchecked? Is this a useless option?
This creates a NON-ALIAS for the mydomain1.com but instead is an alias for mymaindomain.com and uses the SSL from mymaindomain.com.
This creates problems when requesting SSL, failing with '404 Not Found DNS-based validation failed', because it cannot create '.well-known' in mymaindomain.com.
Since it is using the mymaindomain.com SSL, it also is useless as a static domain for mydomain1.com causing problems in the browser 'Failed to load resource: net::ERR_CERT_COMMON_NAME_INVALID'
2. As already mentioned, I am pretty sure that last month I left "Apache website enabled?" unchecked, and enabled only 'DNS domain enabled?'.
This created the alias to mydomain1.com OK, and all I had to do was request a certificate by manually adding 'static.mydomain1.com' to the list (after autodiscover).
I still have the VPS to prove it. Was it just a fluke?

Tue, 08/27/2019 - 10:31
andreychek

Howdy,

The "Apache website" feature specifies whether there is an entry in the Apache config for the domain in question.

If that option is disabled, that website shouldn't be accessible via a web browser -- you'd instead only see the default website when browsing to that domain.

It should be no problem to request an SSL cert for an alias with that feature enabled, that's how most folks get certs for things like a main example.com domain, and then an alias example.net domain.

If that's not working, that means something is awry, and would just require some troubleshooting to figure out what.

-Eric
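
The fallback described in this reply, as an added sketch that is not from either poster or from Virtualmin: it models Apache's name-based virtual host selection (a request whose Host matches no ServerName/ServerAlias goes to the first-listed vhost) and then checks whether that vhost's certificate covers the requested name, which is the condition behind `ERR_CERT_COMMON_NAME_INVALID`. The vhost layout, the function names and the exact-name matching are assumptions for illustration.

```python
# Added illustration: Apache name-based vhost selection plus TLS name check.
# Hostnames and the vhost layout are constructed sample data.
# Simplification: names are matched exactly (no wildcard ServerAlias).

def select_vhost(vhosts, host):
    """Return (vhost, matched): first vhost naming the host, else the first vhost."""
    host = host.lower().rstrip(".")
    for vh in vhosts:
        if host in (n.lower() for n in vh["names"]):
            return vh, True
    return vhosts[0], False  # no match: the first-listed vhost acts as the default


def cert_covers(san_list, host):
    """True if a SAN equals the host or is a wildcard for its leftmost label only."""
    host = host.lower().rstrip(".")
    for san in (s.lower() for s in san_list):
        if san == host:
            return True
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False


def diagnose(vhosts, host):
    """Report which site answers for host and whether its certificate fits."""
    vh, matched = select_vhost(vhosts, host)
    return {
        "host": host,
        "served_by": vh["names"][0],
        "fell_back_to_default": not matched,
        "cert_name_ok": cert_covers(vh["cert_sans"], host),
    }


# Default site first, then a parent whose alias has an Apache entry of its own
# (the "Apache website enabled?" case). static.mydomain2.com has no entry.
VHOSTS = [
    {"names": ["mymaindomain.com", "www.mymaindomain.com"],
     "cert_sans": ["mymaindomain.com", "www.mymaindomain.com"]},
    {"names": ["mydomain1.com", "www.mydomain1.com", "static.mydomain1.com"],
     "cert_sans": ["mydomain1.com", "www.mydomain1.com", "static.mydomain1.com"]},
]

if __name__ == "__main__":
    for h in ("static.mydomain1.com", "static.mydomain2.com"):
        print(diagnose(VHOSTS, h))
```

A host reported with `fell_back_to_default` set is also one whose HTTP validation request would be answered from the default site's document root rather than its parent's.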

Tue, 08/27/2019 - 11:44
Rory Bremner

Still, I want to know the usage of an SSL certificate on static.mydomain2.com, which redirects to mymaindomain.com.
I want to understand this.

From my testing:
mymaindomain.com
static.mymaindomain.com
mydomain1.com
static.mydomain1.com
mydomain2.com
static.mydomain2.com
mydomain3.com
static.mydomain3.com
mydomain4.com
static.mydomain4.com

When "Apache website enabled?" is unchecked, SSL request failed on 2/5 domains with 404.
(I think creating an index.html at the root of mydomainN.com and accessing it wakes up Apache so it will allow access to .well-known)
Anyway, all static domains were redirecting to mymaindomain.com (even the ones which got an SSL), so I had to give that method up.

PS. To All - It is difficult to troubleshoot this issue - you have to have a few domains to play with, so don't bother. Just keep in mind.