
Issue Redirect all undefined subdomains to main domain not working

Azurel

Silver Pleskian
I want to redirect all undefined subdomains to www.example.com. So I have added the following to my Apache settings for "example.com" in "Additional directives for HTTPS":
ServerAlias *.example.com
<Directory /var/www/vhosts/example.com/httpdocs>
AllowOverride None
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www.example.com [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
</Directory>

But instead of redirecting abc.example.com to www.example.com, my browser shows me the URL abc.example.com with the error NET::ERR_CERT_AUTHORITY_INVALID.
In DNS I have a wildcard "*" entry for the server IPs. Am I missing a point here, or is it necessary to create a wildcard domain?

CentOS Linux 7.7.1908 (Core) / Plesk Obsidian 18.0.26
 
  1. Create example.com in Plesk
  2. Set preferred to www.example.com for example.com
  3. Create "*" (wildcard) subdomain *.example.com, which points to httpsdocs of example.com
  4. If you got subdomains defined like smtp.example.com, they will work like normal. If non-existent subdomains are chosen e.g. 123-321.example.com, they will go to example.com, which rewrites to www.example.com
  5. Voilà
See also:

 
Thanks, but exactly that was my question. ;)
Is it or is it not necessary to create a wildcard domain? It looks like overhead to create a subdomain only for a simple redirect to the main domain.

But I tested it with an extra *.example.com subdomain. Still I get the same result in the browser:

NET::ERR_CERT_AUTHORITY_INVALID
Subject: Parallels Panel
Issuer: Parallels Panel
Expires on: 07.11.2017
Current date: 21.04.2020

So I continue to assume that there is a mistake somewhere else.
Especially why:
Issuer: Parallels Panel
Expires on: 07.11.2017
 

I assumed you do have a current wildcard ssl certificate?

When connecting, the SSL certificate is first:
  1. Connect to e.g. 123.example.com, which is subdomain covered by *.example.com
  2. Client connects to 123.example.com. Server internally redirects to certificate of example.com
  3. SSL handshake incl certificate (aka needs a valid wildcard certificate for *.example.com). If certificate is not valid, then self-signed is used.
  4. Now connected to 123.example.com on httpdocs of example.com

Bottom line: you need to read the above article and make sure you got a valid wildcard certificate for example.com, which is also set for *.example.com :) (but should be automatically anyways).
 
Thanks for your patience and yes I have added SSL to wildcard domain. In main domain click on "SSL/TLS Certificates" and "Reissue Certificate"-button and select "Secure the wildcard domain". It shows:
Wildcard SSL/TLS certificate
*.example.com is "Secured"
Command dig -t txt _acme-challenge.example.com +short shows me the correct TXT value for _acme-challenge.

But in browser a random subdomain shows me this
NET::ERR_CERT_AUTHORITY_INVALID
Subject: Parallels Panel
Issuer: Parallels Panel
Expires on: 07.11.2017
Current date: 21.04.2020
For *example.com I can only "upload" an additional certificate.

So I don't get it. ^^°
 

  1. The ACME challenge is only to issue the certificate.
  2. Did you check the certificate on Example Domain? Reviewing the certificate should show "*.example.com" and "example.com".
  3. Like in the article: create the subdomain "*.example.com" but pointing to the homedir of "example.com". You should have the same certificate in "*.example.com" like in "example.com". If not it must be selectable. Or else you made a mistake along the road...
If you are sure you did everything right and the problem persists, by then you should post the URL.
 
Certificate in Chrome said
CN = example.com

DNS-Name=*.example.com
DNS-Name=example.com

www.ssllabs.com/ssltest/analyze.html said for "test.example.com" = "Certificate name mismatch"

In subscription "*.example.com" is a LetsEncrypt certificate, the same in "example.com":
Domain name = example.com

But for the wildcard it should be (so I think)
Domain name = *.example.com
Because when creating a new one, it is recommended as *.example.com
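
Added example (not part of any post in this thread, and not Plesk's code): a small Python model of why the RewriteRule never gets a chance to run. The browser validates the certificate chosen for the requested name during the TLS handshake, before any HTTP redirect is sent. The vhost name lists and the wildcard certificate's expiry date are assumptions; the other certificate values are the ones quoted in the thread.

```python
from datetime import date

def name_matches(hostname, pattern):
    """RFC 6125-style match: '*' stands for exactly one left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat

def select_cert(sni, vhosts, default_cert):
    """Simplified SNI selection: first vhost covering the name, else default."""
    for names, cert in vhosts:
        if any(name_matches(sni, n) for n in names):
            return cert
    return default_cert

def handshake_problems(hostname, cert, today):
    """Reasons a browser rejects cert for hostname; empty list = accepted."""
    problems = []
    if not any(name_matches(hostname, p) for p in cert["san"]):
        problems.append("name mismatch")
    if cert["subject"] == cert["issuer"]:  # simplification: treated as self-signed
        problems.append("self-signed")
    if cert["not_after"] < today:
        problems.append("expired")
    return problems

# Constructed sample data built from the values quoted in the thread.
TODAY = date(2020, 4, 21)
DEFAULT_CERT = {"subject": "Parallels Panel", "issuer": "Parallels Panel",
                "san": [], "not_after": date(2017, 11, 7)}
WILDCARD_CERT = {"subject": "example.com", "issuer": "Let's Encrypt",
                 "san": ["*.example.com", "example.com"],
                 "not_after": date(2020, 7, 1)}  # expiry date is an assumption

# Assumed vhost name lists: without and with a wildcard server name.
WITHOUT_WILDCARD = [(["example.com", "www.example.com"], WILDCARD_CERT)]
WITH_WILDCARD = [(["example.com", "www.example.com", "*.example.com"], WILDCARD_CERT)]

def diagnose(sni, vhosts):
    """What the browser reports for a request to `sni` against `vhosts`."""
    return handshake_problems(sni, select_cert(sni, vhosts, DEFAULT_CERT), TODAY)

if __name__ == "__main__":
    for label, vhosts in (("no wildcard vhost", WITHOUT_WILDCARD), ("wildcard vhost", WITH_WILDCARD)):
        print(label, diagnose("abc.example.com", vhosts) or "handshake ok")
```

If no vhost claims the requested name, the default certificate is served and the handshake fails with all three problems, regardless of how correct the rewrite rules are.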
 
It's getting weird. Seems we found a bug.

Just yesterday I secured a domain with a wildcard domain and had it all work. Now the nginx "randomizer" kicks in, in default config. So when connecting to a non-existent domain, the nginx server doesn't catch the wildcard, but instead a random other domain. Usually the server itself.

Back to testing. You have nginx edge too?
 
I do not know what "edge" means, but I use nginx too. Enabled in Apache & nginx Settings as:
- Proxy mode
- Smart static files processing
 
Ok so I don't see any nginx directive, where a server listens

Ok we got a similar config.

@IgorG we got a problem here. Seems we found a bug - can you take a look?

  1. Configured *.example.com subdomain according to the documentation.
  2. Yesterday I know for sure the wildcard worked for frontend, but the Plesk backend listed errors under the SSL/TLS/Let's Encrypt icon. (fixed later or similar)
  3. Today the error under the SSL/TLS icon is gone, but the wildcard doesn't work for frontend anymore.
Weird findings:
  • I refreshed all configs for web servers
  • I can't see any nginx server listen directive under vhosts, which grabs "*.example.com" - nada, nothing
  • I added a directive under nginx, leading to a forward to Apache.
  • Apache apparently doesn't grab the domain "*.example.com" either. So I need to rewrite the Apache listen directive too.
Bottom line: the last update broke the above behaviour (according to the documentation) for wildcard subdomains.

In my case: CentOS 7.5, Obsidian 18.0.26, web host edition
 