DNS issues and/or https issues


#1

Hi -

Summary

I’ve been developing on and off the web for a long time, but my DNS knowledge is low, I’m new to load balancers, and I have very little understanding of https and certificates.

I’m using a DH registered domain on an AWS-hosted site.

I have two specific questions based on the behavior I’m observing:

  1. why would http://domainname redirect to http://www.domainname, but https://domainname does not redirect to https://www.domainname?
  2. why would https://www.domainname resolve correctly, but https://domainname returns Server Not Found?

Read on for further details, as well as changes I’ve made/attempted to correct these issues (successfuly, in some, but not all cases).

Thanks in advance for any help that anybody can provide.

Details

I need all of these URLs to resolve to https://www.domainname

I’ve had the particular domain name registered here at DH for years. It was previously fully hosted (here at DH).

I changed it from fully hosted to DNS only, and I created a *.domainname CNAME record (at DH) pointing to my AWS LB.

Initial behavior:

Note that I made no manual changes to DNS or apache configs to get http://domainname/ to redirect to http://www.domainname/. So I don’t understand why/where that was happening.

I added a https rewrite rule in the apache.conf files on the ec2 instances, leading to the following improvements in behavior:

This left only https://domainname/ not resolving correctly

In attempting to resolve this, I tried adding another CNAME record (without a subdomain name) pointing to the LB, but got an error saying that CNAME records were only valid for subdomains.

I came across https://ryans.dream.press/dns-3/custom-dns-records/point-domain-only-using-cname-record/ and followed its instructions to “set your domain to redirect to the www subdomain of the site… on the Manage Domains Page”

After doing that,

Your connection is not secure
domainname uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
The certificate is not valid for the name domainname.
Error code: SEC_ERROR_UNKNOWN_ISSUER

To reiterate, https://www.domainname resolves cleanly, without this error. Only https://domainname (without the www) produces this error.

(I understand that this is a separate - new - issue from the routing anomalies I asked about in the initial two questions. If anybody can help on this, great. If not, stay focused on the routing anomalies. I’m including this in case it helps someone understand what my original problem(s) was/were.)

I’ve also tried adding a www rewrite rule in the apache.conf files on the ec2 instances, but no change in forwarding https://domainname to https://www.domainname.

I’m stuck. I don’t know if this is an issue with my DNS setup (at DH), or one or more issues with my AWS setup, or both.

AWS details:

  • AWS application LB (not a classic LB or network LB) because it seems to be what AWS recommends
  • listeners on 80 and 443, both forwarding to target group on 443
  • AWS ACM certificate for *.domainname on LB
  • ec2 instances are ubuntu 16.04
  • self-signed certs on ec2 instances, built following https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-ubuntu-16-04
  • my apache.conf files on the ec2 instances do not specify a ServerName directive. What would I set the ServerName to, given that the LB resolves the domain name?
  • security group inbound rules allow 80 and 443 on both LB and ec2 instances (from all addresses on both IPV4 and V6)