Drupal4Gov / Drupal-GovCon-2015

Drupal GovCon 2015 website
MIT License

Fix mismatched SSL certificate on bare/TL domain #74

Closed timwood closed 8 years ago

timwood commented 9 years ago

Because of the way DNS and Acquia hosting work, our SSL certificate does not apply to the bare / top-level domain, drupalgovcon.org. We need to research and decide on a service to make this work so users who go to https://drupalgovcon.org/ aren't presented with the mismatch warning in their browser and forced to accept the certificate warning to proceed. We don't need/want to host any content under this domain, just a redirect to www.drupalgovcon.org. Also, if we need to take a simple approach of using some other external (hopefully free) hosting provider to install our SSL cert and serve up the redirect, we can do that.

Acquia has some documentation (sign in required) on how to do this using some external DNS services such as http://aws.amazon.com/route53/ or http://wwwizer.com/naked-domain-redirect
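The mismatch described in the comment above, as an added example that is not part of the original thread or the project's code: it checks which hostnames a certificate's DNS subjectAltName entries cover, using RFC 6125-style matching. The SAN lists are constructed for illustration (the site's real certificate is not shown on this page), and `fetch_dns_sans` is an optional live check that needs network access and is not called by the example itself.

```python
import socket
import ssl


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' is honoured only as the whole leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # '*.example.org' never covers bare 'example.org'
    if p_labels[0] == "*":
        # The wildcard stands in for exactly one non-empty label, and a
        # pattern such as '*.org' is rejected outright.
        return len(p_labels) > 2 and h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def uncovered(sans, hosts):
    """Return the hosts a browser would flag as a name mismatch for this SAN list."""
    return [h for h in hosts if not any(name_matches(s, h) for s in sans)]


def fetch_dns_sans(host, port=443, timeout=5):
    """Live check (needs network): DNS SANs of the certificate served for `host`.

    Chain validation stays on; only hostname checking is disabled so the
    names can still be read when they do not match the requested host.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


HOSTS = ["drupalgovcon.org", "www.drupalgovcon.org"]
# Constructed SAN lists, not read from the site's real certificate.
WWW_ONLY = ["www.drupalgovcon.org"]
WILDCARD = ["*.drupalgovcon.org"]
BOTH = ["drupalgovcon.org", "www.drupalgovcon.org"]

if __name__ == "__main__":
    for label, sans in (("www only", WWW_ONLY), ("wildcard", WILDCARD), ("both", BOTH)):
        print(f"{label:9} mismatch on: {uncovered(sans, HOSTS) or 'none'}")
```

A wildcard entry does not help here: only a certificate that lists the bare domain itself passes for both names, so whichever host serves the redirect has to present such a certificate.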

sutch commented 9 years ago

Some progress. To continue, probably need to begin testing with an actual SSL certificate.

Step 1: S3 bucket endpoint: http://drupalgovcon.s3-website-us-west-2.amazonaws.com

Step 2: DNS rule in Route 53: drupalgovcon.org A ALIAS s3-website-us-east-1.amazonaws.com. (z3aqbstgfyjstf)

Step 3: TODO: Create DNS record on Route 53 for www.drupalgovcon.org

Step 4: TODO: At domain registrar's site, change the nameservers for the domain to:

- ns-655.awsdns-17.net.
- ns-1524.awsdns-62.org.
- ns-71.awsdns-08.com.
- ns-1808.awsdns-34.co.uk.

Other steps, TBD:

Further research for using Amazon CloudFront:

- http://docs.aws.amazon.com/IAM/latest/UserGuide/InstallCert.html
- http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecureConnections.html#CNAMEsAndHTTPS
- http://stackoverflow.com/questions/28675620/cloudfront-redirect-www-to-naked-domain-with-ssl

timwood commented 9 years ago

@sutch Do we really need to change the nameservers to point elsewhere? I thought it would just be a simple https host which provides a server at a static IP we can point the bare domain A record at, install the SSL cert and configure a redirect to www.

sutch commented 9 years ago

Possible options. I will continue to update as I research and learn more.

timwood commented 9 years ago

Let's also look into wwwizer. They offer a $9.95/month plan for 100GB/month data transfer. Since we would only be serving a 301 redirect, that should be plenty. https://control.wwwizer.com/plans

sutch commented 9 years ago

I had looked at wwwizer and determined that it only offered the redirect for non-SSL sites. After reading additional information, it appears that their paid service does in fact offer redirects for SSL sites. This solution should work and is the easiest and least costly of the options found.

timwood commented 9 years ago

Once we have implemented a solution for this issue, we should also submit our domain to https://hstspreload.appspot.com/

bendygirl commented 9 years ago

Checking in on this. Site is blocked still at VA, primarily due to the mismatch, partially for uncategorized content.

timwood commented 9 years ago

@bendygirl I think we identified wwwizer as the solution. Unless someone knows of some other option.

timwood commented 8 years ago

This issue was moved to Drupal4Gov/Drupal-GovCon-2016#21