On 05/19/2010 02:02 PM, Zack Colgan wrote:
> The problem you are running into is that SSL sessions are negotiated prior to the browser sending the virtual host name, so there is no opportunity to redirect the client to the www URL before it's too late. Aside from purchasing a second SSL certificate for the plain domain name or getting a wildcard certificate to cover both
Unless your HTTPD supports SNI, a second certificate alone isn't going to do you any good. AFAIK, under CentOS 5, there is only one solution to this problem: a certificate with multiple alt-names (or wildcard).
SNI should be a feature of RHEL 6. I believe that it's been available in Fedora since release 11.
There is a configuration where a second cert will work, but you'd need an additional IP. If you run "domainname.com" on one IP with a matching cert and "www.domainname.com" on a separate IP with its matching cert, users won't get errors. Two certs will usually cost more than one cert with an alt-name, but less than throwing away your old cert to get a new cert with both names.
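As an added illustration of the points made in this reply (not code from the thread or from any httpd project), the script below models the server side of the handshake: without SNI the server only knows the destination IP, so it must answer with that IP's default certificate; with SNI, or with one certificate per IP, it can present the right one. It also applies browser-style name matching to show which names a certificate actually covers, including the caveat that a wildcard such as `*.domainname.com` covers `www.domainname.com` but not the bare `domainname.com` (RFC 6125 rules). All host names, IP addresses and certificate contents are constructed for the example.

```python
# Added example (not from the thread): why a second certificate only helps when
# the server can pick it per name (SNI) or per IP address, plus RFC 6125-style
# name matching. Every host name, IP and certificate below is constructed.


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName (or CN) pattern against a host name the way browsers do.
    A wildcard is honoured only as the entire leftmost label and only when at
    least two labels follow it, so '*.domainname.com' matches
    'www.domainname.com' but not 'domainname.com' or 'a.b.domainname.com'."""
    pattern = pattern.lower().rstrip('.')
    hostname = hostname.lower().rstrip('.')
    if '*' not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split('.'), hostname.split('.')
    if p_labels[0] != '*' or '*' in pattern[2:]:
        return False  # only the '*.rest' form is accepted
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # refuse '*.com' and names with a different label count
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert: dict, hostname: str) -> bool:
    """A certificate covers a name if any subjectAltName dNSName matches; a
    legacy certificate with no SANs falls back to its CN."""
    names = cert.get('san') or [cert['cn']]
    return any(hostname_matches(n, hostname) for n in names)


def choose_cert(vhosts, ip, sni_name=None):
    """Server-side selection. vhosts is an ordered list of
    ((ip, ServerName), cert); the first entry for an IP is its default.
    With SNI the vhost whose ServerName matches wins; without SNI the server
    knows only the IP and must answer with that IP's default certificate."""
    candidates = [(name, cert) for (vip, name), cert in vhosts if vip == ip]
    if not candidates:
        return None
    if sni_name is not None:
        for name, cert in candidates:
            if name.lower() == sni_name.lower():
                return cert
    return candidates[0][1]


def handshake_ok(vhosts, ip, hostname, client_sends_sni):
    """True if the certificate the server presents covers the requested name."""
    cert = choose_cert(vhosts, ip, hostname if client_sends_sni else None)
    return cert is not None and cert_covers(cert, hostname)


# Constructed certificates and virtual host layouts.
CERT_BARE = {'cn': 'domainname.com', 'san': ['domainname.com']}
CERT_WWW = {'cn': 'www.domainname.com', 'san': ['www.domainname.com']}
CERT_ALT = {'cn': 'www.domainname.com',
            'san': ['www.domainname.com', 'domainname.com']}
CERT_WILD = {'cn': '*.domainname.com', 'san': ['*.domainname.com']}

ONE_IP_TWO_CERTS = [(('192.0.2.10', 'domainname.com'), CERT_BARE),
                    (('192.0.2.10', 'www.domainname.com'), CERT_WWW)]
TWO_IPS = [(('192.0.2.10', 'domainname.com'), CERT_BARE),
           (('192.0.2.11', 'www.domainname.com'), CERT_WWW)]
ONE_ALT_NAME_CERT = [(('192.0.2.10', 'www.domainname.com'), CERT_ALT)]


def scenarios():
    """Outcome of each deployment option discussed in the thread."""
    return {
        'two certs, one IP, client without SNI':
            handshake_ok(ONE_IP_TWO_CERTS, '192.0.2.10', 'www.domainname.com', False),
        'two certs, one IP, client with SNI':
            handshake_ok(ONE_IP_TWO_CERTS, '192.0.2.10', 'www.domainname.com', True),
        'two certs, two IPs, client without SNI':
            handshake_ok(TWO_IPS, '192.0.2.11', 'www.domainname.com', False),
        'one alt-name cert, client without SNI, bare name':
            handshake_ok(ONE_ALT_NAME_CERT, '192.0.2.10', 'domainname.com', False),
        'wildcard cert covers www':
            cert_covers(CERT_WILD, 'www.domainname.com'),
        'wildcard cert covers bare domain':
            cert_covers(CERT_WILD, 'domainname.com'),
    }


if __name__ == '__main__':
    for label, ok in scenarios().items():
        print(f"{'OK  ' if ok else 'FAIL'} {label}")
```

Run as a script it prints one line per scenario: the two-certificates-on-one-IP layout fails for non-SNI clients (the case described for CentOS 5) and passes once the client sends SNI, the two-IP and alt-name layouts pass without SNI, and the wildcard case shows why a wildcard alone does not replace an alt-name for the bare domain.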