rewrite and SSL problems

my rewrite is still triggering a domain mismatch

         

pixeltierra

7:39 am on Aug 22, 2007 (gmt 0)

I have two domains resolving to the same host:

www.one.com
www.two.com

I have an SSL cert for two.com.

I wanted to avoid a domain mismatch error by rewriting one.com to two.com, but it still triggers the domain mismatch, even though the URL written is for two.com.

RewriteCond %{HTTP_HOST} one [NC]
RewriteRule ^(.*) [two.com...] [R,L]

RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*) [two.com...] [R,L]

How can I avoid this?

jdMorgan

4:00 pm on Aug 22, 2007 (gmt 0)

Why does your first rule redirect to http://two instead of https://two?

Jim

pixeltierra

6:29 pm on Aug 23, 2007 (gmt 0)

That's a good question. Actually this is a pretty simplified version of the problem. There are actually 5 domains resolving to this host IP and not all of them need encryption all the time. The issue is this: when I want a secure connection, I want to be able to do a rewrite to the domain that I have the cert for. This works, but I still get the domain mismatch error that I want to avoid. I have this same problem whether my first rewrite is for https or http.

I guess the browser is caching the domain of the original request, and seeing that the cert is for a different domain, even though the original domain (one.com) is not what the server is sending back (two.com).

The only way I've found around this is to re-initiate a request to the right place from the browser like so (kind of dumb, but I can't find any other way):

RewriteCond %{HTTP_HOST} one\.com [NC]
RewriteCond $1 !rewrite_domain
RewriteRule ^(.*) [one.com...] [R,L]

--code for rewrite_domain.php--

<meta http-equiv="REFRESH" content="0;url=https://two.org/<?= htmlspecialchars(isset($_GET['path']) ? $_GET['path'] : '', ENT_QUOTES) ?>">

Someone please tell me there's a better way : (

jdMorgan

8:39 pm on Aug 23, 2007 (gmt 0)

Well, back to first principles, why are requests for the "wrong domain" happening? Are there incorrect links you can change on your site?

The cert is checked before any rewrites or redirects, which is why you're getting the error. So the only way to avoid it is to make sure all inbound links are correct.

Jim

pixeltierra

8:20 pm on Aug 24, 2007 (gmt 0)

In this case there are actually about 6 different sites that are essentially different "projects" of the same non-profit, that for legacy reasons (before my time) all had different registrars, different hosts, and different domains.

What I'm doing is consolidating all sites onto one host (shared), registrar, and domain. So what used to be:

old_one.com
old_two.com
...
old_six.com

Will be:

new.com/one/
new.com/two/
...
new.com/six/

This is advantageous for many reasons for us, among them the ability to use SSL for one domain, now that we are doing user authentication, and sharing HIPAA protected information. We want to keep the old domains for a time to keep traffic proper.

So I'm doing rewrites for the old URLs to get to the right place, but I've got this domain mismatch snag. In this field (medical) people don't even want to touch a possible HIPAA violation, so it's a problem. I've found a bit of a kludgy solution as stated above, but am not thrilled with it.

This probably makes sense, but I'll sticky you some info that will let you see it in action (or disaction : )

jdMorgan

8:28 pm on Aug 24, 2007 (gmt 0)

I'd suggest redirecting the alternate domains to a non-secure page explaining the change, and then let them enter the secure site from there. Depending on the scale of your operation, the explanatory page could contain a phone number that they could call to confirm that the change is legit.

When you use SSL, you're just not at liberty to change domains or protocols -- it's all part of keeping things secure, and you just have to live with it. If this is a HIPAA site and the above approach won't work, then I'd suggest getting proper certs for all of the domains, and just leaving it alone until you can introduce the changeover and get most users to move over (update their bookmarks, etc.) to the new single domain.

Jim
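The configuration below is an added example, not code from either poster, showing jdMorgan's two points in Apache vhost form: that no RewriteRule on the https port can prevent the mismatch error (the certificate is checked during the TLS handshake, before the request and its Host header reach Apache), and that the workable mitigations are a plain-http notice page on the new domain or a certificate that covers every name. The hostnames old_one.com, old_two.com and new.com, the page name moved.php, and the certificate paths are assumptions; the rest is standard mod_rewrite and mod_ssl syntax (Apache 2.4 style, no NameVirtualHost line).

```apache
# Added example (not from the thread). Hostnames, moved.php and the
# certificate paths are assumptions.

# Port 80, legacy names: no certificate is involved on this port, so the
# browser follows this redirect without any warning. Send people to a
# plain-http notice page on the new domain instead of straight into https,
# which is the approach jdMorgan recommends.
<VirtualHost *:80>
    ServerName old_one.com
    ServerAlias www.old_one.com old_two.com www.old_two.com
    RewriteEngine On
    # Pass the old host and path along so the notice page can offer the
    # matching link into the new site.
    RewriteRule ^/(.*)$ http://new.com/moved.php?from=%{HTTP_HOST}&path=$1 [R=301,L,NE]
</VirtualHost>

# Port 443: only the name the certificate was issued for. A request for
# https://old_one.com/ that lands on this socket fails the certificate name
# check inside the TLS handshake, before Apache sees any HTTP request, so a
# RewriteRule here runs too late to avoid the error. The only fixes are to
# remove https links to the old names or to install a certificate whose
# Subject Alternative Names list every old name as well as new.com.
<VirtualHost *:443>
    ServerName new.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/new.com.crt     # assumed path
    SSLCertificateKeyFile /etc/ssl/private/new.com.key   # assumed path
    DocumentRoot /var/www/new.com                         # assumed path
</VirtualHost>

# Port 80 on the new domain: the notice page stays on plain http; every
# other request is redirected to https on the same hostname. Because the
# certificate covers new.com, this redirect never produces a mismatch.
<VirtualHost *:80>
    ServerName new.com
    DocumentRoot /var/www/new.com                         # assumed path
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/moved\.php$
    RewriteRule ^/(.*)$ https://new.com/$1 [R=301,L]
</VirtualHost>
```

The order of the three blocks matters only in that mod_rewrite and mod_ssl must be loaded; what does not change is that the first https vhost to answer for a given IP and port presents its certificate before any Host header, RewriteCond or RewriteRule is evaluated, which is exactly why the original redirect-based attempts in the thread could not remove the warning.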