
Nginx HTTPS 301 redirect to another TLD (hosted on same server) without showing SSL warning

I own the domains example.com, .com.au, .net, .net.au, ... (8 in total).

I want all of these TLDs to 301 redirect to the secure .com domain https://www.example.com

I have it working using Nginx for all HTTP requests but not all HTTPS.

I have installed an SSL certificate for https://www.example.com and this works for www and non-www without any security warnings (as expected).

When browsing to say http://example.net I get redirected to https://www.example.com without security warnings. However, when browsing to https://example.net I get the dreaded security warning.

Now I assume this is due to me only owning the .com SSL certificate and not for the other TLDs. Also, all sites are hosted on the same server/ip address, thus the .com certificate being returned for other TLDs.

DNS A records for all domains point to the single IP address of my Nginx server.

From what I have read and understood, I think I need an IP address and SSL certificate for each TLD I own. This seems like overkill for a simple redirect.

Is there any Nginx or DNS trickery I can use to avoid the standard security warnings for the OTHER (non .com) TLDs without having to fork out for more IP addresses and SSL certificates?

I thought I better ask the brains trust before I go ahead and purchase all the required certs etc.

Below is my Nginx config:

server {                  # redirect/catch all block
        listen 80;
        listen 443;
        server_name _ .example.com .example.com.au .example.net .example.net.au;
        return 301 https://www.example.com$request_uri;
}

server {
        listen   443 ssl default_server;        # Secure default server block
        server_name www.example.com;

        root /srv/www/example.com/public_html;
        index index.html index.htm;

        ssl on;
        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;           
        # ...   rest of config
}

"From what I have read and understood, I think I need an IP address and SSL certificate for each TLD I own. This seems like overkill for a simple redirect."

The redirect is done at the HTTP layer. But in HTTPS the HTTP layer is encapsulated inside TLS. This means it must first successfully establish the TLS connection before it can do the redirect. Thus it needs a proper certificate for all the hostnames you access through HTTPS, even if you just do a redirect to another host.
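The point made in this answer can be checked before deploying a redirect. The following Python is an added example, not code from the original posts: it takes a certificate's subjectAltName list and reports which of the redirecting hostnames a browser would reject before any 301 is sent. The certificate contents, the function names and the address 203.0.113.10 are assumptions made for illustration.

```python
# Added example: which hostnames does a certificate actually cover?
# SAMPLE_CERT is constructed data in the shape ssl.SSLSocket.getpeercert() returns.
import ipaddress

SAMPLE_CERT = {
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}

# Hostnames from the question that all resolve to the same Nginx server.
REDIRECT_HOSTS = [
    "example.com", "www.example.com",
    "example.com.au", "example.net", "example.net.au",
]


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125 style match: '*' may only stand for the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def is_covered(cert: dict, host: str) -> bool:
    """True if a client connecting to https://<host> would accept the cert's names."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return any(k == "DNS" and _dns_match(v, host) for k, v in sans)
    # A bare IP is matched only by an "IP Address" entry, never by a DNS name.
    return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)


def uncovered(cert: dict, hosts: list[str]) -> list[str]:
    """Hostnames that get a certificate warning before any 301 can be sent."""
    return [h for h in hosts if not is_covered(cert, h)]


if __name__ == "__main__":
    for name in uncovered(SAMPLE_CERT, REDIRECT_HOSTS + ["203.0.113.10"]):
        print(f"https://{name}: certificate name mismatch, warning precedes redirect")
```

Every name this reports needs to appear in a certificate the server presents for it, whether as additional subjectAltName entries on one certificate or as separate certificates selected per hostname.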

I was able to successfully accomplish something very similar by setting the first redirecting server as default. Then the 2nd more-specific server handles all the traffic. Note the change to default_server and server_name. My certificate isn't assigned to IP addresses, only domain names, and the redirection occurs without an error in Chrome, but in Safari it pops up a warning in my tests visiting https://<the-ip>.

server {
        # default for all, except other more-specific blocks
        listen 80 default_server;
        listen 443 ssl default_server;
        server_name _;

        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;

        return 301 https://www.example.com$request_uri;
}

server {
        listen   443 ssl;
        server_name www.example.com;

        root /srv/www/example.com/public_html;
        index index.html index.htm;

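        # TLS is enabled by "listen 443 ssl" above; the separate "ssl on;"
        # directive is deprecated since nginx 1.15.0 and is not needed here
        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;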
        # ...   rest of config
}
