I have an on_demand TLS setup and it's working wonderfully. However, I am looking at how to set up a redirect or custom error page in case the on_demand TLS is denied, i.e. the request for the domain name is denied.
It’s impossible to write an HTTP response on a TLS handshake error. The client doesn’t trust the connection because the server doesn’t have a trusted certificate to encrypt the connection.
That’s a very bad idea. You’d open yourself up to denial of service attacks by someone who points their own wildcard subdomain to your server’s IP and makes infinite requests each with a different domain; it would force your server to try to issue a cert for each of those domains, until you hit rate limits or run out of disk space.
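The usual mitigation for the issuance flood described in the reply above is to let Caddy ask an allow-list endpoint before it issues any certificate. The following is an added example, not code from the thread or from the Caddy project; it assumes Caddy's global `on_demand_tls { ask <url> }` option, which sends `GET <url>?domain=<name>` and only issues when the endpoint answers 200. The host names and port are constructed.

```python
"""Minimal allow-list 'ask' endpoint for Caddy on-demand TLS.

Added example (not from the forum thread). Assumed Caddyfile wiring:

    {
        on_demand_tls {
            ask http://127.0.0.1:9123/ask
        }
    }

Caddy then calls GET /ask?domain=<name> before issuance and proceeds
only on a 200 response, so unknown names never reach the CA.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed allow-list; in practice this comes from your tenant database.
ALLOWED_DOMAINS = {"customer-one.example", "customer-two.example"}


def is_allowed(domain: str) -> bool:
    """Exact, normalised match only: no wildcard or suffix matching.

    This is what defeats the attack in the thread: an attacker who points
    *.attacker.example at this server gets a 403 for every one of those names.
    """
    name = domain.strip().lower().rstrip(".")
    return name in ALLOWED_DOMAINS


def decide(path: str) -> int:
    """Map a request path like '/ask?domain=foo.example' to an HTTP status."""
    query = parse_qs(urlparse(path).query)
    domain = query.get("domain", [""])[0]
    return 200 if domain and is_allowed(domain) else 403


class AskHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status = decide(self.path)
        self.send_response(status)  # 200 = issue, 403 = refuse
        self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    # Bind to loopback only: Caddy is the sole intended caller.
    HTTPServer(("127.0.0.1", 9123), AskHandler).serve_forever()
```

Denied names appear in the endpoint's access log with a 403, which is a cheap signal for spotting an issuance flood before rate limits are hit.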