I think I've got them all now. It seems my two-stepping test of earlier combined with some browser caching to give some failed successes.

When I corrected the .htaccess file, my one domain worked fine, and redirected to https://jekewa.com/ correctly.

After I changed the document root for my to-be-forwarded domains, they only worked if the URL had been cached by the browser, so when I started experimenting with the query strings, they weren't found in the cache and exposed the fact that I'd done something wrong. Based on the incorrect assumption that my previous work was still working, I started looking in the wrong places for the solution.

The real problem was that my new "empty folder" (intended to succeed in the event of a nested .htaccess file) didn't have a .htaccess file, and the RedirectRule in my Apache configuration was being ignored.

It turns out the very easy solution was to add a "RewriteEngine on" command within the VirtualHost body for the domains. Then those rewrite rules were executed if the .htaccess isn't found. So the combination of an empty folder (to avoid nested overwrites) and the correct configuration in the Apache file makes the rewrite rules work.

<VirtualHost *:80>
ServerName jkwarren.info
ServerAlias jkwarren.info *.jkwarren.info ...
RewriteEngine on
RewriteRule ^(.*) https://jekewa.com$1 [r=301,nc,ne]
</VirtualHost>

No extra, empty directory needed any more. No RewriteCond. Just, if you reach a vanity domain by HTTP, redirect to the HTTPS with the domain name that matches the certificate! I added the "ne" to the flags based on a post I found suggesting this will help keep query strings and path elements from being re-encoded as part of the redirect, although I've not yet witnessed it; it isn't breaking anything, and I can't affirm it's fixing anything, but I'm leaving it in anyway.

Now I just have one last bit to fix, which reqires me to comb through my HTML (or JSP or whatever) and find the explicit HTTP elements that don't work on the HTTPS pages (like Google Analytics) and either correct their explicit URL, make them optional (in the JSP), or take them away (in the HTML). Then I think I'll be pretty much done, and can start banging on this in the domains where it counts.

Oh, Comcast, I'm gonna be needing more IPs now that I have my SSL worked out, I've got some need to put this on some other domains...when's that IPv6 coming to my neighborhood, and what does that mean for my static addressing?