SSL and Redirects

ssl

#1

I have just had my first go at adding a certificate to a site, and initially it seems to be going OK.
But now I’m having trouble getting all the redirects to work.
I have it working going from http to https but the default domain is non-www and that’s where I’m seeing a problem.
Previously www.example.com would redirect fine to example.com but since adding the certificate and modifying redirects for that:-

http://example.com will redirect to https://example.com :+1:
http://www.example.com will redirect to https://example.com :+1:
But https://www.example.com gives me an “Insecure Connection” page in Firefox. :-1:

www.example.com uses an invalid security certificate.
The certificate is only valid for example.com.
Error code: SSL_ERROR_BAD_CERT_DOMAIN

Is it that the browser is detecting it’s the wrong domain for the certificate before htaccess is able to redirect?

I tried a few different things in htaccess and all (that I think should work) gave the same result.
The latest method I tried was:-

RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [L,NE,R=301]

The security message comes up in Firefox, IE shows something similar. But I found that in Chrome the redirect works without a hitch forwarding the user to the secured canonical URL.
I guess that means that htaccess is OK and this is the browser jumping the gun to condemn the site before it redirects.


#2

I had a problem last year as cPanel automatically added an SSL certificate to my site. The thread is here and may be of some help: Https versions of my site whats the next move?


#3

Yes, that is exactly what is going on. If your cert is only for example.com you can’t use it to redirect www.example.com because the browser will refuse to connect to www.example.com as the connection is not secure.

You’d either need to get a separate cert for www.example.com and install that as well (in a different VirtualHost, as you can only have one certificate per VirtualHost), or get a multidomain cert, i.e., one that covers both www and non-www.
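The point made in the answer above, as an added example that is not part of the original thread: the browser checks the requested hostname against the certificate's subjectAltName entries during the TLS handshake, before any .htaccess redirect can be served. The sample certificates are constructed dictionaries in the format returned by Python's `ssl.SSLSocket.getpeercert()`, and all function names are hypothetical.

```python
import socket
import ssl


def san_dns_names(cert):
    """DNS names from a cert dict in ssl.SSLSocket.getpeercert() format."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def name_matches(pattern, host):
    """RFC 6125-style match: '*' only as the whole leftmost label, one label deep."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def uncovered_hosts(cert, hosts):
    """Hostnames a browser would reject at the TLS handshake, i.e. before
    any redirect configured for that host could be delivered."""
    names = san_dns_names(cert)
    return [h for h in hosts if not any(name_matches(n, h) for n in names)]


def fetch_cert(host, port=443, timeout=5):
    """Fetch a live certificate. The chain is still verified; only the
    hostname check is disabled so a mismatching cert can be inspected.
    Needs network access and is not used by the constructed samples."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples (not real certificates).
BARE_ONLY = {"subjectAltName": (("DNS", "example.com"),)}
WILDCARD_ONLY = {"subjectAltName": (("DNS", "*.example.com"),)}
BOTH = {"subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com"))}
HOSTS = ["example.com", "www.example.com"]  # every host that must redirect

if __name__ == "__main__":
    for label, cert in (("bare only", BARE_ONLY),
                        ("wildcard only", WILDCARD_ONLY), ("both", BOTH)):
        print(label, "-> uncovered:", uncovered_hosts(cert, HOSTS))
```

The wildcard sample shows the reverse failure: `*.example.com` covers `www.example.com` but not the bare `example.com`, so a certificate for a site that redirects between the two needs both names listed.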


#4

I think I’m satisfied that the htaccess is what it should be. It looks like what needs to change is the certificate set up.
I think the warning pages will be more alarming to visitors than the absence of https was. The site does not strictly need it being primarily informational without dealing with sensitive data. It was just that a client mentioned it yesterday after one of his team had got in a flap about it after listening to some doom mongering, I think someone trying to sell them a certificate.


#5

I initially struggled with using the LetsEncrypt free SSL version, so much so that I created a free website URL checker:

https://supiet2.tk

I have about a dozen sites all using HTTPS and set each site by using the Certbot defaults.

Beware, I painfully learnt that once a permanent 301 redirection has been requested, changing global routers is extremely difficult. It is far better to use the temporary 302 redirect until the htaccess is working correctly.


#6

@SamA74, why are you doing all the redirecting in .htaccess? Do you not have access to the server’s virtual host config files?

Just throwing it out there… I use https://www.sslforfree.com/ and have no problems with it.

> Beware, I painfully learnt that once a permanent 301 redirection has been requested, changing global routers is extremely difficult. It is far better to use the temporary 302 redirect until the htaccess is working correctly.

@John_Betong, what are you referring to as “global routers”? PM me about the problem you had so we don’t hijack the thread.


#7

[off topic]
Rather than “hijack the thread” I think it would be best to make an “Off topic” comment.

There are many Global Router DNS Checkers which I believe (but could be wrong) that it is not easy to change a permanent 301 redirect:

[/off topic]


#8

Redirect is not a DNS concern, DNS doesn’t speak or even know about the existence of HTTP (nor should it).

Persistent 301 redirects happen because the browser caches them. So if you ever visited URL A and got a 301 redirect to URL B, then the next time you request URL A in your browser it won’t even bother hitting A at all, but request B directly.
In the case of 302 it will request A again every time, because the redirect may have changed.


#10

No I don’t have access. I only have cPanel and FTP access. TBH server config is not my thing, I can hack my way through htaccess, but beyond that is unknown.

That’s looking like the easier option, I think it’s just a case of listing the domains when making the CSR. Would I need to remove the existing certificate, or will it be replaced when I add a new one?


#11

That is what you need to do. You will need to replace/delete the existing cert then restart the server.


#12

I checked and was most surprised that it is the browsers that are very reluctant to release the redirection.

I was confused by the numerous 301 permanent redirection problems when I Googled for answers.

It appears that most solutions recommend using the temporary 302 redirect until the htaccess is working correctly.


#13

Here is my way, I hope it will be helpful.

# removes www for HTTP 
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ http://%1/$1 [R=301,L]

# removes www for HTTPS
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

# forces HTTPS
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]

#14

The redirect I used worked fine, the issue was the certificate not covering both versions of the domain.