I have just had my first go at adding a certificate to a site, initially it seems to be going OK.
But now I’m having trouble getting all the redirects to work.
I have it working going from http to https but the default domain is non-www and that’s where I’m seeing a problem.
Previously www.example.com would redirect fine to example.com but since adding the certificate and modifying redirects for that:-
http://example.com will redirect to https://example.com
http://www.example.com will redirect to https://example.com
But https://www.example.com gives me an “Insecure Connection” page in Firefox.
www.example.com uses an invalid security certificate.
The certificate is only valid for example.com.
Error code: SSL_ERROR_BAD_CERT_DOMAIN
Is it that the browser is detecting it’s the wrong domain for the certificate before htaccess is able to redirect?
I tried a few different things in htaccess and all (that I think should work) gave the same result.
The latest method I tried was:-
The security message comes up in Firefox, IE shows something similar. But I found that in Chrome the redirect works without a hitch forwarding the user to the secured canonical URL.
I guess that means that htaccess is OK and this is the browser jumping the gun to condemn the site before it redirects.
Yes, that is exactly what is going on. If your cert is only for example.com you can’t use it to redirect www.example.com because the browser will refuse to connect to www.example.com as the connection is not secure.
You’d either need to get a separate cert for www.example.com and install that as well (in a different VirtualHost, as you can only have one certificate per VirtualHost), or get a multidomain cert, i.e., one that covers both www and non-www.
I think I’m satisfied that the htaccess is what it should be. It looks like what needs to change is the certificate set up.
I think the warning pages will be more alarming to visitors than the absence of https was. The site does not strictly need it being primarily informational without dealing with sensitive data. It was just that a client mentioned it yesterday after one of his team had got in a flap about it after listening to some doom mongering, I think someone trying to sell them a certificate.
I have about a dozen sites all using HTTPS and set each site by using the Certbot defaults.
Beware, I painfully learnt that once a permanent 301 redirection has been requested, changing global routers is extremely difficult. It is far better to use the temporary 302 redirect until the htaccess is working correctly.
@John_Betong, what are you referring to as “global routers”? PM me about the problem you had so we don’t hijack the thread.
Redirect is not a DNS concern, DNS doesn’t speak or even know about the existence of HTTP (nor should it).
Persistent 301 redirects happen because the browser caches them. So if you ever visited URL A and got a 301 redirect to URL B, then the next time you request URL A in your browser it won’t even bother hitting A at all, but request B directly.
In the case of 302 it will request A again every time, because the redirect may have changed.
No I don’t have access. I only have cPanel and FTP access. TBH server config is not my thing, I can hack my way through htaccess, but beyond that is unknown.
That’s looking like the easier option, I think it’s just a case of listing the domains when making the CSR. Would I need to remove the existing certificate, or will it be replaced when I add a new one?
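An added example, not part of any post in this thread: a small model of the behaviour discussed above, where the certificate's names are checked against the requested hostname during the TLS handshake, before any .htaccess redirect can be sent. The certificate name lists and the function names are constructed for illustration, and the wildcard case goes slightly beyond what the thread covers.

```python
from urllib.parse import urlsplit

# Constructed certificate name lists (subjectAltName DNS entries), illustration only.
CERT_SINGLE = ["example.com"]                      # the situation in the thread
CERT_MULTI = ["example.com", "www.example.com"]    # multi-domain certificate
CERT_WILDCARD = ["*.example.com"]                  # wildcard on its own

def san_matches(pattern, host):
    """Match one SAN entry: exact, or '*' as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):           # '*' never spans more than one label
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def cert_covers(sans, host):
    """True if any name in the certificate matches the requested host."""
    return any(san_matches(s, host) for s in sans)

def first_request(url, sans, canonical_host="example.com"):
    """Outcome of the first request for a client that validates the hostname."""
    parts = urlsplit(url)
    if parts.scheme == "https" and not cert_covers(sans, parts.hostname):
        return "cert-error"        # handshake fails, .htaccess is never reached
    if parts.scheme == "https" and parts.hostname == canonical_host:
        return "ok"
    return "redirect"              # server gets to answer and can redirect

def report(sans):
    """Outcome for each of the four entry URLs discussed in the thread."""
    urls = ["http://example.com", "http://www.example.com",
            "https://example.com", "https://www.example.com"]
    return {u: first_request(u, sans) for u in urls}

if __name__ == "__main__":
    for name, sans in [("single", CERT_SINGLE), ("multi", CERT_MULTI),
                       ("wildcard", CERT_WILDCARD)]:
        print(name, report(sans))
```

A wildcard entry by itself does not cover the bare domain, so a certificate meant for both names needs both listed.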