Firefox not forwarding to https://non-www.domain.com - .htaccess

I am working on a GoDaddy VPS (Apache, CentOS, cPanel). I have an SSL certificate valid for example.com but NOT www.example.com.
I want to use a .htaccess file to forward any requests to https://example.com/<pages>.
My code:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.*)$ [NC]
RewriteRule ^(.*) https://example.com/$1 [L,R=301]
The problem:
All tested browsers (Chrome, Edge, Opera) work fine for all combinations of http, https, www, and specific pages. However, Firefox does NOT forward https://www.example.com (with or w/out pages).
I get a security warning stating that www.example.com is not on the cert.
I have tried numerous other code snippets but none seem to work.

Firefox may seem like the oddball, but actually it's the other browsers doing it "wrong" - to be forgiving with other people's server misconfiguration in favor of the user's convenience. (Also, it will look less odd once you realize that all three browsers you mentioned - Chrome, Edge, Opera - are forks of Chromium.)
If you look in the Chrome devtools, you'll see this:
Redirecting navigation www.example.com -> example.com because the server presented a certificate valid for example.com but not for www.example.com. To disable such redirects launch Chrome with the following flag: --disable-features=SSLCommonNameMismatchHandling
So, even though you didn't present a valid certificate for https://www.example.com, Chrome was nice enough to execute the redirect anyway, because you did present a certificate that was valid for the target domain of the redirect (example.com), even though technically the redirect response was returned over a connection that wasn't properly secured (with a certificate not matching the requested domain).
The solution would be to have a proper SSL certificate in the first place, including all the domains that you want your site to be reachable under, in that case probably just example.com and www.example.com. (Some certificate issuers will even include the www subdomain for free if you purchase a certificate for the naked domain.)

Related

Redirect Domain & Sub-domain to HTTPS

I am trying to redirect my domain and subdomain to https. I have subscribed to Wildcard SSL and made the modifications below to the .htaccess file, as per this guide.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
I am now seeing HTTPS 'Secure Connection' on my main domain. But on the sub-domain, it is still showing 'Not Secure' although HTTPS is in the domain.
What changes do I make here to redirect my subdomain as well to https 'Secure Connection'?
Looks like there is a problem with your cert installation or signing, that is why it shows "Not Secure".
You may want to try to check if the cert is correctly installed using some checker tool:
Example. https://cryptoreport.websecurity.symantec.com/checker/
Or check with your cert and hosting provider for assistance to see if it is your cert installation or signing problem.
You need to apply/check other .htaccess file(s) in your sub-domain(s) root directories. For example, subdomain.yourmaindomain may be located in the root/subdomain folder (this needs to be checked - it depends on your subdomain settings).

Let's Encrypt SSL Causing Issue with Chrome

I have multiple sites on my host using Let's Encrypt and all of them have had no issues. Today I'm trying to install a certificate on joescottocpa.com. The certificate will install but when I visit the site it gives me a Your connection is not private error. When I inspect the certificate it says that it is valid.
I'm able to go to the actual HTTPS address with no issues. When I type just the domain joescottocpa.com in, it will sometimes work without issues, sometimes give me the error, and other times just redirect me to my hosting provider's homepage.
I am using an .htaccess file to redirect the page, the code on the file is the exact same that I've used for every other site that uses HTTPS. Any help at all would be great.
Thanks!
.htaccess:
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://joescottocpa.com/$1 [R,L]
The issue was with my host. Something with their settings was off that they wouldn't tell me. Needless to say this host caused issues before so I decided to switch to a new host and the issue was no longer there.

Browser Warning After Removing SSL

I canceled my SSL certificate subscription but all my pages are indexed with https on search engines.
So I added a redirect to my .htaccess file
RewriteCond %{HTTPS} on
RewriteRule (.*)$ http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
but I still can't go through the old https links without getting a warning:
The certificate for this website is invalid. You might be connecting to a website that is pretending to be www.flashmavi.com, which could put your confidential information at risk.
What am I doing wrong?
What am I doing wrong?
You still have SSL enabled but your certificate for the site is no longer valid. Thus browsers complain about the invalid certificate. The redirect will only be done inside the SSL connection, that is after the browser complained and the user explicitly ignored the warnings.
Your only ways are either to get a new certificate or to disable SSL completely so that browsers don't get a warning but simply fail and the search engine will update the index after a while. Note that you cannot disable SSL completely for a single host if there are other sites on the same IP address using SSL.

Apache mod_rewrite condition for hosted domain with SSL

I have five hosted domains with a multi-domain SSL certificate. I cannot write an .htaccess condition that captures both http and https conditions for CNAME www.altdomain.com (a secondary domain). When a user types "https://altdomain.com" in the browser location bar, it shows "connection untrusted" and the URL remains as is. Typing the same with http correctly redirects to https://www.altdomain.com and when the https is omitted, "altdomain.com" is correctly redirected as well.
I am using joomla with a configuration that hides a subdirectory from the URL. The doc root .htaccess file contains this in the custom redirect section:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^altdomain\.com
RewriteRule ^(.*)$ https://www.altdomain.com$1 [R=301,L]
Activating a joomla SSL plugin while omitting custom redirect rules in .htaccess also works, but "https://" with "altdomain.com" fails to redirect in all cases. Perhaps I should have omitted www from the CNAME but there would be a redirect issue there as well if anyone types www in the URL, and I can't change the CNAME without purchasing a new SSL certificate. If there is no .htaccess solution to this problem as I suspect, please explain why.
The standard redirect between www and non-www URLs works only on the primary domain or for http connections. For secure / https connections on secondary domains, there must be an exact CNAME match on the SSL certificate - redirection to a host name that is not listed as a CNAME on the certificate will not work even if the domain name is the same.
If I want https connections to redirect from altdomain.com to www.altdomain.com and vice-versa on a multi-domain SSL certificate, I have to include both CNAMES in the certificate. A five-domain SSL certificate is therefore limited to three domains.
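The rule that runs through the answers above (the www/non-www redirect, the wildcard sub-domain and the multi-domain certificate) is that the browser validates the certificate against the requested hostname before it ever reads a redirect. The following is an added example, not code from any of the original posts; the SAN lists are constructed sample data and the function names are hypothetical.

```python
# Added example: which hostnames can actually reach the server's 301?
# The SAN lists in __main__ are constructed, not read from a real certificate.

def san_matches(pattern, host):
    """Match one dNSName SAN entry against a hostname (RFC 6125 style).

    A wildcard is honoured only as the entire left-most label and stands
    for exactly one label, so *.example.com covers www.example.com but
    neither example.com nor a.b.example.com.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse overly broad wildcards such as *.com.
        return len(p) >= 3 and bool(h[0]) and p[1:] == h[1:]
    return p == h


def cert_covers(sans, host):
    """True if any SAN entry on the certificate covers the hostname."""
    return any(san_matches(s, host) for s in sans)


def redirect_plan(sans, sources):
    """For each hostname that may receive an https:// request, report
    whether the client gets as far as reading the redirect response."""
    return {h: ("redirect reachable" if cert_covers(sans, h)
                else "certificate warning before redirect")
            for h in sources}


if __name__ == "__main__":
    hosts = ["example.com", "www.example.com", "app.example.com"]
    certs = {
        "apex only": ["example.com"],              # as in the first question
        "wildcard only": ["*.example.com"],        # constructed: no apex SAN
        "apex + www": ["example.com", "www.example.com"],
    }
    for name, sans in certs.items():
        print(name, redirect_plan(sans, hosts))
```

The SAN list to feed in is the Subject Alternative Name extension shown by `openssl x509 -noout -text -in cert.pem` (`cert.pem` is a placeholder path).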

SSL issue and redirects from https to http

I have a site www.example.com for which I purchased an SSL cert and installed it.
It was working fine. I also have a subdomain, app.example.com, which was not on SSL.
Both www.example.com and app.example.com are on the same IP address.
Later we decided to put SSL only on app.frostbox.com, so I configured SSL with app.frostbox.com and it worked fine.
Now the issue is that Google is indexing my site as https://www.example.com/, and when users hit the web, an invalid security warning is issued, and when a user allows the security issue they are shown my app.example.com contents.
Note: I have my SSL configuration files in /etc/httpd/conf.d/ssl.conf
The contents of the ssl.conf are below.
http://pastebin.com/GCWhpQJq
NOTE: I tried solutions in .htaccess but none of those worked, like 301 redirects etc.
Purchase a SAN-multi domain certificate. Issue the certificate to www.abc.com and add the additional SAN www.app.abc.com in and it will work.
Hopefully you are within the 30 day cancellation policy.
You need to edit your httpd.conf file or the file where your virtual host is specified and add these lines to redirect http to https:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
