I have ordered an SSL certificate which covers my root domain only and it can be successfully accessed through https://domain.com.
I have created a redirection from all requests from https://www.domain.com to the root domain.
However, when trying to access https://www.domain.com which was supposed to get redirected to https://domain.com the browser returns the following warning mentioning about a security risk of proceeding with the navigation:
This is probably not the site your are looking for!
You attempted to reach www.domain.com, but instead you actually reached a server identifying itself as domain.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of www.domain.com.
You should not proceed, especially if you have never seen this warning before for this site.
Is it somehow possible to redirect from www to the root domain using HTTPS without having to order another SSL certificate for www only for redirections?
PS: domain.com is just a placeholder to help illustrating the question.
Unfortunately SSL certificate negotiation happens before mod_rewrite rules come into effect. THerefore even before your 301 rule can redirect URIs to non-www domain, browser has already received certs for non-www while still on www domain. That is the point it shows that dreaded warning to visitor that cert is invalid.
You have 2 options:
(Recommended) Most of the certs these days allow you to use www with TLD, check with your provided if this is the option.
Go for wildcard certs (more expensive).
Related
I have a wildcard certificate for *.domainname.com. I know that TLS sessions are set up before any URL rewrite rules happen. I have the URL test.domainname.com working fine and redirecting to https. But what happens when someone may type in www.test.domainname.com. Now they get "Your connection is not private" because the www adds one more level and makes the wildcard certificate invalid. I would like to strip out the www with a rule but the SSL check happens first. How do people handle this so that all URLs end up at the same place with no errors?!? I am using Windows Server and IIS...
I'm using a shared hosting website to host the website and I have a SSL certificate. When I navigate to www.example.com, I don't see the padlock and it says the website is not secure, however, if I navigate to https://example.com or http://example.com, I see the padlock and it says the website is secure.
What am I meant to do to make it so that when a user types www.example.com to be sent to the https://example.com version? Do I have to forward the domain to https://example.com or do I have to fiddle with some htaccess settings?
Check Ben's answer here:
https://stackoverflow.com/a/1270281/7118098
This is an .htaccess edit, assuming you're using Apache on your host.
The problem is that you're manually accessing https:// so it works, but accessing http:// doesn't redirect you because it's not https:// enforced.
Almost all SSL certificates secure both versions of the website (www and non-www). But, I think your web hosting provider does not offer this feature. However, you can redirect your www domain to a secure domain (I mean non-www version).
I am facing a weird issue. I do not know if it is Nginx related or DNS related but here is the problem :
I have a domain that is fine, let's say foobar.com , SSL does not face any issue. Both www. and root domain work with HTTPS.
I have a second domain, let's say foobaz.net, I need to redirect it to foobar.com in every situations (both www. and root domains).
It does actually redirect, but when I try to access https://foobaz.net/ I get a HTTPS error/warning before being redirected to https://foobar.com/ after adding it the the SSL exceptions of Chrome (https://foobar.com/ SSL certificate is OK once I get past https://foobaz.net/ SSL warning).
I do not know if it is Nginx related or DNS related, any clue of what is happening here ?
Thanks in advance.
Any https connection checks the ssl certificate before proceeding to do what it needs to do in the server(in your case, a redirection). You may have a certificate for foobar.com, which is perfectly fine, but if you don't have a valid foobaz.com certificate. That's why the error shows up, foobaz is not "secure".
A https connection is secure if all the points between you and the endpoint are secure, not only the endpoint. If foobaz is not certified, that is a non-secure middle point on your connection, and that's why the warning happens.
Get a SSL certificate for foobaz too, and the whole connection will be secure.
I've been using Heroku to host and manage a website of mine that requires an SSL certificate. For the last year and a half I've been using ZerigoDNS to manage my domain and SSL redirecting (although, redirecting from non-https, non-www to https and www does not work).
I just got a notice from Heroku that they will be shutting down ZerigoDNS soon and they recommend switching to PointDNS. I couldn't find any information in the PointDNS documentation about managing SSL redirects.
Here's what I'm looking to do:
non-www non-https redirects to https and www
non-https redirects to https and www
https but non-www redirects to https and www
The reason everything needs to be forwarded to https and www is that's what the ssl cert was created for (the www is required. I don't have a wildcard certificate).
Does anyone familiar with PointDNS know how to to set up the records and redirects properly?
Thanks in advance!
Regarding non-www to www redirects, I just got that to work as follows:
First, you must add both www.your-domain.com and your-domain.com as custom domains.
heroku domains:add andrewpuglionesi.com
heroku domains:add www.andrewpuglionesi.com
I have a CNAME record with name www.my-domain.com.. The text in its data field is my-heroku-domain.herokuapp.com. I also have an alias record with the name my-domain.com., and I made its data field www.my-domain.com. In other words, the alias just points to the CNAME.
I don't know if this is well-advised, but it seems to work (and without sticking www in the user's URL, at that). It simply solves the problem where you can't access pages other than the index without having www there). I like how Heroku and PointDNS' documentation both say you can easily do redirects and then don't actually explain how to... I guess this is one way.
I've previously been able to force https protocol through the backend of a Django site. I can't remember the exact method I used, but you might be able to do it without the DNS stuff.
First, add both www.your-domain.com and your-domain.com as custom domains under settings or run below commands
heroku domains:add domainname.com
heroku domains:add www.domainname.com
For redirection, you need to do it via server, eg. if you are using apache you can achieve redirections via .htacess file.
Also, you can only redirect non-www to www with pointDNS redirect option
I have a Debian server which is running a number of client sites. Most of these are not running SSL so accessing by HTTP is fine.
I have one customer with an SSL certificate and accessing their site via HTTPS is fine too.
The problem comes if you try to access one of the other sites with HTTPS you get directed to the other site that has the SSL certificate.
For instance, lets say we have the following sites on the server:
alpha.net
bravo.net
charlie.net (SSL)
delta.net
So as you can see, charlie is the only one with SSL, and irrespective of if you go to http charlie.net or https charlie.net, it works fine.
http to all the other sites is fine, but if you were to go to https alpha.net, it will initially come up with an Invalid Certificate error and let you continue but whilst it has alpha.net in the address bar, its actually showing the charlie.net site in the browser.
I have researched SNI and how if any other sites have SSL I'll need to put them all on specific IP addresses (something else I need to try to work out how to do as I have no idea) but I am not sure why this is happening or how I resolve it.
Has anyone else encountered this before and how did you get around it?
Many thanks,
Rob
This does not have anything to do with SNI, as you currently only have one HTTPS server. What happens, as you've stated in your comment, is that the alpha.net domain resolves to your server's IP. Your Apache server is set up to listen for requests on port 443 on this IP, and to serve the contents of charlie.net to these requests. (And the certificate error means that the browser noticed the discrepancy between the certificate's alleged domain name and the domain name used for the request.)
Redirecting from HTTPS to HTTP is probably more trouble that it's worth, since you would need valid certificates for each domain, lest you present your users with another security warning. This would entail creating virtual hosts for alpha.net:443 and so on, on an SNI capable server (i.e., later versions of Apache 2.2+ with openssl), and adding a redirection like so:
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI}
Probably the easiest course for your problem is to use a different IP for charlie.net. With this setup, there would be no way for alpha.net (and so on) to display the contents of another site.
If you have multiple IPs on your server, use a unique one for the SSL site, all non-SSL sites share another IP.
Since SSL doesn't care what is the domain you are visiting, it only cares if the current domain is approved from the list of domains(Common Name) it gets from the Ip address.