0

My situation:

If I type https://www.agavepv.com or agavepv.com the site shows up as secure with the lock. However, if I type the address www.agavepv.com it shows up as not secure. What is wrong with my settings?

The Facts:

  1. I have the agavepv.com domain registered on GoDaddy.com
  2. I am hosting my site on Heroku
  3. I have paid hobby dynos which allows me to use ACM for my SSL Certificates
  4. I change my DNS settings on GoDaddy and added a CNAME record, the host is www and it points to immense-mullberry-lq60rwg6xrhb0odbnaw2idyi.herokudns.com
  5. I was on with Heroku support regarding my root domain and this is what I was told: For your root domain agavepv.com you need to point to the DNS target damp-mayflower-pdp4pxd06oq94i5rojwp1rzy.herokudns.com using ALIAS/ANAME record. Although GoDaddy does not support ALIAS/ANAME so you may need to use URL redirects/forwarding for your root domain.
  6. My domain forwarding settings are as follows: Click to see GoDaddy Domain Forwarding Settings for agavepv.com domain
  7. My Heroku custom domains are setup like this.
  8. When I check my certs in the command line using heroku certs:info i see this.
  9. When I run curl -vI https://www.agavepv.com I see this.

Currently, when I type in https://www.agavepv.com OR agavepv.com into the browser, my site shows up as secure. However, if I type www.agavepv.com the browser indicates the site is not secure. How do I change my settings so that all three scenarios indicate they are secure and show the lock?

Second, would it be worth it to pay for a domain transfer to another registrar that does allow for ALIAS/ANAME records?

I am very new to this subject so I apologize if what I am missing is very obvious! Someone please help, this has taken up so many hours!

Alexander
  • 1
  • 1
  • You probably don’t redirect from insecure plain http to https - modify your server/site configuration to do that for you – Bob Jan 22 '20 at 20:26
  • @HermanB thank you. As mentioned, I am kind of a noob in this department so can you please add more color to your statement? How would I go by doing that? – Alexander Jan 22 '20 at 20:29
  • `HTTP` redirects are sent by the web server. The main question is: what web server configuration do you have access to? – Piotr P. Karwasz Jan 22 '20 at 21:10
  • @PiotrP.Karwasz [This](https://github.com/TheGreekCuban/agavepv/blob/master/server.js) is the repo link to my `server.js` file. I just now added the `sslRedirect package` but still does not show up as secure when I type `www.agavepv.com.` You can see the `npm` docs for that package [here](https://www.npmjs.com/package/heroku-ssl-redirect). – Alexander Jan 22 '20 at 21:43
  • Yes, the module is [5 lines of code](https://github.com/nodenica/node-heroku-ssl-redirect/blob/bd081b53fb769f2b8dc214901bd039e6fb581e09/index.js) altogether. It should work if you are in `production` mode, maybe it takes time to redeploy. Otherwise write a handler that will dump all the `HTTP` headers that the [Heroku proxy server](https://ninenines.eu/) sends you. Maybe they don't send `X-Forwarded-Proto` any more. – Piotr P. Karwasz Jan 22 '20 at 22:01

0 Answers0