2

I am not very familiar with server configurations; please help me with this issue:

I have a Debian8 server and an SSL certificate. The SSL certificate is only for my non-www domain, so I would like to redirect all www requests to non-www. With the .htaccess code below, it's working for some browsers but not working for some others.

On Chrome: Successfully redirecting http://www.example.com or http://example.com requests to https://example.com. This is what I want for all browsers.

On Mozilla: Redirecting the http://www.example.com request to https://www.example.com, and it stopped working with an INSECURE CONNECTION error. I think from here the browser is checking first for the SSL certificate of www and stops before the non-www redirect.

The following is my .htaccess to redirect www to non-www with HTTPS. Is there anything I missed in .htaccess? Or is there any other solution through DNS or with the help of Apache's default ssl.conf?

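```apache
RewriteEngine On

# Redirect any www host to the same host without www, over HTTPS
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

# Redirect remaining plain-HTTP requests to HTTPS on the same host
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
```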

My SSL certificate is from Certbot and I followed this tutorial to install it: https://www.youtube.com/watch?v=-TPoGQ4IjDI&t=100s. You can see there is only one domain prompted, the non-www one, with no option for setting an SSL certificate for www. If I could get an SSL certificate for www, then I could also solve the issue.

MrWhite
Riyas Muhammed

3 Answers

3

> it's working for some browsers but not working for some others

It shouldn't be "working" for any browser, unless you have perhaps previously accepted the invalid certificate? You will get the invalid certificate browser warning before your site receives the request. The SSL handshake is the very first thing that occurs during the request to ensure the connection is secure; it's not possible to implement a redirect (or anything) before this occurs.

The only way to resolve your problem is to implement an SSL cert that covers the www subdomain.

MrWhite
  • But it's totally working fine in Chrome. Anyway, like you said, let me think about a new certificate that covers www also... – Riyas Muhammed Jul 03 '17 at 09:23
  • Here is a free SSL certificate that provides free SSL for www and non-www, but I don't know how to install this on a Debian8 server. – Riyas Muhammed Jul 03 '17 at 09:27
  • Sorry, link missed: https://www.sslforfree.com/ – Riyas Muhammed Jul 03 '17 at 09:56
  • 2
    You would expect to see a browser cert warning when trying to access `https://www.example.com` (i.e. HTTPS and www) since the cert does not cover www. This is what I assume you must be requesting (or you have enabled HSTS)? In this situation, a cert that covers www is required. (Most basic certs do cover both the apex domain and www subdomain these days.) However, on re-reading your question, you would not normally expect a request for `http://www.example.com` to result in an INSECURE CONNECTION error (unless you had enabled HSTS - in which case the _browser_ auto upgrades the connection)? – MrWhite Jul 03 '17 at 10:05
  • How do I enable HSTS? I am not very familiar with it; please advise me. – Riyas Muhammed Jul 03 '17 at 10:08
  • 1
    When the user accesses `https://...` you can send back a `Strict-Transport-Security: max-age=NNNN` HTTP response header. From now on (until it expires) the _browser_ will always send requests to HTTPS, even if the user types HTTP. You should consider this a one-way process - there is no way to go back to HTTP (before it expires), once HSTS has been enabled. – MrWhite Jul 03 '17 at 11:00
  • Thanks for your answer. Also, do you know how to install an SSL certificate on Debian8? I have the following files: **ca_bundle.crt**, **certificate.crt** and **private.key** – Riyas Muhammed Jul 03 '17 at 11:21
  • Unfortunately, that's another (and probably too broad) question. Not something that can be stated in comments. – MrWhite Jul 03 '17 at 23:27
  • I had this same problem and the solution was to update the certificate. I guess Chrome has a cache, or automatically tries other URLs (??) so it 'appears' to work. But the real solution is updating the SSL certificate. – arod Sep 18 '17 at 18:37
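An added example, not part of the original answer or comments: a small model of why the redirect cannot rescue `https://www.example.com`. The certificate dictionaries are constructed sample data in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the function names and the `hsts_hosts` set (hosts the browser already treats as HSTS) are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

CERT_ERROR = "certificate error: handshake fails, no redirect is ever sent"
REACHES_SERVER = "request reaches Apache: rewrite rules can redirect"

# Constructed sample certificates (only the field used for name checks).
APEX_ONLY = {"subjectAltName": (("DNS", "example.com"),)}
APEX_AND_WWW = {"subjectAltName": (("DNS", "example.com"),
                                   ("DNS", "www.example.com"))}
WILDCARD = {"subjectAltName": (("DNS", "*.example.com"),)}


def san_matches(pattern: str, host: str) -> bool:
    """Exact match, or '*' standing for exactly one leftmost label."""
    p = pattern.lower().rstrip(".")
    h = host.lower().rstrip(".")
    if p == h:
        return True
    if p.startswith("*.") and "." in h:
        # *.example.com covers www.example.com, but not the apex
        # example.com and not a.b.example.com.
        return h.split(".", 1)[1] == p[2:]
    return False


def cert_covers(peercert: dict, host: str) -> bool:
    """True if any DNS subjectAltName entry matches the requested host."""
    names = [v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]
    return any(san_matches(n, host) for n in names)


def first_hop(url: str, peercert: dict, hsts_hosts=frozenset()) -> str:
    """Outcome of the first request, before any .htaccess rule can run."""
    parts = urlsplit(url)
    scheme, host = parts.scheme, parts.hostname
    if scheme == "http" and host in hsts_hosts:
        # HSTS: the browser upgrades to HTTPS itself, so the server
        # never sees a plain-HTTP request it could redirect.
        scheme = "https"
    if scheme == "https" and not cert_covers(peercert, host):
        return CERT_ERROR
    return REACHES_SERVER


if __name__ == "__main__":
    for u in ("http://www.example.com/", "https://www.example.com/"):
        print(u, "->", first_hop(u, APEX_ONLY))
```

With the apex-only certificate, only the plain-HTTP request for www gets as far as the rewrite rules; a certificate listing both names is what makes every entry point redirectable.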
0

This should be a comment, but it's a bit long.

> I think from here the browser is checking first for the SSL certificate of www and stops before the non-www redirect.

Why do you think that?

Did you look at your logs to see what was actually being requested?

The most likely reason for this behaviour is that your Firefox browser is unable to verify the certificate - but you checked the specific error message and decided it wasn't relevant to the discussion here so you didn't tell us what it is. And you tried pointing Firefox directly at https://example.com and did not get the same error.

Or did you?

symcbean
0

It worked for me!
Basically, in terms of SSL, http://www.example.com and http://example.com are different domains. You need to reissue the certificate and add http://example.com as the primary domain and add http://www.example.com as another domain.

https://www.namecheap.com/support/knowledgebase/article.aspx/811/70/how-do-i-reissue-my-ssl-certificate

Hamid