1

I am trying to get my domain to always redirect to a non-www version and always use https. I found this answer, but it only kind of works.

It works if I try any of the following:

http://domain.com (This will redirect properly to https://domain.com)
http://www.domain.com (This will redirect properly to https://domain.com)
https://domain.com (This does nothing as it is already correct)

However, if I type https://www.domain.com then I get an error that the domain isn't secure and it doesn't redirect.

Here is my .htaccess rules:

############ START [ENABLE REWRITE ENGINE] ############
RewriteEngine On
RewriteBase /
############  END [ENABLE REWRITE ENGINE]  ############

############ START [FORCE NON-WWW AND HTTPS] ############
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule .* https://%1%{REQUEST_URI} [R=301,L]
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule .* https://%1%{REQUEST_URI} [R=301,L]
############  END [FORCE NON-WWW AND HTTPS]  ############

I know one option would be to just buy an SSL for the www. version of the domain, but I would prefer to save the money if possible.

Community
  • 1
  • 1
tvirelli
  • 458
  • 7
  • 22
  • 1
    most ssl certs (even the $5 positive/rapidssl ones) will work for both domainname and www.domainame (they include it as a Subject Alternative name). but the error you get for it not being secure is that due to the cert failing? if your cert doesn't cover https://www there will be no way to redirect it, since the https negotiation takes place at connection time. before any requests are made / redirection can happen – Doon Sep 21 '15 at 16:55
  • Well, not the answer I was hoping for, but thank you! If you put this as an answer, I will accept it. – tvirelli Sep 21 '15 at 17:23
  • Whenever you buy a Cert rule of thumb is to buy for the subdomain, `www.domain.com` then you automatically get `domain.com` included almost always from most CA's. However doing just `domain.com` doesn't always give you `www.domain.com`. The one's that don't do it are just greedy and want you to buy 2. Don't use them. `ssls.com` is very cheap for a regular cert. – Panama Jack Sep 21 '15 at 17:26

1 Answers1

3

As HTTPS negotiation happens before any request is made, you cannot redirect to the correct hostname on certificate name mismatch. You can get cheap SSL certs that do have both www and the domain as Subject Alternative names.

Doon
  • 19,719
  • 3
  • 40
  • 44