0

I hope this is not a duplicated question, but i can't find the answer to my question. I'm already using an http to https htaccess redirect, which is as follows:

RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

This resolves almost any case, except this one: if i call this URL:

https://domain.com

The result is a page with an invalid certificate issue, which is correct because i only have bought certificates for domains with the "www".

My question is: is there a way to create an htaccess redirect from https://domain.com to https with "www"? Or the only solution is buying certificates also for non-www domains?

As an additional note, i specify that we are running a multi-domain website.

Thank you!

Jonotespere
  • 23
  • 1
  • 4
  • `${SERVER_NAME}` is set in your .conf file, and you probably have it as `ServerName domain.com`. Change it to `www.domain.com`, or at least redirect to that address, e.g. `RewriteRule ....//www.%{SERVER_NAME}...`. And consider a wildcard certificate if you want to use multiple subdomains for your main domain. depending on your registrar, one wildcard can be cheaper than multiple `foo.domain`, `bar.domain` etc... individual certs – Marc B Jan 14 '16 at 14:25

1 Answers1

1

Changing your configuration to add the redirect https://example.com => https://www.example.com will not fully solve your problem :

The browser will connect to https://example.com and show the certificate error before getting the redirect information.

You must create a certificate (buy or use let's encrypt for example) for the non-www domain.

Tom
  • 4,666
  • 2
  • 29
  • 48
  • Thank you @Tom for clearing this out. I was wondering if it wasn't a problem of "correct coding" but the problem you identified. – Jonotespere Jan 14 '16 at 14:47
  • In your opinion, beside buying non-www certificates, is there another possible solution? – Jonotespere Jan 14 '16 at 14:50
  • @Jonotespere Having a valid certificate for the main domain is generally a good idea in case your visitors type the domain manually, and it allows you to use HSTS+preload, which is a huge step in term of security. – Tom Jan 14 '16 at 14:56