My web server is in the cloud, a VPS on Vultr. I have added the following lines to my apache.conf file:

    Options -Indexes +FollowSymLinks
    AllowOverride All
    Require all granted
    RewriteEngine On
    # Strip a leading "www." and send the request to HTTPS on the bare domain.
    # %{REQUEST_URI} keeps the original path; the pattern ^.*$ had no capture
    # group, so $1 was always empty and the path was lost in the redirect.
    RewriteCond %{HTTP_HOST} ^www\.(.*)
    RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]
    # Redirect plain HTTP (or any remaining www. host) to https://example.com/...
    RewriteCond %{HTTPS} off [OR]
    RewriteCond %{HTTP_HOST} ^www\. [NC]
    RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
    RewriteRule ^ https://%1%{REQUEST_URI} [L,NE,R=301]

These lines will redirect an http://www.example.com or an http://example.com to an https://example.com. It works very well. I do not use htaccess files.

I always try to think how a user could mess things up and in this case, I think they could enter https://www.example.com. And sure enough, it messes things up.

I want to add that I only have a LetsEncrypt certificate for the example.com domain. I do not have one for the www.example.com subdomain, like many others add to their server.

In the sites available file for the domain /etc/apache2/sites-available/example.com.conf I have:

    <VirtualHost example.com:80>
       ServerAdmin admin@example.com
       ServerName  example.com
       ServerAlias example.com
       # above line eliminates www.example.com
       DocumentRoot /var/www/example.com
       ErrorLog ${APACHE_LOG_DIR}/error.log
       CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>

I do not use a VirtualHost file for the 443 port.

I have read other stackoverflow comments and questions about the issue of https://www.example.com. I reference a near identical request that does not eliminate my problem, but maybe they have a certificate for the www subdomain, allowing the proposed solution there to work: "Best Practice: 301 Redirect HTTP to HTTPS (Standard Domain)".

My assumption is that possibly:

  1. My apache.conf code has an error.
  2. I need an additional certificate for the www subdomain.
  3. Some other solution.

What is the best way to proceed here? Or do others just ignore this since it will be overshadowed by the browser screaming about how unsafe the site is?

  • Just add that www domain to your existing let's encrypt certificate. You can do that yourself, typically. – arkascha May 15 '22 at 06:11
  • I'm thinking I cannot get away with just the TLD in the certificate. It's easy to add the www subdomain, but that doubles the certificates on the website. And one certificate is so clean! I was hoping there was some "trickery" I could place in the apache.conf file to eliminate the issue without adding a certificate for www. –  May 15 '22 at 20:42
  • No, you always have only one certificate. But that one contains multiple host names it is valid for. – arkascha May 15 '22 at 20:50

2 Answers

I need an additional certificate for the www subdomain.

If you want to access the site by https://www.example.com then you need a certificate exactly for this exact domain, i.e. www.example.com and not just example.com. There is no way around this since any redirects can only be issued by the server once the TLS connection is established, i.e. after the certificate validation.

Steffen Ullrich
  • That is true from a technical view, _but_ one should also mention that this does _not_ mean a new or separate certificate. Instead one can simply _add_ domains to an existing Let's encrypt certificate oneself. A question of a few minutes. – arkascha May 15 '22 at 06:10
  • @arkascha: One cannot change an existing certificate because this would invalidate the signature on the certificate. One can only let the CA issue a new certificate which then contains all the necessary domains - or let the CA issue a new certificate only for this new domain and adapt the server config to use this. – Steffen Ullrich May 15 '22 at 07:08
  • While that is again technically correct it sounds more complicated than it actually is. From the users point of view (the administrator), the process is an update of the certificate created before. Sure, technically a new certificate is created and installed. But the point is that the previous information is used again for that update process. So the whole process is a simple command, more or less. – arkascha May 15 '22 at 16:17
  • @arkascha: My comment was only about the technical accuracy, not how it feels :) – Steffen Ullrich May 15 '22 at 17:36
  • Steffen, the point is I do NOT want to access the site via www.example.com - I want to force the server to reroute to example.com, and as a secure connection. –  May 15 '22 at 20:24
  • @JimTippins That is not true, actually. You _do_ want to access the server via the name "www.example.com". That request you want to redirect is a normal https request. It has to be handled like any other request. For that it needs to be received and the encryption needs to get established and validated first. It is a normal communication, even if you "only" want to redirect. There is no way around having a valid certificate for that name. – arkascha May 15 '22 at 20:53
  • Arkascha, but I don't want to access my server via www.example.com. Maybe we are misunderstanding each other? –  May 15 '22 at 20:59
  • @JimTippins: if you don't want to access the site via www.example.com, then why do you explicitly try this: *"I think they could enter `https://www.example.com`. And sure enough, it messes things up."*. Either you accept that this messes things up (since you don't want to use www.example.com anyway) or you make sure that it does not mess up things - in which case you need to have it in your certificate. – Steffen Ullrich May 15 '22 at 21:28
  • @JimTippins It is not just people _typing_ "www....." into the address bar. Some browsers actually try the "www" host automatically and prefer it (why ever). So it actually does make sense to handle both variants, with and without www. You need a valid certificate for both, though, no way around that. I fail to understand why you don't want to do that, though. It is easy to do, it is free of costs, you just have to do it. – arkascha May 18 '22 at 14:25
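The order of operations the answer and comments describe, as an added illustration that is not part of the question or either answer: the browser validates the certificate against the requested host name before any HTTP response exists, so a 301 for https://www.example.com can only be issued if the certificate lists that name. The SAN matching below follows the usual RFC 6125 rules (case-insensitive exact match, or a single `*` leftmost label); `handle_request` models the rewrite rules from the question, and the certificate lists are constructed samples.

```python
from urllib.parse import urlsplit


def san_covers(san_names, host):
    """Return True if any DNS SAN entry covers host (RFC 6125 style)."""
    host = host.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        # Wildcard only in the leftmost label, matching exactly one label.
        if name.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def handle_request(url, san_names):
    """Model one browser request: TLS validation first, then the rewrites.

    Returns a (status, detail) tuple. A 'tls_error' means the handshake
    failed in the browser and the server never saw an HTTP request, so no
    RewriteRule could run.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    if parts.scheme == "https" and not san_covers(san_names, host):
        return ("tls_error", "certificate does not cover " + host)
    # RewriteCond %{HTTPS} off [OR]  /  RewriteCond %{HTTP_HOST} ^www\. [NC]
    is_www = host.lower().startswith("www.")
    if parts.scheme != "https" or is_www:
        bare = host[4:] if is_www else host
        return ("301", "https://" + bare + path)
    return ("200", "https://" + host + path)


# Constructed sample certificates (SAN lists only): the questioner's
# bare-name-only setup, and the single certificate with both names that
# the answer recommends.
BARE_ONLY = ["example.com"]
BOTH_NAMES = ["example.com", "www.example.com"]
```

With `BARE_ONLY`, plain-HTTP requests to either name redirect fine, but `https://www.example.com/` fails before the rewrite rules are reached; with `BOTH_NAMES` the same request is redirected to the bare domain.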

After much research, I have decided to go back to the https://www.example.com approach. There are several reasons.

Most websites would not notice the difference between using www and not using it. Large websites would, since they would need additional subdomains to be able to properly utilize cookies.

The other issue is the CNAME in the DNS settings. It is considered best practice to not use a bare domain with the CNAME. For example, Namecheap doesn't allow it. You must use the www subdomain with the CNAME entry.

Another concern is email. I don't know all of the details but email can get messed up by not using the www subdomain.

Some browsers actually remove the www from the URL even though it is there when they display the address. And some talk exists of a future where the www will be removed entirely.

But as of today, there is a consensus that the DNS system would have to be changed at a very basic level to accommodate no www in the address.

These things make me wary of staying with a non-www address domain URL. For now, I will return to the old school https://www.example.com.

  • "... but email can get messed up by not using the www subdomain." - That is complete nonsense. Sounds more like a wrong setup, that's all. – arkascha May 18 '22 at 14:26
  • It very well is possible to use CNAME entries with arbitrary host names. If a single provider tries to be smart and keep you from doing that, then maybe you want to switch provider? – arkascha May 18 '22 at 14:27
  • " ... And some talk exists of a future where the www will be removed entirely." No, sorry, that is not how things work. There is no one who decides what host name you are allowed to use. That is up to you. Sure, some common practice might get established through tutorials and the like. But from a technical point of view all variants are open to you. – arkascha May 18 '22 at 14:29
  • "But as of today, there is a consensus that the DNS system would have to be changed at a very basic level to accommodate no www in the address." Absolutely not. There is no such limitation. Many sites are operated in exactly that way. Mine is. – arkascha May 18 '22 at 14:30
  • It is however perfectly fine though to use a "www" host name if you prefer it. For example because it causes less trouble for you. Don't blame that on imagined technical limitations, though ;-) – arkascha May 18 '22 at 14:31