0

I have a problem with a site that I'm working on. There are a few sites located in the same environment. The server uses one SSL certificate that protects these domains like such: domain1.com, www.domain1.com and www.domain2.com.

The SSL certificate does not protect domain2.com without the www subdomain.

The problem is that (specifically on mobile) domain2.com is not being protected. If we visit www.domain2.com, it is protected.

Why are the following conditions not working on mobile to redirect the site to the www version before the warning is thrown that the site is not secure?

# Redirect Non-WWW to WWW
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.\*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]

# Force SSL on entire site
RewriteEngine On
RewriteBase /
RewriteCond %{ENV:HTTPS} !on [NC]
RewriteRule ^(.\*)$ https://%{HTTP_HOST}/$1 [R,L]

These are the first rules in the .htaccess file before WordPress is loaded.

Nathan
  • 1
  • 1
  • Maybe answered here: https://stackoverflow.com/questions/1100343/apache-redirect-from-non-www-to-www – Onki Hara May 18 '22 at 20:20
  • @OnkiHara, Unfortunately, this is some type of shared hosting environment and I don't have access to the Apache server config. Otherwise I would've done that. – Nathan May 18 '22 at 20:37
  • If you don't have the cert you can't resolve the request. The browser attempts the handshake then the mapping. Since the handshake cant occur you get the notice. Sounds like `domain2.com` is not a wildcard cert but domain1 has wildcard cert – user3783243 May 18 '22 at 20:37
  • `SSL certificate that protects` what does “protects” mean here? – AD7six May 18 '22 at 20:52
  • Here’s one solution, tha does not involve your shared host handling that at all https://community.cloudflare.com/t/redirecting-one-domain-to-another/81960 – AD7six May 18 '22 at 20:57
  • "specifically on mobile" - It should be _all_ modern browsers, both desktop _and_ mobile. Unless, you have at some point "accepted" an invalid cert on the desktop browser? – MrWhite May 18 '22 at 22:39

1 Answers1

1

Based on browser security settings including non-mobile, the warning is shown before http request is sent, to prevent exposing information over non-secure connection, that is the reason why modrewrite won't solve this, simply because it's not even invoked. You should include your "domain2.com" as alternative name in your SSL certificate.

Kazz
  • 1,030
  • 8
  • 16