10

I used to operate a website with an SSL certificate, but have stopped using the SSL certificate. The problem is that most of the external links to the website use the https:// prefix.

I have tried the https:// to http:// redirect in the .htaccess file:

RewriteEngine On

RewriteCond %{HTTPS} on
RewriteRule ^(.*)$ http://%{HTTP_HOST}%{REQUEST_URI}

But it seems, as has been pointed out elsewhere, that the server is trying to retrieve the certificate before activating the redirect. Hence, an error is shown before the redirect is ever accomplished. The error is either a warning that the certificate is expired, or if I delete the certificate signing request, then an error that SSL received a record that exceeded the maximum permissible length.

Is there any way to allow the incoming links to be redirected properly?

Eric Platon
  • 367
  • 2
  • 14
user981178
  • 445
  • 1
  • 3
  • 13
  • 1
    SSL is negotiated before any HTTP requests take place, as I think you have found out. I think you're going to have a problem getting this to work like you want, but I'm voting to migrate to ServerFault.com in case someone there has a better answer. – Michael Sep 16 '12 at 20:34
  • It does seem that this may be difficult achieve. It is a real bummer to lose the links built up around the internet, and worse, for visitors to think the site has been compromised or disappeared. –  Sep 16 '12 at 20:40
  • As the answers below have pointed out, you can't do the https -> http redirect without the correct cert. However, as the website owner, you can get a proper cert from somewhere like "let's encrypt". https://letsencrypt.org/getting-started/ – thebiggestlebowski May 04 '21 at 17:49

3 Answers3

19

The difference between http and https is that https requests are sent over an ssl-encrypted connection. The ssl-encrypted connection must be established between the browser and the server before the browser sends the http request.

Https requests are in fact http requests that are sent over an ssl encrypted connection. If the server rejects to establish an ssl encrypted connection then the browser will have no connection to send the request over. The browser and the server will have no way of talking to each other. The browser will not be able to send the url that it wants to access and the server will not be able to respond with a redirect to another url.

So this is not possible. If you want to respond to https links, then you need an ssl certificate.

sstendal
  • 306
  • 1
  • 3
5

No, if it were possible to redirect from https to http without a real certificate, it would be a major security flaw.

Consider a criminal somehow being able to make the bank secure server redirect to an insecure connection without needing a real https certificate for the site, it would allow the criminal to hijack the connection without the user knowing about it.

The only solution I can see is to get a cheap certificate and then do a normal redirect from the HTTPS site (which the user can't reach without a valid certificate) to the regular site for those external links.

Joachim Isaksson
  • 171
  • 4
  • Right, it is better this way. Too bad there is not some way to setup an approved override as the site owner. –  Sep 16 '12 at 20:47
-2

You should create in your .htaccess

ErrorDocument 500 http://anotherserer.com/errorPage.php
  • Thanks for the suggestion. Even with this in the .htaccess, it is not using the page I enter for the 500 error for this particular error. It seems that, perhaps, nothing in the .htaccess is being activated because of the initial error. –  Sep 16 '12 at 20:41