
We're using a setup with nginx on one machine and (currently) one application server running Apache behind it.

For multiple domains we got SSL certs, but only for the domain itself, i.e. without the www. subdomain. Everything works as expected; we do not use https://www.domain.tld anywhere. But we have customers who type this in by hand, which results in a warning in the browser on the client side... and a new SEO guy insisting on a working www subdomain WITH SSL.

What I am looking for: a creative solution which does not require new certificates for 20+ domains.

I already thought about getting certificates from Let's Encrypt for our www subdomains, then 301 to domain.tld... but it's still in beta.

Any ideas?

j.fiedler

2 Answers


You cannot solve this without getting new SSL certificates. Redirection won't help, since the SSL certificate is checked before the actual HTTP session starts. ETA: So you need new certificates, either wildcard ones or ones with Subject Alternative Names (SAN), which are valid for a list of DNS names instead of just one. EOE

If it had been possible to do the redirect without SSL certificate errors, that would make it possible to set up fake redirects for e.g. misspelled banking sites to a scammer - so the fact that you can't do this is expected and proper behaviour from a security standpoint.

Jenny D
  • Upvoting, because it is correct, but I wanted to add that some certificate vendors - like GoDaddy - allow you up to 4 SANs (Subject Alternative Names) at no extra cost. Switching to a wildcard certificate is a lot more expensive. Issuing a new certificate with a CN of domain.tld and adding a SAN of www.domain.tld is your best solution. – KeyszerS Dec 30 '15 at 14:21
  • Thanks @KeyszerS - I edited the answer to include that info as well. There are vendors that allow a lot more than 4 SANs, as well, though usually not the cheaper vendors. – Jenny D Dec 30 '15 at 14:25
  • Thanks @JennyD for your input. We have a single certificate running with 19 SANs, but unfortunately there is a limit on SAN entries at most vendors. So it is with our current one: no more space for all the www. entries. – j.fiedler Jan 05 '16 at 07:54
  • @j.fiedler I understand the issue... In your case, I'd suggest getting a second certificate with 19 SANs, possibly setting it up on a second IP. Then you could have a single mod_rewrite config that redirects to the non-www hostname, which would work for all the 19 domains. – Jenny D Jan 05 '16 at 08:19
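The reason the redirect idea fails, and what the replacement certificate has to contain, can be checked mechanically. The following is an added example (not code from the question or the answers above): it implements the DNS name matching a browser performs on the certificate before it sends any HTTP request (the RFC 6125 / RFC 9525 rules, wildcard only as the whole leftmost label, matching exactly one label), builds the SAN list and OpenSSL `[alt_names]` section for a domain list, and shows that a wildcard `*.domain.tld` covers www.domain.tld but not the bare domain. The domain names and the `DOMAINS` list are constructed placeholders.

```python
"""Certificate name matching vs. HTTP redirects.

Added example, not code from the original thread. Domain names are
constructed placeholders standing in for the asker's 20+ domains.
"""
import re

# One DNS label: letters, digits, hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def _labels(name):
    """Split a hostname into lower-cased labels, or None if malformed."""
    labels = name.lower().rstrip(".").split(".")
    if not labels or not all(_LABEL.match(label) for label in labels):
        return None
    return labels


def name_matches(cert_name, hostname):
    """Does one DNS-ID from the certificate cover `hostname`?

    This check happens during the TLS handshake, so a 301 configured on
    the web server is never reached when it fails. A wildcard is only
    honoured as the complete leftmost label and matches exactly one
    label: '*.example.com' covers 'www.example.com' but neither
    'example.com' nor 'a.b.example.com'. A wildcard directly under a
    TLD ('*.com') is rejected, as browsers do.
    """
    host = _labels(hostname)
    if host is None:
        return False
    cert = cert_name.lower().rstrip(".").split(".")
    if cert[0] == "*":
        tail = cert[1:]
        if len(tail) < 2 or not all(_LABEL.match(label) for label in tail):
            return False
        return len(host) == len(cert) and host[1:] == tail
    return _labels(cert_name) is not None and host == cert


def cert_covers(cert_names, hostname):
    """True if any name in the certificate's CN/SAN list matches."""
    return any(name_matches(n, hostname) for n in cert_names)


def san_names(domains):
    """Names a replacement certificate needs so both forms are served."""
    out = []
    for domain in domains:
        domain = domain.lower().rstrip(".")
        for name in (domain, "www." + domain):
            if name not in out:
                out.append(name)
    return out


def openssl_alt_names(names):
    """Render the [alt_names] section for an OpenSSL CSR config file."""
    lines = ["[alt_names]"]
    for i, name in enumerate(names, start=1):
        lines.append(f"DNS.{i} = {name}")
    return "\n".join(lines)


# Constructed domain list; the asker's current cert carries bare names only.
DOMAINS = ["example.com", "example.org", "example.net"]
CURRENT_CERT = list(DOMAINS)

if __name__ == "__main__":
    for host in ("example.com", "www.example.com"):
        print(f"{host}: covered={cert_covers(CURRENT_CERT, host)}")
    print(f"*.example.com covers bare name: "
          f"{name_matches('*.example.com', 'example.com')}")
    print(openssl_alt_names(san_names(DOMAINS)))
```

Two practical consequences follow from the matching rules: a wildcard certificate for `*.domain.tld` does not cover `domain.tld` itself, so a wildcard alone would not replace the existing certificates, and the SAN list above is what a CSR for the "second certificate" from the last comment has to carry. On the nginx front end the redirect for all www names can then live in one `server` block using a regex `server_name` with a named capture (`server_name ~^www\.(?<bare>.+)$; return 301 https://$bare$request_uri;`) that loads the new certificate, which is the nginx counterpart of the single mod_rewrite rule the comment describes.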

Problem: You have an issue-type CAA record indicating that example.com is the certified domain.

Solution: Add an issuewild-type CAA record with the exact same information as your other CAA record. This will match any sub-domain, www.example.com, www2.example.com, etc.
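How a CA evaluates those records before issuing, as an added example (not part of the answer above): it implements the RFC 8659 relevant-RRset search (walk from the requested name up to the closest ancestor that has CAA records) and the selection between `issue` and `issuewild` properties (section 4.2/4.3), so a given record set can be checked against a bare name, a www name and a wildcard name before the certificate request goes out. The `ZONE` dictionary and the CA names in it are constructed stand-ins for DNS lookups; the critical flag and CNAME handling are left out.

```python
"""CAA evaluation for bare, www and wildcard names.

Added example, not code from the original answer. `ZONE` is a
constructed dict standing in for DNS; it maps a domain name to its
CAA records as (tag, value) tuples.
"""


def relevant_caa(zone, name):
    """Return the CAA RRset governing `name`, or [] if none exists.

    RFC 8659 section 3: use the records of the name itself, otherwise
    the closest ancestor that has any. A wildcard request
    '*.example.com' starts the search at 'example.com'.
    """
    labels = name.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def _issuer(value):
    """Issuer domain name from an issue/issuewild value ('ca.example; x=y')."""
    return value.split(";", 1)[0].strip().lower()


def issuance_permitted(zone, name, ca):
    """Would the CA named `ca` be allowed to issue for `name`?

    - For a wildcard name, issuewild properties are used if any exist;
      otherwise issue properties apply.
    - For a non-wildcard name (including www.*), issuewild properties
      are ignored and only issue properties apply.
    - A relevant set without any applicable restricting property (for
      example only iodef), or no CAA at all, permits issuance.
    - 'issue ";"' names no issuer and therefore forbids everyone.
    """
    rrset = relevant_caa(zone, name)
    wildcard = name.startswith("*.")
    if wildcard and any(tag == "issuewild" for tag, _ in rrset):
        selected = [value for tag, value in rrset if tag == "issuewild"]
    else:
        selected = [value for tag, value in rrset if tag == "issue"]
    if not selected:
        return True
    return any(_issuer(value) == ca.lower() for value in selected)


# Constructed zone data.
ZONE = {
    "example.com": [("issue", "ca.example"),
                    ("iodef", "mailto:security@example.com")],
    "locked.example.com": [("issue", ";")],
    "example.org": [("issue", "ca.example"), ("issuewild", "wild.ca")],
}

if __name__ == "__main__":
    for host in ("example.com", "www.example.com", "*.example.com",
                 "www.example.org", "*.example.org", "locked.example.com"):
        print(f"{host:20} ca.example={issuance_permitted(ZONE, host, 'ca.example')}"
              f" wild.ca={issuance_permitted(ZONE, host, 'wild.ca')}")
```

Running it over a copy of your own zone's records is a quick way to confirm, per hostname, which property will actually be consulted for the names the new certificate has to cover.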