I'm trying to prepare for the upcoming Chrome "Non Secure display" v56 release.

I run a website service: example.com

I give each customer a subdomain off the service: cust1.example.com, cust2.example.com, etc.

Years ago I configured the service to accept www.cust1.example.com, www.cust2.example.com, etc. Primarily because customers always added the "www" to the front of everything. I wanted to make sure they got their site and not an "invalid domain" message.

I purchased a wildcard SSL certificate *.example.com to cover customer sites. Obviously this does not work for www.cust1.example.com, etc. Most of my customers have not used HTTPS so this has not been a problem.

With the modern browsers forcing https now it is becoming a problem.

I have tried using mod_rewrite to fix the problem.

```apache
RewriteCond %{HTTP_HOST} ^www\.([^\.]+)\.example\.com$ [NC]
RewriteCond %{SERVER_PORT} =443
RewriteRule ^(.*)$ https://%1.example.com/$1 [R=302,E=nocache:1,L]
```

Note: I'm using 302 while I test a solution so I don't accidentally push a redirect into the browser's cache and can never change it again.

The problem is when you start with HTTPS in the browser, the redirect provided back from the server still triggers the ERR_CERT_COMMON_NAME_INVALID error before it can redirect to remove the "www" and get to a page with a valid certificate.

How can I remove the "www" prefix on HTTPS traffic without triggering the browser's Not Secure response?

MrWhite
Mike K
  • You get more certificates. – Michael Hampton Jan 24 '17 at 23:03
  • "the redirect provided back from the server still triggers..." - You get the browser warning during the initial SSL handshake, long before any "redirect" response from the server. – MrWhite Jan 24 '17 at 23:17
  • I can't get more certificates. I have thousands of customers. I can't get a certificate for each just to handle "www" – Mike K Jan 25 '17 at 01:10
  • Then you are in bad shape. You must have a valid certificate for the `www.` domain in order to do the redirect, that is simply the way SSL works and there is no way around it. – Tero Kilkanen Jan 25 '17 at 04:37

1 Answer

This will redirect www.example.com to https://example.com

```apache
RewriteEngine On
RewriteCond %{HTTPS} =on
RewriteCond %{HTTP_HOST} ^www\.
RewriteRule ^(.*)$ https://example.com/$1 [R,QSA,L]
```
  • Thank you. I've got the redirect part already. The problem with the redirect, as noted in the original question, is the SSL piece. How do you avoid the SSL warning while doing the redirect? – Mike K Jan 25 '17 at 14:15
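
The name check discussed in this thread, as an added example that is not part of any post above: a simplified version of the wildcard matching a browser performs during the TLS handshake, run over the hostnames from the question to show which ones fail before any rewrite rule can respond. The function names, the host list and the assumption that the certificate carries only `*.example.com` are constructed for illustration; internationalized names and partial-label wildcards are not handled.

```python
# Added example: simplified RFC 6125-style hostname matching.
# The check happens in the TLS handshake, so a failing name produces the
# certificate error before the server can send any HTTP redirect.

def matches(pattern: str, hostname: str) -> bool:
    """True if one certificate name (a SAN dNSName) covers the hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard stands in for exactly one label, so label counts must agree.
    if len(p_labels) != len(h_labels):
        return False
    # Everything to the right of the leftmost label must match literally;
    # this also rejects a "*" anywhere except the leftmost position.
    if p_labels[1:] != h_labels[1:]:
        return False
    if p_labels[0] == "*":
        return bool(h_labels[0])
    return p_labels[0] == h_labels[0]


def covered(hostname: str, cert_names: list[str]) -> bool:
    """True if any name on the certificate covers the hostname."""
    return any(matches(name, hostname) for name in cert_names)


def handshake_failures(hostnames: list[str], cert_names: list[str]) -> list[str]:
    """Hostnames that would fail name validation against this certificate."""
    return [h for h in hostnames if not covered(h, cert_names)]


# Constructed sample data mirroring the setup described in the question.
CERT_NAMES = ["*.example.com"]  # assumption: the wildcard is the only name
SERVED_HOSTS = [
    "cust1.example.com",
    "cust2.example.com",
    "www.cust1.example.com",
    "WWW.cust2.example.com",
    "example.com",
]

if __name__ == "__main__":
    for host in SERVED_HOSTS:
        status = "ok" if covered(host, CERT_NAMES) else "name mismatch"
        print(f"{host:28} {status}")
```

Running the same check over the full list of hostnames the server answers for shows how many names sit outside the certificate's coverage.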