0

I bought a URL from GoDaddy that came with a free SSL certificate.

Installed it to Apache no problem (on CentOS) and it works great, until I try and set up a subdomain. The subdomains are pointing to the server it seems but they are hitting a HSTS error and being forced into HTTPS instead of allowing me to use HTTP until I get a wildcard certificate.

I cant find anything in my Apache config or .htaccess that is forcing SSL and another domain without SSL pointing at the same server and code base loads fine through both main url and sub domains.

Am I missing something very obvious to check in my configs or is it possible GoDaddy can force the traffic to be SSL protected before it even gets to me?

TomKDev
  • 11
  • 4
  • Did you consider to use letsencrypt to get free certificate? And without your apache config and `.htaccess` file we hardly can help you – Romeo Ninov Dec 05 '19 at 16:47

1 Answers1

1

HSTS headers force the user agent to use HTTPS for some length of time. And yes, the browser never attempts a HTTP connection, only HTTPS. You used a domain parking service, or some other web server that sent Strict-Transport-Security. Downgrading to HTTP is specifically what this does not allow.

Get TLS working correctly on your domain names. If you must use HTTP for a while, try a different browser. By design, HSTS is not easy to turn off.

John Mahowald
  • 32,050
  • 2
  • 19
  • 34