Multi-Site: Can we redirect example.com to SSL www.example.com

Multi-Sites are showing an insecure page if the end user types: example.com instead of http://www.example.com. Is there a way to force a redirect? I tried with .htaccess, but was unsuccessful.

    • forthgear
      • The Incredible Code Injector

      We are using subdomain directories for our users, unless they want to map their own domain over. We give them the option to purchase an SSL. The problem we are faced with is we would map the domain.com & http://www.domain.com to the SSL; however, we have used up all of our 100 SSLs with Let's Encrypt. With that said, we made a decision to eliminate one of the domain.com SSLs to cut the SSLs in half. We took out the domain.com; however, if the end user that types in the domain types: domain.com; Firefox and Safari present that warning that you are on an unsecure page. I have tried using .htaccess to force a redirect, but was unsuccessful. I was wondering if you guys know of a work-around to force the http://www.domain.com redirect? I hope all that makes sense. Oh, here is one of the sites on the multisite: healthynycvending.com

  • mbitcon
    • Problem solver

    If I am not mistaken, Let's Encrypt now also has a way to get wildcard SSL certificates - maybe that would solve your problem? You will need a valid certificate for domain.com as the redirect will always take place after connecting to domain.com and asking for the page content; when this is requested over an encrypted connection, it has to be a valid certificate in order to be trusted by the browser...
    You can also add another server config pointing to the same web root, then you can use up another 100 domains in a second certificate...

  • forthgear
    • The Incredible Code Injector

    Thank you for your response. Will you please explain or give us an example of the last sentence in your response?: add another server config pointing to the same web root, then you can use up another 100 domains in a second certificate...

  • Adam Czajczyk
    • Support Gorilla

    Hi forthgear

    Please note: you've posted on a Support Forum but the response above is from a WPMU DEV Member, not the support person. You can easily differentiate that by looking for a small "Staff" label in the top-right corner of the post. I'm saying that only to make sure that you're aware of which response is coming from whom :slight_smile:

    As for the issue itself. I've just visited the site that you shared as example: healthynycvending.com. I tried visiting it in Chrome and Firefox using these addresses:

    healthynycvending.com
    http://www.healthynycvending.com
    http://healthynycvending.com
    http://www.healthynycvending.com
    https://healthynycvending.com
    https://www.healthynycvending.com

    and in all cases I was taken to (redirected when required) https://www.healthynycvending.com, properly protected by a valid SSL certificate. That confirms that protection works there so am I missing something or did you manage to sort that out meanwhile?

    Best regards,
    Adam

    • forthgear
      • The Incredible Code Injector

      Hi Adam,

      Thank you for your response. We took that SSL healthynycvending.com off for testing purposes; however, the owner of the site saw that it was getting the not secured warning and we had to put it back. We are maxed out with SSLs now until we can figure out how to redirect a non-www to www.

      We have taken the option off for our clients until we get this resolved.

      Any help on this would be much appreciated.

  • mbitcon
    • Problem solver

    Hi forthgear

    What kind of hosting are you on? Do you have SSH access to the server and can you control the Apache or nginx config files? If so, you can just set up another virtual host config in Apache or nginx which can use a new certificate. If you request a new certificate and use that with the next virtual host entry (which can point to the same web root or redirect to any site you want) then there is no problem in using more than 100 DNS names with Let's Encrypt - btw that is also what I do on my own server...

    Adam Czajczyk : If you take a close look at his certificate, you see that he is using one certificate with a lot of alternative names, Let's Encrypt allows for 100 alternative names in one certificate, so you can use the same certificate for up to 100 sites, no matter whether you redirect them to one site or those are independent sites just using the same certificate...

    The 100 names quota is a per certificate limit, not a total limit as you can issue quite a few certificates per week. If you have a look at the docs page at Let's Encrypt (https://letsencrypt.org/docs/rate-limits/) you see that you could issue certificates for up to 5000 subdomains per week. So I guess there is still plenty of room for you :wink:

    Mike
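
Added example, not part of any post in this thread: a sketch of planning the split into several certificates so that each mapped domain keeps both its apex and www name on the same certificate, plus a check for names left uncovered. Function names and the `.example` domains are constructed for illustration.

```python
MAX_NAMES_PER_CERT = 100  # per-certificate name limit discussed in the thread


def name_pair(domain):
    """Return the apex and www names that must both appear on a certificate."""
    apex = domain.lower().strip().rstrip(".")
    if apex.startswith("www."):
        apex = apex[4:]
    return [apex, "www." + apex]


def plan_batches(domains, limit=MAX_NAMES_PER_CERT):
    """Group domains into certificates without splitting an apex/www pair."""
    if limit < 2:
        raise ValueError("a certificate must hold at least one apex/www pair")
    batches, current, seen = [], [], set()
    for domain in domains:
        pair = name_pair(domain)
        if pair[0] in seen:  # same site listed twice (with and without www)
            continue
        seen.add(pair[0])
        if len(current) + len(pair) > limit:
            batches.append(current)
            current = []
        current.extend(pair)
    if current:
        batches.append(current)
    return batches


def covers(san, host):
    """True if a certificate name matches host; '*' stands for one leftmost label."""
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == san[2:]
    return san == host


def uncovered(hosts, sans):
    """Hostnames reachable over https that no name on the certificate covers."""
    return [h for h in hosts if not any(covers(s, h) for s in sans)]


if __name__ == "__main__":
    mapped = [f"client{i}.example" for i in range(1, 76)]  # constructed: 75 domains
    for n, batch in enumerate(plan_batches(mapped), 1):
        print(f"certificate {n}: {len(batch)} names, starting at {batch[0]}")
    # The situation described in the thread: apex dropped to save a slot.
    print(uncovered(["domain.example", "www.domain.example"], ["www.domain.example"]))
```

Each batch is the name list for one certificate and one virtual host entry; any hostname reported by `uncovered` will trigger a browser warning before a redirect can run.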

  • Antoine
    • WPMU DEV Initiate

    Maybe I misunderstand your issue but I believe the best way to deal with this would be to deal with your DNS directly. Problem with htaccess and any redirection is that browsers will have *first* to reach your (unsecured) domain and whatever you try afterwards, if you https:// a non SSL domain, browsers will halt and warn.
    Also, in your choice of cutting volume in half (I can get it), I think you'd better unsecure the subdomain www.domain.com than the root domain.com.

    In short and FWIW,
    1. I'll keep the root domain as the secured one
    2. I'll set a CNAME entry in DNS as in www -> domain.com

    Details may vary depending on your configuration, but I believe you should definitely consider the DNS track.
    BR.
    A.

  • mbitcon
    • Problem solver

    Hi Antoine

    The DNS settings are only the first step. Forthgear is right in wanting to have a valid certificate for every version of his domains. If any version, no matter whether the www or the non-www version, is unsecured and you happen to have links to that version that were made as https links, you will get browser errors (remember this is not in your hands, anyone on the web can link to you however they think the "correct" address is.)
    So the best way is to have all domains secured and have redirects to the primary domain. This is also the correct way from an SEO point of view.

    • mbitcon
      • Problem solver

      Hi Antoine

      Actually there is no such thing as DNS Domain mapping. A DNS CNAME merely tells the asking web browser to resolve the CNAME to the same IP address as the given A Record. So if your domain is domain.com and has an A-Record of IP 1.2.3.4 and you create a CNAME of either http://www.domain.com or domain2.com pointing to domain.com, all that happens is that any asking device would now know that it also resolves to the same IP address of 1.2.3.4. Up to this point you are completely right that this process is absolutely independent of protocol - this works for both http or https or ftp or ssh or smtp or imap or whatever protocol you want to use.
      forthgear's problem begins when people use https to access any of his domains and he wants them to be redirected to a primary domain. He is using one certificate with 100 alternative names on it and that is the max Let's Encrypt allows on one certificate. The solution is to use more certificates and everything is well ... :slight_smile:

      Mike

      P.S.: And of course in the case of subdomains, you are completely right that the best thing to use would be a wildcard certificate... but he also uses different domains, not only subdomains so wildcard certificates only make the time until he needs a second certificate a bit longer...

  • Adam Czajczyk
    • Support Gorilla

    Hi guys!

    Antoine

    Wildcard - well, yes and no. As far as I understand, that's a sub-directory multisite so to protect the entire setup (main site and all its sub-sites) all you actually need is a regular single domain certificate.

    Wildcard would be needed if it was a sub-domain multisite as it covers the main domain and all its sub-domains.

    But that still doesn't solve the problem with mapped domains because wild-card is not about multiple domains but one domain and its sub-domains. Wildcard would cover "domain.com", "www.domain.com", "subsite.domain.com" and so on but not "otherdomain.com" and "mappeddomain.org".

    For these either a multi-domain certificate is needed or multiple certificates :slight_smile:

    mbitcon

    if you take a close look at his certificate, you see that he is using one certificate with a lot of alternative names,

    You're right, I didn't notice that at first, thank you! I also agree that in this scenario each and every domain and "domain version" should be protected with a valid cert.

    forthgear

    I think mbitcon is also right with one more thing and that sounds like the closest to a working solution:

    The 100 names quota is a per certificate limit, not a total limit as you can issue quite a few certificates per week. If you have a look at the docs page at Let's Encrypt (https://letsencrypt.org/docs/rate-limits/) you see that you could issue certificates for up to 5000 subdomains per week. So I guess there is still plenty of room for you

    What I would aim to do would basically be to keep the current setup as it is (maybe do small "shifts" to make sure that all the currently protected domains are with and without "www" there - so maybe one or two should be taken "out" of the current cert; just do some "cleaning" if necessary to "max out" current cert capacity) and then simply install the next certificate for the next set of domains.

    The question though would be whether you can actually do it. Obtaining the next certificate/more certificates shouldn't be an issue. You can get more certs from Let's Encrypt or you can buy certs from other providers so the last thing would be to install them. This is mostly a question to your hosting provider then if they allow this. SNI (Server Name Indication) would be a solution here, I think. I also believe it's already supported by your host - most hosts do support it now. In short, in most cases you simply add a certificate via some panel and that's pretty much it. Thanks to SNI the server will know which cert to use for which domain - even if they are all at the same IP and port and so on.

    I suppose then you might just need to talk to your host (or if it's some VPS/dedicated server or that kind of system) to whoever performs sys-admin tasks there and ask them about that. If you can install multiple certs for the same site (and with SNI that would be possible) there wouldn't really be much else to do than only getting another cert :slight_smile:

    Best regards,
    Adam

      • Adam Czajczyk
        • Support Gorilla

        mbitcon

        He wrote he is using "subdomain directories" multisite

        Yeah, he actually did, you're right again! I guess I might need better glasses or slow down a bit. Sorry about that!

        But despite that - yes, you're also right, the whole thing now seems to be about just "how to install additional cert" but that's something we can kind of "speculate about" but it basically depends on the server configuration :slight_smile:

        Best regards,
        Adam
