We're using setup with an nginx on one machine and (currently) one application server on apache in the back.
For multiple domains we got ssl certs, but only for the domain itself. So without subdomain www. Everything works as expected, we do not use the https://www.domain.tld anywhere. But we have customers who are typing this in by hand, resulting in a warning in the browser on the clientside.
..and a new seo guy insisting on working www subdomain WITH ssl.
What am i looking for:
A creative solution which does not require new certificates for 20+ domains.
I already thought about getting certificates from let's encrypt for our www subdomain, then 301 to domain.tld.. but it's still in beta.
Any ideas ?
Best Answer
You cannot solve this without getting new SSL certificates. Redirection won't help, since the SSL certificate is getting checked before the actual HTTP session starts. ETA So you need new certificates, either wildcard ones or ones with Subject Alternate Names (SAN), which are valid for a list of DNS names instead of just one. EOE
If it had been possible to do the redirect without SSL certificate errors, that would make it possible to set up fake redirects for e.g. misspelled banking sites to a scammer - so the fact that you can't do this is expected and proper behaviour from a security standpoint.