Mobile app version of vmapp.org
Login or Join
Hamaas447

: SSL/https breaking when using www Please don't close for being a duplicate, I have already tried the other answered questions and am still having issues. First, I know why the certification for

@Hamaas447

Posted in: #Htaccess #Https #NoWww

Please don't close for being a duplicate, I have already tried the other answered questions and am still having issues.

First, I know why the certification for the site breaks when using The cert is for just example.com not example.com, and adding www is technically a subdomain and therefore breaks the cert, causing browsers to do the whole 'bad/untrusted cert' thing.

My situation is that I have certs for just example.com, and sometimes Google indexes pages using example.com. This is obviously an issue because when people search for things on my site, it is rather annoying and bad press to encounter the 'bad cert' thing.

Is there any possible way to force https access and remove the www? I have tried using htaccess to do so, but am still running into the bad cert issue.

It should be noted that my current htaccess does what it needs to (force https/no www) when initially connecting via http. It only fails to do so when the initial connection is made with https and using www (presumably the browser is refusing the connection before htaccess has a chance to act).

Current htaccess:

RewriteEngine On
RewriteCond %{HTTP_HOST} ^(www.)(.+) [OR]
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^(www.)?(.+)
RewriteRule ^ %2%{REQUEST_URI} [R=301,L]


Alternatively, if there was a way to keep Google from indexing the pages with www, that would also be an acceptable workaround for me.

10.03% popularity Vote Up Vote Down


Login to follow query

More posts by @Hamaas447

3 Comments

Sorted by latest first Latest Oldest Best

 

@Goswami781

While it is a good idea to get the certificate for your www subdomain as well, you could try setting up a redirect at your nameserver level too. Almost all of the DNS solution providers have the feature to enable a name mask or a domain forwarding.

I am not sure whether it is also applicable at the http level, or if it works for requests at the HTTPS protocol, but it is worth a shot.

10% popularity Vote Up Vote Down


 

@Ann8826881

Browsers don’t further access the server when the certificate is not trusted/valid, so the .htaccess redirect can’t work (it should work as soon as the user adds the certificate as an exception).

The best solution is to get a certificate for the hostname with www, too. This does not only help for redirecting users to the correct hostname when following links from search results or bookmarks, it also helps those users that type your hostname with www (which is commonly done, even if it’s advertised without www), which might still happen long after search engines have removed the hostname with www from their indexes.

If that’s not possible, you can at least signal search engines that they should prefer the hostname without A 301 redirect is the best way here. If that’s not possible, the second best is the canonical link type. Of course both can only work for search engines that ignore the bad certificate (I guess most do).

You could also try to use the search engine’s webmaster tools to set the preferred hostname. For Google, see Set your preferred domain (www or non-www) (but I don’t know if this works for hosts without a trusted certificate).

In any case, you have to wait. After some time, the hostname with www should disappear from search results.

10% popularity Vote Up Vote Down


 

@Alves908

The "bad cert thing" is triggered by the browser during the SSL handshake. This is the very first thing that happens and occurs long before .htaccess or any of your server-side logic has a chance to do anything. As you suggest, "the browser is refusing the connection before htaccess has a chance to act".

So, if your SSL cert is only valid for the apex domain and Google has somehow indexed www.example.com/ or people follow links to www.example.com/ then the only thing you can do to resolve this immediate issue is to "fix" your cert.


a way to keep Google from indexing the pages with www


Bit of a puzzle why it should "keep" doing this, unless the HTTPS/www version is being linked to in various places? (Did you once use the www.example.com version, before using the SSL cert?)

With the properties verified in Google Search Console (GSC) you can at least set a preference between www and non-www.

10% popularity Vote Up Vote Down


Back to top | Use Dark Theme