Redirecting HTTPS naked domain to www, without a matching certificate on naked domain virtualhost

redirect nginx ssl-certificate

Our department's website uses the www subdomain, both internally and externally. When I joined, I noticed that a lot of users tried without the www, got an error, became confused or annoyed, until they tried with www or someone told them to. So, I added an internal DNS entry for the parent domain pointing to our web server (which didn't exist previously), and configured our web server to listen for both.

We were using self-signed certificates then. Recently, we got externally signed ones, but, in an oversight, only for *.parent.domain, not parent.domain. Thus, while the experience on www is generally smooth, when an unsuspecting user tries just https://parent.domain, they get an error. In terms of curl:

curl: (51) SSL: no alternative certificate subject name matches target host name 'parent.domain'

I added a redirect for HTTP requests, but the browser blocks further action for HTTPS, so the client never sees the redirect, but only a big, scary warning.

The certificates were obtained for three years, and I don't think I can justify a fresh expenditure just for this edge case. Is there anything I can do on the server-side to mitigate this?


Solution 1:

Depending who your SSL provider is they typically give you the root domain plus the www. This only works if you requested example.com, if they filled out the csr for www.example.com, they got www.www.example.com additionally, (test if your SSL works with www.www.example.com and you will know for sure).

You can always rekey, if you have issues using a new csr, contact your SSL provider and see if they will issue you a credit for the remaining term, you will however, be required to revoke the certificate before a credit is issued, causing an outage so plan for it.

Also, my *.example.com SSL covers example.com in the SAN.

I hope this helps.

Solution 2:

Redirection will happen AFTER the connection is established - therefore, without fixing the certificate, it can't be done. Why are users starting with HTTPS? Can't they just connect to non-SSL parent domain where the redirection will occur?

Related

What consequences to take from what i read in logfiles?
Ubuntu + Nginx: directory index of "/var/www/app/my-app/" is forbidden
How to cut of Windows 2012 Server to save the disk space?
Samba / smbd on Centos 6.5
Apache, virtual hosts, and default sender for sendmail
How do I understand the syntax of “He puts to good use things other people have thrown away”?
Starting a sentence with a past verb?
Origins of the phrase "for the time being"
When people say "some" and a number, like "some 50,000 people", is there any implication that the number is big or surprising?
Term for the arch supporting a gemstone
What does "He who sups with the devil should have a long spoon" mean? [closed]
Apostrophe s question [closed]