Redirecting HTTPS naked domain to www, without a matching certificate on naked domain virtualhost

Our department's website uses the www subdomain, both internally and externally. When I joined, I noticed that a lot of users tried without the www, got an error, became confused or annoyed, until they tried with www or someone told them to. So, I added an internal DNS entry for the parent domain pointing to our web server (which didn't exist previously), and configured our web server to listen for both.

We were using self-signed certificates then. Recently, we got externally signed ones, but, in an oversight, only for *.parent.domain, not parent.domain. Thus, while the experience on www is generally smooth, when an unsuspecting user tries just https://parent.domain, they get an error. In terms of curl:

curl: (51) SSL: no alternative certificate subject name matches target host name 'parent.domain'

I added a redirect for HTTP requests, but the browser blocks further action for HTTPS, so the client never sees the redirect, but only a big, scary warning.

The certificates were obtained for three years, and I don't think I can justify a fresh expenditure just for this edge case. Is there anything I can do on the server-side to mitigate this?


Solution 1:

Depending on who your SSL provider is, they typically give you the root domain plus the www. This only works if you requested example.com; if they filled out the CSR for www.example.com, they got www.www.example.com additionally (test if your SSL works with www.www.example.com and you will know for sure).

You can always rekey. If you have issues using a new CSR, contact your SSL provider and see if they will issue you a credit for the remaining term; you will, however, be required to revoke the certificate before a credit is issued, causing an outage, so plan for it.

Also, my *.example.com SSL covers example.com in the SAN.

I hope this helps.

Solution 2:

Redirection will happen AFTER the connection is established - therefore, without fixing the certificate, it can't be done. Why are users starting with HTTPS? Can't they just connect to non-SSL parent domain where the redirection will occur?
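Both answers come down to what names the certificate's SAN list actually covers, which can be checked before spending money on a rekey. The script below is an added example written for this thread, not code from either answerer: it implements the wildcard matching rule browsers and curl apply (a `*` stands for exactly one label, so `*.parent.domain` never covers the apex), reads the DNS SAN entries off a live server, and walks the constructed SAN lists that mirror the asker's certificate and Solution 1's certificate. The hostnames `parent.domain` and `example.com` are the placeholders used in the thread.

```python
import socket
import ssl


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname the way browsers
    and curl do (RFC 6125 rules): a wildcard stands for exactly one
    label, so '*.parent.domain' covers 'www.parent.domain' but neither
    the apex 'parent.domain' nor 'www.www.parent.domain'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".parent.domain"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]       # the part the '*' stands for
    return bool(leftmost) and "." not in leftmost


def coverage(san_names, hostnames):
    """Map each hostname to whether any SAN entry covers it."""
    return {h: any(hostname_matches(p, h) for p in san_names) for h in hostnames}


def fetch_san_names(host, port=443):
    """Pull the DNS SAN entries off a live server's certificate.
    Hostname checking is switched off so the apex can be inspected even
    though its name does not match; the chain itself is still verified."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed SAN lists mirroring the two situations in the thread.
WILDCARD_ONLY = ["*.parent.domain"]                    # the asker's certificate
WILDCARD_PLUS_APEX = ["*.example.com", "example.com"]  # Solution 1's certificate
NAMES = ["parent.domain", "www.parent.domain", "www.www.parent.domain"]

if __name__ == "__main__":
    for name, ok in coverage(WILDCARD_ONLY, NAMES).items():
        print(f"{name:28} {'covered' if ok else 'NOT covered'}")
```

Against a real host, `coverage(fetch_san_names("www.parent.domain"), NAMES)` shows whether the apex is listed; if it is not, the TLS handshake fails before any redirect can be sent, exactly as Solution 2 describes.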