Okay, I think I might know what is going on here.
I just went back to SSL Labs and checked again.
This time, I did even better than last time, and they gave me an A+.
Furthermore, below my grade and the green graphs, it even says this:
“HTTP Strict Transport Security (HSTS) with long duration deployed on this server.”
That leaves me a little confused, because it sounds as if my domain, www.billkochman.com, is already on somebody’s HSTS list, even though I never applied for it.
Is it possible that it just happened because I added that code to my httpd.conf template file in MAMP PRO?
But here is what I am thinking regarding the hstspreload.org site.
When I went there, I submitted the domain www.billkochman.com. That resulted in their tester sending me this error message:
Status: www.billkochman.com is not preloaded.
Eligibility: In order for www.billkochman.com to be eligible for preloading, the errors below must be resolved:
www.billkochman.com is a subdomain. Please preload billkochman.com instead. (Due to the size of the preload list and the behaviour of cookies across subdomains, we only accept automated preload list submissions of whole registered domains.)
However, when I submit billkochman.com instead, that is when it sends me the aforementioned “Invalid Certificate Chain” error and says that my domain uses an incomplete or invalid certificate chain.
This is leading me to believe that the problem may possibly lie in the fact that you only issued me a certificate for www.billkochman.com, and not for billkochman.com as well. Of course, I am just guessing here.
But if I am correct, does this mean that I need to run Certbot in the OS X Terminal again, and make a second request for just billkochman.com, without the www? Again, I am just working on a hunch here.
If any of the above is correct, MAMP PRO’s GUI offers the option to point to only one key file, one chain file, and one fullchain file.
If I do have to make a second request via Certbot for a certificate for billkochman.com, will both www.billkochman.com and billkochman.com be included in the new keys and certificates?
Oh, one other thing . . .
If HSTS is already enabled on my server, why does the SSL Labs report also say the following?
“HSTS Preloading Not in: Chrome Edge Firefox IE”
Sorry, but I am in my 60s, and a total newbie at all of this AMP and SSL stuff.
Thanks again for your assistance.
***** BIG UPDATE *****
Ha! Please disregard all of the above.
Not only do I now have certificates and a key for both www.billkochman.com and billkochman.com, but I also figured out the rest, so that my submission was accepted at https://hstspreload.org/.
I only encountered one problem there, because my httpd.conf redirect points to www.billkochman.com, and they didn’t like that, so I had to add another RedirectMatch so that it points to https://billkochman.com first, and then a second RedirectMatch to go from https://billkochman.com to https://www.billkochman.com.
Once I did that, I was good to go for the HSTS preload list.
However, the redirects are not working quite the way I want.
I already made the https version of www.billkochman.com my preferred destination at Google’s Search Console, but all redirects are now going to the billkochman.com https version instead.
Here is the code I am currently using:
# For HSTS preload list, we must redirect to https://billkochman.com first,
RedirectMatch 301 (.*) https://billkochman.com$1
RedirectMatch 301 (.*) https://www.billkochman.com$1
Can I somehow tweak that code so that I and my visitors end up at www.billkochman.com every time, instead of without the www?
As I said, I am very, very new to all of this stuff. I have made tremendous progress over the past two weeks, but I am still very far from being a pro at it. Basically, I am just puppeting what I see other folks do, or what I find in online docs.
Thanks again for your time. I really appreciate it.
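The two RedirectMatch lines above sit in the same scope, and mod_alias applies them in order, so the first `(.*)` matches every request and the second line never runs. The configuration below is an added example, not code from the original post: it gives each hostname its own virtual host and exactly one redirect hop, which is the shape hstspreload.org checks for (HTTP on the bare domain goes to HTTPS on the same host, and the HSTS header is served on the bare-domain HTTPS response, including its redirect). It assumes MAMP PRO's Apache with mod_headers loaded, ports 80/443, and a certificate covering both billkochman.com and www.billkochman.com.

```apache
# Added example, not from the original post. Assumes mod_headers is loaded,
# Apache listens on 80/443, and the certificate covers both hostnames.

# Step 1: plain HTTP on the bare domain must go to HTTPS on the SAME host.
<VirtualHost *:80>
    ServerName billkochman.com
    Redirect permanent / https://billkochman.com/
</VirtualHost>

# Plain HTTP on www can go straight to HTTPS www.
<VirtualHost *:80>
    ServerName www.billkochman.com
    Redirect permanent / https://www.billkochman.com/
</VirtualHost>

# Step 2: HTTPS on the bare domain sends the HSTS header, then hands off to www.
# The header has to be on this response too; the preload checker reads it from
# the bare-domain HTTPS reply even when that reply is a redirect.
<VirtualHost *:443>
    ServerName billkochman.com
    # ... existing SSLEngine / SSLCertificateFile / SSLCertificateKeyFile lines ...
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    Redirect permanent / https://www.billkochman.com/
</VirtualHost>

# Final destination: visitors and search engines end up on www, with HSTS set.
<VirtualHost *:443>
    ServerName www.billkochman.com
    # ... existing SSL lines ...
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</VirtualHost>
```

Each hostname now has a single redirect target, so a visitor who types billkochman.com takes two hops (HTTP bare, HTTPS bare, HTTPS www) while www visitors take at most one, and the www HTTPS site is the only place content is served.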