How to enable TLS on domain only, but not on subdomains


#1

I am running certbot on Debian 8 with nginx installed.

I enabled TLS for mydomain.com.

And it worked well.

But as soon as I did that, the browser somehow remembered it, and now it will only access my domain with https even when I try to access some subdomain like sub.mydomain.com.

Which is not TLS enabled and thus throws an ERR_CERT_COMMON_NAME_INVALID error.

Can I keep http only on my subdomains while still having https enabled on my main domain?

EDIT

I think I may have found the reason, which could be this setting I have:
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
Could you confirm that would be the reason? Also, can I safely remove it, and will my changes apply due to the max-age statement?


#2

It’s not possible due to the way SSL works.

If you want to avoid error screens, then:

  1. Issue a certificate for sub.mydomain.com as well as mydomain.com.
  2. Configure the nginx server block for sub.mydomain.com to redirect HTTPS requests to HTTP.

So essentially, to have no SSL successfully, you need SSL.

It’s also possible that you accidentally included HSTS headers with includeSubdomains, which is why your browser is trying to use HTTPS. In that case, remove includeSubdomains and clear your browser’s HSTS cache.


#3

Thanks for your answer. Please look at my edit and tell me what you think.


#4

Yes. Remove includeSubdomains.

You’ll also need to flush your browser’s HSTS cache. If any of your visitors already saw the HSTS header, then there’s nothing you can really do other than take my advice regarding having a certificate for the subdomain as well.
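To make the HSTS advice in #2 and #4 concrete, here is an added example (not code from any post in this thread) that models a browser's HSTS cache the way RFC 6797 describes it: one entry per host, replaced by each new `Strict-Transport-Security` header, with `includeSubDomains` extending the policy to every subdomain and `max-age=0` deleting the entry. The header values are the one from the question and the corrected one without the subdomain directive; the hostnames, timestamps and the simplified cache (no preload list) are assumptions for illustration. It also shows why `includeSubdomains` in the question's spelling still took effect: directive names are case-insensitive.

```python
"""Model of a browser's HSTS cache (RFC 6797), added for this thread.
Not code from the original posts; the cache is simplified (no preload list).
"""
import re

# Constructed sample header values: the questioner's original and the fix.
ORIGINAL_HEADER = "max-age=63072000; includeSubdomains"
FIXED_HEADER = "max-age=63072000"
CLEAR_HEADER = "max-age=0"


def parse_hsts(value):
    """Return (max_age_seconds, include_subdomains) or None if malformed.

    Directive names are case-insensitive (RFC 6797 section 6.1), so the
    non-canonical spelling 'includeSubdomains' is honoured by browsers.
    """
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsCache:
    """'Known HSTS host' store keyed by hostname: host -> (expires_at, include_subdomains)."""

    def __init__(self):
        self._entries = {}

    def process_response(self, host, header_value, now):
        """Apply an STS header received over HTTPS from `host` at time `now`."""
        parsed = parse_hsts(header_value)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            # max-age=0 makes the browser forget the host (RFC 6797 section 8.1).
            self._entries.pop(host, None)
        else:
            # A new header replaces the stored policy; it is not merged.
            self._entries[host] = (now + max_age, include_sub)

    def should_upgrade(self, host, now):
        """True if an http:// request to `host` would be rewritten to https://."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._entries.get(candidate)
            if entry is None:
                continue
            expires_at, include_sub = entry
            if now >= expires_at:
                continue  # expired policy no longer applies
            if candidate == host or include_sub:
                return True
        return False


def scenario():
    """Before the fix, after the fix, and a visitor who never comes back."""
    now = 1_000_000  # assumed clock value
    results = {}

    # Visitor A loads mydomain.com while the original header is served.
    a = HstsCache()
    a.process_response("mydomain.com", ORIGINAL_HEADER, now)
    results["sub_upgraded_before_fix"] = a.should_upgrade("sub.mydomain.com", now)

    # includeSubdomains is removed and visitor A loads mydomain.com again.
    a.process_response("mydomain.com", FIXED_HEADER, now + 60)
    results["main_upgraded_after_fix"] = a.should_upgrade("mydomain.com", now + 60)
    results["sub_upgraded_after_fix"] = a.should_upgrade("sub.mydomain.com", now + 60)

    # Visitor B saw the old header and never revisits mydomain.com: the stale
    # policy keeps forcing HTTPS on the subdomain until max-age runs out.
    b = HstsCache()
    b.process_response("mydomain.com", ORIGINAL_HEADER, now)
    results["stale_visitor_sub_upgraded"] = b.should_upgrade("sub.mydomain.com", now + 60)
    results["stale_visitor_after_expiry"] = b.should_upgrade("sub.mydomain.com", now + 63072000)

    # Serving max-age=0 clears the entry outright on the next visit.
    b.process_response("mydomain.com", CLEAR_HEADER, now + 120)
    results["cleared_by_max_age_zero"] = b.should_upgrade("mydomain.com", now + 120)
    return results


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The model matches the answers above: a returning visitor picks up the new policy as soon as the header without `includeSubdomains` is served, while a visitor who never returns keeps upgrading `sub.mydomain.com` for the full two years of `max-age=63072000`, which is why the subdomain still needs a valid certificate plus an HTTPS-to-HTTP redirect. One nginx caveat when editing the header: `add_header` directives are inherited from the enclosing level only if the current `server` or `location` block defines none of its own, so check every block that sets `Strict-Transport-Security`, not just the one found first.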


#5

That was it. Thanks for your fast and high quality answer :)
