Redirect https traffic from old domain to new domain internally

We are in the process of moving from a .org address to a new .gov address. I have a WAF that handles all of the external redirects without an issue.

We set up the redirect internally, and that is working as expected for the http traffic. The https traffic is obviously not working correctly.

Do I simply need a certificate to redirect all of our internal https traffic to the new domain?

Why not? For me it's not so obvious to be honest.


I must have asked this incorrectly. We moved from to There is no longer a valid certificate for the domain. Our internet traffic works correctly, as the WAF handles the redirect. Do we just need a 2nd certificate for to work correctly for the https traffic on our internal network?

I can see a perfectly fine certificate issued 19 June for and on those sites?

You're not providing us with much information, I'm afraid to say. Please provide the exact steps which resulted in an error/warning/issue, and please also provide what the exact error/warning/issue was/is. If necessary, with screenshots.


When a user is connected to the VPN and they click on a link to they see the error message - Your connection isn't private. It will work fine if you are not connected to my VPN. If you type in your browser, it should automatically redirect you to

When they are connected to the VPN, if they type it will automatically redirect (per the rule I wrote in IIS) to

But if they type it causes the certificate error. Do I simply need a certificate for

You already have one covering and At least, from the public internet.

How VPN comes into play, I dunno, I cannot test that obviously.

It does not, your firewall is geoblocking me. Note that geoblocking is a common cause for failure to issue Let's Encrypt certificates when using the http-01 or tls-alpn-01 challenges.


@JamieB I don't see the same problem as you describe. But, as @Osiris noted, I can't test the VPN, but I am not geo-blocked (my server is in the US)

curl -I
HTTP/1.0 302 Redirect
Connection: Close

This works fine and uses the cert for this domain from Jun30
curl -I
HTTP/1.1 301 Moved Permanently
Content-Type: text/html
Content-length: 0
Connection: Close

curl -I
HTTP/1.1 200 OK
Set-Cookie: ASP.NET_SessionId=t0rfqgfxf3lmwvq1avxjaeud; path=/; HttpOnly; SameSite=Lax

Is there a link or how do I request a certificate via Let's Encrypt? It is working as expected outside of our office and I need to request a certificate so that I can do the redirect for the internal side of the https traffic. Thanks for the responses.


Do you host your outside content from a server within your site?


The server is local on our network.

Then I'm confused on how it provides different results.

  • outside users see one thing [correct]
  • inside users see another thing [incorrect]

The firewall is probably terminating the TLS connection, as I can see the geoblock error through a perfectly fine and secure TLS connection :wink:


Maybe this message will help. This is on a server within our network. If not, where do I request a certificate at?

You have a perfectly good cert issued just a few days ago for that domain (link here)

It looks like your server, when accessed internally, doesn't use it.

Instead, your request to is getting handled by a wildcard cert. Note the * in the error message. The only wildcard cert I see for that name is from GoDaddy, issued Jun13. Unless you got one just now from Let's Encrypt which hasn't shown in the logs yet.

Does your local DNS resolve to the correct server IP? What server is using the GoDaddy wildcard * cert? How do requests even end up there?
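The diagnosis above (the server reached through internal DNS presents a wildcard cert for some other name, so the browser fails the handshake before the IIS rule can ever send its 301) can be reproduced from the command line. The following is an added example written for this thread, not code posted by anyone in it: it connects to a chosen IP with SNI set to the old hostname, the way a VPN user's browser would after internal DNS resolution, lists the DNS names in the presented certificate, and applies browser-style name matching (including the wildcard rules that make `*.example.org` cover `www.example.org` but not `example.org`). The hostnames and the internal IP in `main` are constructed placeholders; substitute the real old hostname and the address your internal resolver returns.

```python
"""Probe which certificate a server presents for a hostname and whether it
actually covers that name.

Added example for this thread, not code from the original posts. The
hostnames and IP used in main() are constructed placeholders.

Why this matters for an HTTPS redirect: the TLS handshake completes before
the browser sends the HTTP request that the IIS rewrite rule would answer
with a 301. If the certificate presented for the OLD hostname does not
cover it, the browser stops at "Your connection isn't private" and the
redirect never runs. A valid cert for the old name is therefore required
on whatever server internal DNS points that name at.
"""
import socket
import ssl
import sys
from typing import Iterable, Optional


def hostname_matches(hostname: str, san_dns_names: Iterable[str]) -> bool:
    """Match a hostname against certificate DNS SANs the way browsers do
    (RFC 6125 / CA-Browser Forum rules, simplified):
      * exact, case-insensitive match, or
      * a wildcard that is the entire left-most label and stands in for
        exactly one label: '*.example.org' covers 'www.example.org' but
        neither the apex 'example.org' nor 'a.b.example.org'.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for san in san_dns_names:
        labels = san.lower().rstrip(".").split(".")
        if labels == host_labels:
            return True
        if (
            labels[0] == "*"
            and len(labels) >= 3                  # reject '*.org'-style names
            and len(labels) == len(host_labels)   # wildcard spans one label only
            and labels[1:] == host_labels[1:]
        ):
            return True
    return False


def probe(hostname: str, connect_to: Optional[str] = None, port: int = 443) -> dict:
    """Connect to `connect_to` (default: resolve `hostname` normally) with SNI
    set to `hostname`, and report the DNS SANs of the leaf certificate.

    connect_to=<internal IP> reproduces what a VPN user's resolver hands the
    browser, with no /etc/hosts edits. Chain validation stays on so that
    getpeercert() returns a parsed dict; hostname checking is off because a
    name mismatch is exactly what we want to observe, not abort on. A chain
    failure (private CA, expired cert) is returned as a result, not raised.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    target = connect_to or hostname
    try:
        with socket.create_connection((target, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "error": exc.verify_message, "names": [],
                "covers_hostname": False}
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {"ok": True, "error": None, "names": names,
            "covers_hostname": hostname_matches(hostname, names)}


def verdict(hostname: str, result: dict) -> str:
    """One-line interpretation of a probe() result."""
    if not result["ok"]:
        return f"{hostname}: chain did not validate ({result['error']})"
    if result["covers_hostname"]:
        return f"{hostname}: covered by presented cert {result['names']}"
    return (f"{hostname}: NOT covered; server presented a cert for {result['names']}"
            " - browser shows a certificate error before any redirect can happen")


if __name__ == "__main__":
    # Placeholders (constructed): python probe.py old.example.org 10.0.0.5
    host = sys.argv[1] if len(sys.argv) > 1 else "old.example.org"
    internal_ip = sys.argv[2] if len(sys.argv) > 2 else None
    print("public path :", verdict(host, probe(host)))
    if internal_ip:
        print("internal path:", verdict(host, probe(host, connect_to=internal_ip)))
```

Run it twice, once letting the hostname resolve publicly and once with the IP your internal DNS returns. If the two verdicts differ, the fix is on the internal server (bind the cert that covers the old name to that site, or fix the DNS record), not at the WAF.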


I agree. I am thinking I need one more certificate to handle the https traffic to The certificate it was using got moved to handle The guy that did that is out of the office, but I can get details on Wednesday, 7/5. But I am thinking if I can get a certificate from Let's Encrypt, then that would resolve the issue for me.
