Wildcard SSL not working with www on subdomain


#1

Hello All,

I have a website using a multisite and sub domains with wildcard. I successfully installed and configured SSL to work on main domain and sub domains.

My issue is that when people go to www.mywebsite.com, all gets redirected to https://mywebsite.com. However, if someone goes to www.site1.mydomain.com, this brings up the security warning for certificate. It works no problem if someone types in https://site1.mywebsite.com and http://site1.mywebsite.com (goes to https version).

I guess I am just concerned that if someone uses the www on any sub domain, they will get the warning…

Is there anything I can do to redirect www for wildcards or enable SSL to work on WWW also?


#2

Wildcards only work for just one level. If you want certificates for a level “lower”, you’ll need to issue more certificates. It is not possible to get a certificate for www.*.example.com or for *.*.example.com unfortunately.


#3

Thanks for your reply.

Fair enough then. Is there any way to set up a redirect so people won't see that warning?


#4

Would this work?

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Match hosts of the form www.<something>.domain.com and capture
    # the part after "www." as %1
    RewriteCond %{HTTP_HOST} ^www\.([^.]+\.domain\.com)$ [NC]
    # 301-redirect to the same path on the captured host without "www."
    RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L,NE]
</IfModule>

#5

The solution above did not work. Still goes to a warning page. Most likely because of the wildcard sub domains.


#6

Hi @360webfirm

That can’t work. If someone types

https://www.subdomain.example.com

then the browser wants to create a secure connection, before your redirect rule is checked / executed.

The only thing you can (and should) do:

Don’t create DNS entries

www.subdomain.example.com

If there is no subdomain, the browser says:

Non-existent domain.

But this isn’t a certificate error.


#7

The only sub domain entry is the wildcard. *.mywebsite.com

Here is the actual domain so you can see what's happening.

https://businessdirectory.cc

If someone types www.ottawa.businessdirectory.cc, this gives a certificate warning.


#8

Yes, because there is a DNS entry:

D:\temp>nslookup www.ottawa.businessdirectory.cc.
Name: www.ottawa.businessdirectory.cc
Address: 158.69.236.208

So you have two options:

  • create a certificate with a lot of domain names: businessdirectory.cc *.businessdirectory.cc www.ottawa.businessdirectory.cc etc. - every subdomain added with www.city.businessdirectory.cc. But that may be terrible.
  • or remove these www DNS entries.

#9

This is a stupid question, but if I remove the DNS entry, can I do it once to cover all sub domains and how do I do this?


#10

If you removed all third-level entries (subdomain on a subdomain, e.g. www.ottawa.businessdirectory.cc), you could use a single wildcard certificate to cover all the subdomains (*.businessdirectory.cc).

However, those customers who visited the third-level entries would receive a “not_resolved” error… (Which might make things worse since they can’t even visit the website), you also need to correct all links / redirects and stop them from redirecting users to the removed entries…

If you want to use a wildcard certificate, you’ll need to use DNS validation, which means you’ll need to create two TXT records that are required by Let’s Encrypt… (the two records are generated when you request a wildcard certificate from Let’s Encrypt)

When you are using a wildcard certificate from Let’s Encrypt, please also keep in mind that the certificate will still be valid for 90 days only.

Thank you


#11

How do you manage your dns entries? Via provider, via cPanel or something else?

Perhaps share a screenshot.

There is already a wildcard certificate used - https://businessdirectory.cc/


#12

I am doing this on my Plesk server using Plesk Onyx
Version 17.8.11


#13

You have a wildcard subdomain

*.businessdirectory.cc

I don’t use Plesk. But it looks that this wildcard accepts

www.ottawa.businessdirectory.cc

and

ottawa.businessdirectory.cc

But using a wildcard certificate works only with ottawa.businessdirectory.cc, not with the www version.

So Plesk subdomain wildcards are “bigger” than wildcard certificates.

This is bad. Yep -

letsencrypt-test.www.ottawa.businessdirectory.cc

is resolved. Is there a Plesk-option to restrict wildcard subdomains, so only one level is supported?

Perhaps if you try to edit the *.businessdirectory.cc entry?


#14

What if this was on a cPanel environment? Is there anything I could do that would prevent this issue?

I wanted to say also thank you so much for all your help!

What would you do? I can move over to a different server if need be because I don't want to jeopardize my website or visitors.

I am building this directory to help people promote and advertise their business for free.


#15

I don’t know if there is a cPanel option. Perhaps ask there:

Checking montreal, quebec, new-york, berlin. Berlin is redirected, so it looks that you have a fixed list of US-cities.

Then you can create a fixed certificate with max. 100 domain names. A wildcard (2 names) and 98 cities (only www.cityname…).
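The two points made in this thread (#2: a certificate wildcard matches exactly one label, so *.businessdirectory.cc never covers www.ottawa.businessdirectory.cc; #15: a single certificate with the wildcard plus a fixed list of www.city names, within the 100-name limit mentioned above) as an added Python example that is not part of the original thread. The matching rule follows how browsers apply RFC 6125 wildcards; the host names are the ones from the thread, and the city list is constructed for the demonstration.

```python
# Added example: browser-style wildcard matching plus a SAN-list builder for the
# "wildcard + fixed list of www.city names" certificate discussed in the thread.
# Host names come from the thread; the city list below is constructed.

def wildcard_matches(pattern: str, host: str) -> bool:
    """True if certificate name `pattern` covers `host` the way browsers decide it.

    A wildcard must be the entire left-most label and matches exactly one label:
    '*.example.com' covers 'a.example.com' but neither 'example.com' nor
    'www.a.example.com'. Names like 'www.*.example.com' or '*.*.example.com'
    are rejected outright, which is why they cannot be issued or used.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Whole left-most label only, no further wildcards, at least two fixed labels.
    if p_labels[0] != "*" or "*" in ".".join(p_labels[1:]) or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels):
        return False  # '*' stands for one label, never for 'www.ottawa'
    return h_labels[1:] == p_labels[1:]


def covered_by(host: str, san_names) -> bool:
    """True if any Subject Alternative Name on the certificate covers `host`."""
    return any(wildcard_matches(name, host) for name in san_names)


def build_san_list(base: str, cities, limit: int = 100):
    """Names for one certificate: base, *.base, and www.<city>.<base> for each city.

    Raises ValueError if the list would exceed `limit` names per certificate.
    """
    names = [base, f"*.{base}"] + [f"www.{city}.{base}" for city in cities]
    if len(names) > limit:
        raise ValueError(f"{len(names)} names exceed the per-certificate limit of {limit}")
    return names


if __name__ == "__main__":
    wildcard_only = ["businessdirectory.cc", "*.businessdirectory.cc"]
    for host in ["ottawa.businessdirectory.cc", "www.ottawa.businessdirectory.cc"]:
        status = "covered" if covered_by(host, wildcard_only) else "NOT covered (SSL_ERROR_BAD_CERT_DOMAIN)"
        print(f"{host}: {status}")
    # Constructed city list: the fixed-list certificate that does cover the www names.
    print(build_san_list("businessdirectory.cc", ["ottawa", "montreal", "quebec"]))
```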


#16

Ok check this out. I am running a test in my cPanel.

https://testing.seawayhandyman.com/

https://seawayhandyman.com

https://www.testing.seawayhandyman.com/

https://www.seawayhandyman.com/

Any version you type goes to https://; if you add www, it gets redirected.

Does this all look correct? Or do you see any issues with this?


#17

I am not sure what you mean, Montreal and all rest still have issues when trying to access using www.


#18

isn’t redirected, first I have the certificate error

SSL_ERROR_BAD_CERT_DOMAIN

I’ve checked only the non-www version. montreal and the others have a 200 (no redirect), berlin was redirected to https://businessdirectory.cc/.

So it looks like you have a list of allowed cities.


#19

Yes I have a no blog redirect in place for cities that are not finished yet.

I don't know what to do as my eyes are sore from searching the web. It seems that www.*.domain.com is like two levels and is not covered by Let's Encrypt SSL. The main domain is covered by www.domain.com, but not my wildcard sub domains like www.ottawa.mydomain.com.

If I create a new certificate, can I include the www.* version? Would it work?


#20

Yes, you can create one certificate with a lot of different domain names.