How to avoid SSL warnings about certificate not for the current site when redirecting alternate domains?
Cloudflare is a free solution for redirecting your alternate domains with HTTPS support. Here are detailed instructions for setting it up:
- Visit Cloudflare
- Create an account and verify your email address
- Use the "add a site" feature to add your alternate domain under their free plan. If you are creating an account, it should ask you to do this as a step of the account creation process.
- Set up your DNS at Cloudflare
- Cloudflare will import your DNS from your current web host
- Keep all TXT, SOA, and MX records as well as any subdomains that you don't want cloudflare to redirect.
- Ensure that records you do want cloudflare to redirect are "Proxied". Click on the icon in the "Proxy status" column to change whether or not they are proxied. Proxied records will be handled by Cloudflare's web servers.
- Since we will later add a redirect rule, the IP address you enter for proxied A records doesn't actually matter, no traffic will ever go to it.
- Make sure you have a proxed
A
record for the domain apex (@
) - I also have a wildcard subdomain proxied
A
record (*
) so that all subdomains (includingwww
) get redirected.
- Go to your DNS registrar and update your nameserver (NS) records to be the values that Cloudflare gives you.
- Cloudflare will try to verify these for you. Don't worry if that doesn't work right away, the verification could take a few hours and Cloudflare will retry it for you.
- Go to "Page Rules" and add the following rule to do the redirect.
-
URL matches:
*example.com/*
Where you use your alternate domain in place ofexample.com
. The first*
is a wildcard that matches any subdomain. The second*
is a wildcard that matches any path. This single rule should match every request to the domain and its wildcard subdomains. -
Pick a setting:
Forwarding URL
-
Select status code:
301 - Permanent Redirect
-
Enter destination URL:
https://example.org/$2
where you use your main domain in place ofexample.org
. The$2
is the URL path captured from the second glob of the URL match. Without$2
, all the requests for deep pages would redirect to the home page. This rule strips the subdomains. If desired you could usehttps://$1example.org/$2
to preserve the captured subdomain as well. - Save the page rule.
-
URL matches:
It could take hours for everything to start working.
- Your new NS records need to propagate through DNS. This should take a couple hours, but worst case could take a few days.
- Cloudflare need to update their servers with your rules. This should take a few minutes.
- Cloudflare needs to create a SSL certificate for your HTTPS requests. This should take a couple hours.
If you are impatient to test things, you can start testing on the command line.
- See if your NS records have updated:
dig NS example.com
where you use your alternate domain in place ofexample.com
. Look for the cloudflare NS records. - See what server Cloudflare is using for your site:
dig @xx.ns.cloudflare.com example.com
where you use one of the actual NS records that Cloudflare gave you instead ofxx
and again your alternate domain. Look for anA
record with an IP address that you can use see if the redirects are working on Cloudflare's servers. - See if Cloudflare is serving redirects:
curl --resolve example.com:80:X.X.X.X --head http://example.com/
whereX.X.X.X
is one of the IP addresses from the previous step and you use your alternate domain in place ofexample.com
. Look for aLocation:
header with the redirect destination. You can repeat this step with other URLs such ashttp://www.example.com/
,http://foo.example.com/
,http://example.com/path
andhttps://example.com/
. Keep in mind it may take a couple hours for the HTTPS redirects to start working.
Cloudflare lets you add many additional alternate domains to your Cloudflare account and set them up the same way. Each of your alternate domains can use its own free plan.
Stephen Ostermiller
Updated on September 18, 2022Comments
-
Stephen Ostermiller over 1 year
I have multiple domains forward issue. Domains with plurals and singular e.g.:
- example.com,
- examples.com,
- example.biz,
- examples.biz
I forwarded all of them to
https://examples.com
andhttps://www.examples.com
but ran into web browser warnings about someone could intercept communications as the SSL cert issued is not for the current website I visited. I have SSL cert forhttps://examples.com
andhttps://www.examples.com
What is the best solution for this?
-
Admin about 6 yearsGet a multi-domain SSL certificate for the IP address performing the redirects. Each domain variation should be included in the SAN.
-
Stephen Ostermiller about 6 yearsWhen you say "check your SSL certificates" what should they check for? It sounds to me like they need 3 additional domains added to their certificate with 3 additional
www
variants. How should they do that? -
Theodor_D. about 6 years@StephenOstermiller well, you are right, i was meaning URL redirect but still if you/he do/does a Google search with the term "DNS redirect" you get results about URL redirect. So, when developers say "Do a DNS redirect they mean do a URL redirect by adding the IP in which you want to get redirected to". Syntactically your comment is right. But still the meaning is exactly the same. As for the SSL's. They have to check for which domain name they have purchased the SSL for and use it for that domain. Or simply add 3 additional "www" as you say, if their SSL service provider offer this..
-
Theodor_D. about 6 yearsand what for exactly you gave me a minus for my reply?? isn't this a reply which explains to a new user what he has to do to solve his problem??
-
Stephen Ostermiller about 6 yearsI left two comments explaining my down vote. I think their problem is mostly that their security certificate doesn't cover the alternate domain names. You should edit your question to remove the domain redirect and add more about expanding certificates