SSL certificates for domain without www


Host name verification is a client-side mechanism (as described in the HTTPS specification, RFC 2818, Section 3.1). The client will check that the certificate is valid for the host name it has requested before any HTTP traffic happens (in particular, before any redirection). Apache redirections or DNS changes won't be of any use.

You simply need the web server to present a certificate that is valid for the requested host name.

Some certificates can be valid for multiple host names, by having multiple Subject Alternative Name (SAN) DNS entries, e.g. domain.com and www.domain.com. Some CAs do this by default, some do it for an extra fee.

(Wildcard certificates can also be used to handle multiple host names provided they follow the right pattern such as *.domain.com. Unfortunately, domain.com isn't matched by *.domain.com because the dot is part of the pattern. Some wildcard certs will have both a SAN for domain.com and *.domain.com, in which case it's the SAN mechanism that will be used for domain.com, nothing to do with the wildcard.)

You could also use Server Name Indication (SNI) and have an additional, different certificate on that host for domain.com (next to the one for www.domain.com). Unfortunately, it's not supported by certain clients (possibly old, but they still exist), and it would certainly be pointless, since most CAs issuing a cert for domain.com would certainly include www.domain.com automatically in another SAN anyway.

Either way, if you want to be able to serve https://domain.com at all (even if it's just for a redirection), you'll have to get a new certificate valid for it (at least).
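As an added illustration (not part of the answer above, and not taken from any real certificate), the following Python implements the client-side name check the answer describes. The matching rules follow RFC 6125 section 6.4.3, which supersedes the matching text in RFC 2818 section 3.1; the SAN lists are constructed sample data standing in for the certificates discussed, and the function names are my own. It shows why `*.domain.com` does not cover `domain.com`, and why a cert carrying both `domain.com` and `*.domain.com` covers the apex through the plain SAN entry rather than the wildcard.

```python
# Hostname verification against a certificate's Subject Alternative Name (SAN)
# dNSName entries, following RFC 6125 section 6.4.3. Added example: the SAN
# lists below are constructed sample data, not taken from any real certificate.

def san_entry_matches(presented: str, hostname: str) -> bool:
    """Match one presented identifier (a SAN dNSName, possibly starting with
    '*.') against the host name the client requested.

    Rules applied:
      * comparison is case-insensitive and trailing dots are ignored;
      * a wildcard is only honoured as the entire left-most label, so
        '*.domain.com' matches 'www.domain.com' but neither 'domain.com'
        (too few labels) nor 'a.b.domain.com' (the '*' covers one label only);
      * a wildcard in a name with fewer than three labels ('*.com') is rejected
        so a single cert can never be valid for a whole top-level domain.
    """
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not hostname or "" in hostname.split("."):
        return False
    if not presented.startswith("*."):
        return presented == hostname
    p_labels = presented.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    # Every label to the right of the wildcard must match exactly.
    return p_labels[1:] == h_labels[1:]


def matching_san(san_dns_names, hostname):
    """Return the SAN entry that makes the certificate valid for `hostname`,
    or None if no entry matches. None is the condition under which a browser
    aborts the TLS handshake, before any HTTP request (or redirect) is sent."""
    for name in san_dns_names:
        if san_entry_matches(name, hostname):
            return name
    return None


def is_valid_for(san_dns_names, hostname) -> bool:
    return matching_san(san_dns_names, hostname) is not None


# Constructed SAN lists standing in for the certificates discussed above.
CERT_WWW_ONLY = ["www.domain.com"]                        # the asker's current cert
CERT_BOTH_SANS = ["domain.com", "www.domain.com"]         # cert with both SANs
CERT_WILDCARD_ONLY = ["*.domain.com"]                     # bare wildcard cert
CERT_WILDCARD_PLUS_APEX = ["domain.com", "*.domain.com"]  # typical wildcard cert

if __name__ == "__main__":
    certs = {
        "www-only": CERT_WWW_ONLY,
        "both SANs": CERT_BOTH_SANS,
        "wildcard only": CERT_WILDCARD_ONLY,
        "wildcard + apex SAN": CERT_WILDCARD_PLUS_APEX,
    }
    for label, sans in certs.items():
        for host in ("domain.com", "www.domain.com", "a.b.domain.com"):
            hit = matching_san(sans, host)
            verdict = f"OK via SAN {hit!r}" if hit else "handshake fails (name mismatch)"
            print(f"{label:22} {host:18} {verdict}")
```

Running the script prints one verdict per certificate and host name; the only way to get `OK` for `domain.com` is a SAN entry that is literally `domain.com`, which is the point of the answer. Python's standard library used to expose this logic as `ssl.match_hostname()` (deprecated in 3.7 and removed in 3.12); current versions hand the check to OpenSSL, which applies the same rules.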



Author: goocreations
Updated on September 18, 2022

Comments

  • goocreations
    goocreations over 1 year

    I currently have an SSL certificate which is registered for https://www.domain.com. I didn't register https://domain.com and I don't have money to do that.

    Since the SSL exchange is done before the actual site is loaded, I can't simply put a redirect in .htaccess without the client getting an SSL warning. Is there any way I can make sure that all https://domain.com are redirected to https://www.domain.com before the SSL exchange? Maybe something directly on the Apache server or something in the DNS?

    • Roger
      Roger over 11 years
      DNS is only resolving IP addresses and domains. That won't help you.
    • MDMarra
      MDMarra over 11 years
      I didn't register https://domain.com and I don't have money to do that. - Um, why would that cost you extra? You own domain.com, just make an A record for it and get a certificate that has both names.
  • Mark
    Mark over 11 years
    I'd add that many of the Cert vendors offer one or more Subject Alternative Names for free on their middle tier and higher products. And most allow at least one re-issue where you can add a second name. Check your current cert vendor to see if you can double-up for free.
  • Motivated
    Motivated about 8 years
    @Bruno - It would be good if the answer were updated to note the technical features that support the use of hostnames such as www and domains without hostnames - helpdesk.ssls.com/hc/en-us/articles/…
  • Bruno
    Bruno about 8 years
    @Motivated Not sure what you mean. I've clearly mentioned this "Some certificates can be valid for multiple host names, by having multiple Subject Alternative Name (SAN) DNS entries, e.g. domain.com and www.domain.com. Some CAs do this by default, some do it for an extra fee."
  • Motivated
    Motivated about 8 years
    @Bruno - The article at SSLS.com suggests that there is a technical feature that supports this. Is this different to Subject Alternative Names?
  • Bruno
    Bruno about 8 years
    @Motivated No, it's not different, they do call it SAN in their article too.
  • Bruno
    Bruno about 8 years
    @Motivated This is just a commercial restriction.
  • Motivated
    Motivated about 8 years
    @Bruno - Thanks. So there are no technical restrictions? Why restrict it commercially?