Firefox not forwarding to https://non-www.domain.com

Time:09-17

I am working on a GoDaddy VPS (Apache, CentOS, cPanel). I have an SSL certificate valid for example.com but NOT www.example.com.

I want to use a .htaccess file to forward any requests to https://example.com/<pages>.

My code:

RewriteEngine On 
RewriteCond %{HTTPS} off 
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.*)$ [NC]
RewriteRule ^(.*) https://example.com/$1 [L,R=301]

The problem:
All tested browsers (Chrome, Edge, Opera) work fine for all combinations of http, https, www, and specific pages. However, Firefox does NOT forward https://www.example.com (with or w/out pages).

I get a security warning stating that www.example.com is not on the cert.

I have tried numerous other code snippets but none seem to work.

CodePudding user response:

Firefox may seem like the oddball, but actually it's the other browsers doing it "wrong" - to be forgiving with other people's server misconfiguration in favor of the user's convenience. (Also, it will look less odd once you realize that all three browsers you mentioned - Chrome, Edge, Opera - are forks of Chromium.)

If you look in the Chrome devtools, you'll see this:

Redirecting navigation www.example.com -> example.com because the server presented a certificate valid for example.com but not for www.example.com. To disable such redirects launch Chrome with the following flag: --disable-features=SSLCommonNameMismatchHandling

So, even though you didn't present a valid certificate for https://www.example.com, Chrome was nice enough to execute the redirect anyway, because you did present a certificate that was valid for the target domain of the redirect (example.com), even though technically the redirect response was returned over a connection that wasn't properly secured (with a certificate not matching the requested domain).

The solution would be to have a proper SSL certificate in the first place, including all the domains that you want your site to be reachable under, in that case probably just example.com and www.example.com. (Some certificate issuers will even include the www subdomain for free if you purchase a certificate for the naked domain.)
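
Added example, not part of the original answer: a small Python check of which host names a certificate actually covers, so a missing www entry is found before a browser reports it. The function names and the sample certificates are constructed for illustration; the input is the dict shape returned by `ssl.SSLSocket.getpeercert()`, and only dNSName SAN entries are considered.

```python
import socket
import ssl


def san_matches(pattern: str, host: str) -> bool:
    """Match one dNSName SAN entry against a host name (RFC 6125 style)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # wildcard must be the whole left-most label, above a registrable name
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def covered(cert: dict, host: str) -> bool:
    """True if any dNSName in the certificate's SAN list covers host."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(san_matches(s, host) for s in sans)


def redirect_audit(cert: dict, hosts: list) -> dict:
    """Map each host to whether the TLS handshake for it would validate.
    False means the browser warns before any .htaccess redirect is seen."""
    return {h: covered(cert, h) for h in hosts}


def fetch_cert(host: str, port: int = 443) -> dict:
    """Fetch the live certificate; the chain is verified, the name is not,
    so a name mismatch can still be inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (SAN lists only).
APEX_ONLY = {"subjectAltName": (("DNS", "example.com"),)}
APEX_AND_WWW = {"subjectAltName": (("DNS", "example.com"),
                                   ("DNS", "www.example.com"))}
WILDCARD_ONLY = {"subjectAltName": (("DNS", "*.example.com"),)}

if __name__ == "__main__":
    names = ["example.com", "www.example.com"]
    for label, cert in [("apex only", APEX_ONLY),
                        ("apex + www", APEX_AND_WWW),
                        ("wildcard only", WILDCARD_ONLY)]:
        print(label, redirect_audit(cert, names))
```

Note that a wildcard-only certificate covers www.example.com but not the bare example.com, so both names still need to be listed.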
