UCC certs aren't what they use to be?

Full disclosure, I could be dead wrong about all of this? I've been wrong before and since I'm being honest I'll be wrong again but hear me out.

 

I often recommended UCC/SAN SSL certs for my clients as I feel it is an economical way of protecting multiple domain names. Often projects I design will have multiple domain names associated so having the option to add them as a Subject Alternate Name (SAN) was helpful.

 

I have one client that runs a coffee shop on the domains anytowncoffee.com and peytonscoffee.com. I don't do any forwarding but instead have both domains pointed to the root of the hosting. If someone comes in on anytowncoffee.com or peytonscoffee.com the rest of their visit is generally tied to that, so they will see anytowncoffee.com/contact-us or peytonscoffee.com/contact-us and so on. I also would add subdomains like shop.peytonscoffee.com, or I would forward shop.peytonscoffee.com to shop.anytowncoffee.com.

 

I assign the one domain the website was built on to the security certificate (anytowncoffee.com in this case), then the other domain(s) as SANs under that domain (peytonscoffee.com in this case). Naturally I did not have to worry about subdomains for the main secured domain, but special attention had to be paid when utilizing subdomains on SAN-attached domains. I would force https:// for any domain connected to a security certificate. The astute user would see that the security certificate for all of these domains was registered to the company name Peyton's Coffee INC., but that was just fine.

 

With that setup when someone went to anytowncoffee.com they would be pushed to https://anytowncoffee.com and if they went to www.anytowncoffee.com be pushed to https://www.anytowncoffee.com as it was the main domain setup on the cert.

 

For SAN domains, when someone went to peytonscoffee.com they would be pushed to https://peytonscoffee.com, and if they went to www.peytonscoffee.com they were pushed to https://peytonscoffee.com, as www was set as a CNAME pointed to @ in the DNS; I never bothered to name www.peytonscoffee.com as its own SAN. As mentioned previously, shop.peytonscoffee.com would go to https://shop.anytowncoffee.com via a forward, or if the shop subdomain was assigned as a SAN, go directly to https://shop.peytonscoffee.com.

 

That setup worked for years and was the base way I handled multiple domains, especially those pointing to the same website or for the same customer. Recently security changes have made my setup obsolete. Specifically, now any subdomain not assigned to a security certificate reads as unsecure. This means my www.peytonscoffee.com, rather than going to https://peytonscoffee.com, now throws a nasty error because the www subdomain is not assigned specifically to a security certificate. Additionally, subdomains like http://shop.peytonscoffee.com no longer forward to https://anytowncoffee.com without a security error. As I understand it, the new security policy means that even if a domain or subdomain is forwarded it must be assigned to an SSL certificate?

 

Typically I don't type www when I'm entering domain names because that is just extra typing and I'm lazy but there are certainly people who do enter www before domains. For my setup this now means that at minimum I need to add both peytonscoffee.com and www.peytonscoffee.com as SANs plus shop.peytonscoffee.com which then would not need a forward since it now was attached to a cert. This means that one UCC would protect one and a half domains? Additionally even domains I only forward all need SSL certs? I tend to use a lot of domains with no website just for SEO that forward to secured domains with websites on them. I saw no security issue as long as the user ended up on a secure domain. Now someone that purchases anytowncoffee.net, anytowncoffee.info, anytowncoffee.us... would need security certificates for each domain just so they would forward without a security alert to https://anytowncoffee.com

 

Reading through posts in this section I see that others should be running into similar issues? I figured with the setup I run/ran the security changes would not impact me but I'm going to need a lot more security certificates? Maybe I'm looking at this all wrong?

 

...turns out that my two cents is worth less or more depending on the current exchange rate.

roy darling *my posts seem a lot shorter in my head


Re: UCC certs aren't what they use to be?

Hi @rd, thanks for the question.

As far back as I can remember, UCC SSLs have always worked in the way you described. SAN domains never included the 'WWW' version of the domain to the best of my memory; www.alternatedomain.com had to be included as a second SAN.

 

If www.alternatedomain.com is not included in the UCC SSL, then trying to access https://www.alternatedomain.com won't resolve. The browser would check for an SSL when connecting to https://www.alternatedomain.com, and then return an error since it isn't covered under the UCC.

 

However, accessing it via http://www.alternatedomain.com (not https), and then being redirected to https://alternatedomain.com would still work. Under most circumstances, this isn't an issue because site visitors will rarely and intentionally type in the full URL for https://www.alternatedomain.com.

 

I hope I cleared this up.

Gary - GoDaddy | Community Moderator
24/7 Support | Check System Status

Re: UCC certs aren't what they use to be?

I'm not saying that UCC SSLs have changed @GaryA. What has changed is the security around subdomains? I never found the need to define the www of a domain as a SAN because I just defined it as a CNAME pointed to @ in the DNS. It is basically just the setup I use that has to change? 

 

In my experience any www not individually defined in the SAN will not forward without a security error. You can go and add an exception, but that is an ugly warning. Like I said, maybe it's just me?

 


roy darling *my posts seem a lot shorter in my head


Re: UCC certs aren't what they use to be?

Hey @rd.

It should only give an error if you try to specifically access the WWW subdomain using HTTPS. There should be no trouble accessing the site using WWW without HTTPS, and then being redirected to the secure domain name. Based on how you described your setup, this is what I imagine working:

 

httpS://alternatedomain.com -> works

http://www.alternatedomain.com -> redirects to httpS://alternatedomain.com -> works

httpS://www.alternatedomain.com -> doesn't work / can't redirect

 

This setup usually works fine, since a common visitor to a site won't manually type out HTTPS when typing in the URL. If you were seeing something else, could you provide some more clarification on your setup for me? 

 

Gary - GoDaddy | Community Moderator

Re: UCC certs aren't what they use to be?

Fair warning, this may be a bit of overkill.

 

I created a new environment to mimic how I use UCC SSLs

[Attached screenshot: 2348-ssl-example.PNG]

 

As I mentioned I often point multiple domains to one website directory. This is a WordPress MultiSite install with https://anytowncoffee.com as the WordPress install domain. peytonscoffee.com and peytonspastry.com both just point to the directory where WordPress is installed as addon domains. I of course purposely left off the www.peytonspastry.com in the SAN for this example.

 

The behavior I get from this setup is:

anytowncoffee.com > https://anytowncoffee.com/ 🔒 Secure

www.anytowncoffee.com > https://www.anytowncoffee.com/ 🔒 Secure

www.peytonscoffee.com > https://anytowncoffee.com/ 🔒 Secure

peytonscoffee.com > https://anytowncoffee.com/ 🔒 Secure

peytonspastry.com > https://anytowncoffee.com/ 🔒 Secure

www.peytonspastry.com > Ugly Error

 

For better or worse I learn best practically, so I will often embark on exercises like creating a complete environment from scratch to see if I can improve or troubleshoot issues. I naturally find it useful, as evidenced by the fact that I do it. I believe I found what my issue was/is? I think it may be down to some parameters set in the wp-config.php or the .htaccess file to force https://?

 

I know there will probably be tons of warnings as I just bought the domains and threw up a website in 24 hours.

 


roy darling *my posts seem a lot shorter in my head


Re: UCC certs aren't what they use to be?

Hi @rd, thanks for following up with more detailed information and this example.

Taking a look at the sites and the SSL, I can confirm that the UCC is set up to secure these domains:

SANs: anytowncoffee.com, www.anytowncoffee.com, www.peytonscoffee.com, peytonscoffee.com, peytonspastry.com

www.peytonspastry.com is not included in the SANs and not secured, as you stated.

 

I suspect the issue that's being encountered is that when visiting www.peytonspastry.com, it's redirecting to https://www.peytonspastry.com before redirecting to https://anytowncoffee.com/. Ideally it wouldn't redirect to HTTPS at all prior to redirecting to https://anytowncoffee.com/, but there's always different use cases for these scenarios.

 

With this particular configuration, I'd lean towards an issue with a redirect in the .htaccess file. Without knowing details, I suspect the .htaccess file is redirecting traffic to HTTPS, and then the WordPress settings redirect traffic to anytowncoffee.com. It should be possible to redirect traffic to HTTPS only for the anytowncoffee.com domain in the .htaccess configuration.

Gary - GoDaddy | Community Moderator

Re: UCC certs aren't what they use to be?

I spent the bulk of the weekend looking at the .htaccess file @GaryA. Keep in mind that I'm new to the WordPress world so don't laugh too hard, but here is my .htaccess file:

# BEGIN WordPress Multisite

RewriteEngine On
RewriteBase /
# Exclude the domain-control-validation (DCV) files from the rule that follows
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^index\.php$ - [L]

# add a trailing slash to /wp-admin
RewriteRule ^wp-admin$ wp-admin/ [R=301,L]

# serve existing files and directories as they are
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
RewriteRule ^(.*\.php)$ $1 [L]
# everything else is handed to WordPress
RewriteRule . index.php [L]

# redirects to HTTPS on whatever host was requested, including hosts the UCC does not cover
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# END WordPress Multisite

I cleaned my .htaccess up a bit but that didn't seem to do much to change my issue? Let me know if something looks off there? What seemed to work for me is changing the www CNAME from @ to peytonscoffee.com. So now www.peytonspastry.com goes to peytonscoffee.com and WordPress says "Oh, you want https://anytowncoffee.com" (as that is the only current website on my MultiSite). If I define network site(s) then I should be able to push these additional domains to their own website using WordPress as the traffic cop.

 

Defining the CNAME this way means that I do not have to define both the www.peytonspastry.com and peytonspastry.com as individual SAN lines.

 

Does this seem like the correct approach to you?

 


roy darling *my posts seem a lot shorter in my head


Re: UCC certs aren't what they use to be?

Thanks for following up @rd.

I'm not an expert with .htaccess files, but I suspect it's this line:

RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Since that's the line controlling the redirect to HTTPS. You might be able to update this to only redirect to HTTPS for your primary domain, or remove it and manage the HTTPS redirect through WordPress. I believe there are a few different plugins that can manage HTTPS redirects in WordPress.

 

I'm not sure the CNAME edit you mentioned is a factor in this. It might be a combination of factors, including the .htaccess changes you made.

Checking www.peytonspastry.com, I do see that it's an HTTP redirect to https://anytowncoffee.com, so it's happening after the DNS.

 

Gary - GoDaddy | Community Moderator

Re: UCC certs aren't what they use to be?

Okay, thanks @GaryA I removed that line from the .htaccess file and pointed the www CNAME back to @. I'll give it 24 hours and have a look at it again. The good thing about a test environment is I can be patient. Thanks again.

 


roy darling *my posts seem a lot shorter in my head

Solution

Re: UCC certs aren't what they use to be?

Thank you to all those who reached out to help me out of my confusion. Thank you to @GaryA in this thread, the GoDaddy support I spoke to trying to get this all clear, people IRL (I've been trying to get this straight for awhile) and those who reached out to me in email or private message. The good news is I see where I went wrong and I have it together now?

[Attached screenshot: 2348-ssl-ucc.png]

So as not to embarrass myself too much I will say that I was ahead of the curve. My forward thinking and action actually caused my issue and contributed to my confusion. I often would force https:// in my website projects regardless of platform. Recent security changes meant that browsers are now performing that check that I was forcing.

 

 

The rewrite rule I had in my .htaccess file created an unsecure URL when a subdomain was typed that was not defined as a SAN.

RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Basically I was creating the need to add domains to my SAN list without the direct need to do so. Since I have the www CNAME pointed to it already goes to the secure domain defined by the SSL certificate. I will continue to define subdomains and URLs where I plan to create content but I now understand that I do not need to define a rewrite AND I do not need to add a separate line in my SAN for the www subdomain. I hope my absolute confusion can help someone else?

 

Thanks again!

 


roy darling *my posts seem a lot shorter in my head
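To make the failure mode in this thread concrete, here is an added Python model (not code from the thread, from WordPress or from GoDaddy) of the two redirect policies discussed: the blanket HTTPS rewrite from the .htaccess file, and the host-aware variant Gary suggested. The SAN list, hostnames and WordPress redirect behaviour are taken from the thread; the WP_HOSTS set and the wildcard handling in host_covered are assumptions that go beyond the thread's exact-name SANs.

```python
from urllib.parse import urlsplit

# SAN list of the test UCC as reported in the thread; www.peytonspastry.com is absent
SANS = ["anytowncoffee.com", "www.anytowncoffee.com", "www.peytonscoffee.com",
        "peytonscoffee.com", "peytonspastry.com"]
CANONICAL = "https://anytowncoffee.com"          # the WordPress install domain
WP_HOSTS = {"anytowncoffee.com", "www.anytowncoffee.com"}   # assumed canonical hosts

def host_covered(host, sans):
    """True if host matches a SAN exactly or via a single leftmost '*' label."""
    host = host.lower().rstrip(".")
    for san in sans:
        san = san.lower()
        if san.startswith("*."):
            suffix = san[1:]                      # ".example.com"
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
        elif host == san:
            return True
    return False

def wordpress_hop(u):
    """WordPress with one network site sends every other host to the canonical site."""
    return None if u.hostname in WP_HOSTS else CANONICAL + u.path

def redirect_blanket(url):
    """Models 'RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]':
    the requested host is upgraded to HTTPS in place; WordPress redirects afterwards."""
    u = urlsplit(url)
    return "https://" + u.netloc + u.path if u.scheme == "http" else wordpress_hop(u)

def redirect_host_aware(url):
    r"""Upgrade only the canonical hosts in place; any other host goes straight to the
    canonical HTTPS URL, so no hop lands on an https:// host the UCC lacks (e.g. by
    guarding the rule with RewriteCond %{HTTP_HOST} ^(www\.)?anytowncoffee\.com$)."""
    u = urlsplit(url)
    if u.hostname in WP_HOSTS:
        return "https://" + u.netloc + u.path if u.scheme == "http" else None
    return CANONICAL + u.path

def follow(url, policy, sans=SANS, max_hops=5):
    """Follow redirects; returns (final_url, chain, first uncovered https host or None)."""
    chain = [url]
    for _ in range(max_hops):
        u = urlsplit(chain[-1])
        if u.scheme == "https" and not host_covered(u.hostname, sans):
            return chain[-1], chain, u.hostname   # browser shows the cert error here
        nxt = policy(chain[-1])
        if nxt is None:
            return chain[-1], chain, None
        chain.append(nxt)
    raise RuntimeError("redirect loop")
```

Note that a visitor who types https://www.peytonspastry.com directly still hits the certificate error under either policy, exactly as Gary described; only the hop introduced by the blanket rewrite is avoidable.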


Re: UCC certs aren't what they use to be?

Thanks for the follow up @rd.

Glad to hear we got everything sorted out with it and thanks for posting a detailed follow up explaining how you have it working in your final setup.

 

Gary - GoDaddy | Community Moderator