SSL not working when redirecting from non-www to www
Hello, im a web developer and have come accross a problem which only occurs in the firefox browser.
When i design a website, i use the www version of it always, and have redircts for all other instances, eg; mydomain.co.uk > https://www.mydomain.co.uk http://www.mydomain.co.uk > https://www.mydomain.co.uk https://mydomain.co.uk > https://www.mydomain.co.uk
So they all end up at the secure www version of the website. This is done in the .htaccess file and works great in Chrome, Edge, Explorer etc just not firefox.
In firefox i get the error
Warning: Potential Security Risk Ahead
Firefox detected a potential security threat and did not continue to boothandco.com. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.
What can you do about it?
The issue is most likely with the web site, and there is nothing you can do to resolve it. You can notify the web site’s administrator about the problem.
Ignoring it then procceeds to the full https://www. but that warning screen will be enough to put potential visitors off no doubt.
Is there an "easy fix" for this or is the only way to solve the problem to use up more SAN's and double up on www and non-www versions of each website?
Any help is greatly appreciated.
Thanks Chris
All Replies (5)
Can you post some links as real examples of websites that have this problem ?
Start Firefox in Safe Mode to check if one of the extensions ("3-bar" menu button or Tools -> Add-ons -> Extensions) or if hardware acceleration or userChrome.css is causing the problem.
- switch to the DEFAULT theme: "3-bar" menu button or Tools -> Add-ons -> Themes
- do NOT click the "Refresh Firefox" button on the Safe Mode start window
- https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode
- https://support.mozilla.org/en-US/kb/troubleshoot-extensions-themes-to-fix-problems
You can remove all data stored in Firefox for a specific domain via "Forget About This Site" in the right-click context menu of an history entry ("History -> Show All History" or "View -> Sidebar -> History").
Using "Forget About This Site" will remove all data stored in Firefox for this domain like history and cookies and passwords and exceptions and cache, so be cautious. If you have a password or other data for that domain that you do not want to lose then make sure to backup this data or make a note.
You can't recover from this 'forget' unless you have a backup of involved files.
If you revisit a 'forgotten' website then data for that website will be saved once again.
Yes certainly;
boothandco.com lindwayspringsalpacas.co.uk peakautolocks.co.uk
I know its because its the non-www version of the site, but i dont understand why firefox isnt redirecting straight to the secure www.
The SAN list only includes the www. prefixed domain if I check the certificate. I do not see the server response headers in the Network Monitor, so I don't know why Firefox doesn't see the redirect.
The certificate is only valid for the following names: cecilwebdesigns.co.uk www.cecilwebdesigns.co.uk www.lindwayspringsalpacas.co.uk www.pothongthaitherapy.co.uk www.ddbl.co.uk www.whitepeakhousekeeping.co.uk www.boothandco.com www.tecniblock.co.uk www.peakautolocks.co.uk www.cinema-box.co.uk www.upperfieldfarm.co.uk
Error code: SSL_ERROR_BAD_CERT_DOMAIN
Note that Qualys also reports an error.
- https://www.ssllabs.com/ssltest/analyze.html?d=boothandco.com
- https://www.ssllabs.com/ssltest/analyze.html?d=lindwayspringsalpacas.co.uk
Modified
Yes the issue is now why Firefox is not seeing the redirect when all other browsers can see it fine.
I will show the htaccess file below incase im missing something obvious.
RewriteEngine on RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] RewriteCond %{HTTP_HOST} !^www\. [NC] RewriteRule (.*) https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301] # remove the index file. RewriteCond %{THE_REQUEST} ^.*/index RewriteRule ^(.*)index$ http://www.boothandco.com/$1 [R=301,L] # Remove PHP extention. RewriteCond %{REQUEST_FILENAME} !-f RewriteRule ^([^\.]+)$ $1.php [NC,L] # Custom error pages. ErrorDocument 404 https://www.boothandco.com/notfound
Modified