Browser looking for https on subdomains not pointed at website

Not sure where to put this one…

So I have a website (**https://** which is all on Roots stack with a Let’s Encrypt certificate.

I also use a subdomain (**http://** which directs to a Campaign Monitor account via a CNAME record, but it doesn’t have an SSL certificate.

Once you visit the secure Roots website in Safari/Chrome, any address on the same domain looks for https instead. So now trying to load the subdomain gives a security error because it’s redirecting to https://. This is not a problem if you visit in a new browser.

I know this is a browser problem, not necessarily a Roots problem, but is annoying.

Any ideas on how I might fix this?

I haven’t looked into this, but I recall the thread below, which might help.

1 Like

That seems to have done it

  1. Set nginx_hsts_include_subdomains: false in group_vars/all/main.yml
  2. Run ansible-playbook server.yml -e env=production --tags letsencrypt
  3. Deploy

Site still loads at https:// and the off-site subdomain loads fine at http://

Note: You’ll still need to clear old HSTS records out of your browser, here’s a guide for Chrome and Safari: