# Browser looking for https on subdomains not pointed at website

**URL:** https://discourse.roots.io/t/browser-looking-for-https-on-subdomains-not-pointed-at-website/8244
**Category:** general
**Created:** 2016-12-01T21:09:33Z
**Posts:** 3

## Post 1 by @Simeon — 2016-12-01T21:09:33Z

Not sure where to put this one…

So I have a website (**https://**[tomoro.com.au](http://tomoro.com.au)) which is all on Roots stack with a Let’s Encrypt certificate.

I also use a subdomain (**http://**[example.tomoro.com.au](http://example.tomoro.com.au)) which directs to a Campaign Monitor account via a CNAME record, but it doesn’t have an SSL certificate.

Once you visit the secure Roots website in Safari/Chrome, any address on the same domain looks for https instead. So now trying to load the subdomain gives a security error because it’s redirecting to **https://**. This is not a problem if you visit in a new browser.

I know this is a browser problem, not necessarily a Roots problem, but is annoying.

Any ideas on how I might fix this?

---

## Post 2 by @fullyint — 2016-12-01T21:21:56Z

I haven’t looked into this, but I recall the thread below, which might help.

> [@LetsEncrypt Subdomain wildcard?](https://discourse.roots.io/t/letsencrypt-subdomain-wildcard/7379/4):
>
> Looks like that’s [HSTS](https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet) in action.
> 
> You’ll need to set `nginx_hsts_include_subdomains: false` in `group_vars/all/main.yml`.
> 
> It’s generally better security to set it, which is why it’s our default. Why not just enable SSL though?

---

## Post 3 by @Simeon — 2016-12-01T22:22:19Z

That seems to have done it

1. Set `nginx_hsts_include_subdomains: false` in `group_vars/all/main.yml`
2. Run `ansible-playbook server.yml -e env=production --tags letsencrypt`
3. Deploy

Site still loads at `https://` and the off-site subdomain loads fine at `http://`

Note: You’ll still need to clear old HSTS records out of your browser, here’s a guide for Chrome and Safari: [https://really-simple-ssl.com/knowledge-base/clear-hsts-browser/](https://really-simple-ssl.com/knowledge-base/clear-hsts-browser/)
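
Added example, not part of the original posts or of the Roots project's code: a shell function that classifies a `Strict-Transport-Security` response header, so you can confirm after the deploy that the site no longer sends `includeSubDomains`. It assumes the setting named in this thread controls that directive; the function name `hsts_scope`, the sample header values in the test and the `example.com` URL are constructed for illustration.

```shell
#!/bin/sh
# hsts_scope TEXT
# TEXT is a single header line or the full output of `curl -sI`.
# Prints one of:
#   none                    no Strict-Transport-Security header present
#   invalid                 header present but without the required max-age
#   cleared                 max-age=0: browser is told to drop its stored policy
#   host-only max-age=N     https is forced for this exact host only
#   subdomains max-age=N    https is also forced for every subdomain
hsts_scope() {
  # Header names are case-insensitive and curl output ends lines with CR.
  value=$(printf '%s' "$1" | tr -d '\r' | tr 'A-Z' 'a-z' \
          | sed -n 's/^strict-transport-security:[[:space:]]*//p')
  [ -n "$value" ] || { echo "none"; return 0; }

  max_age=""
  subdomains=no
  # Directives are separated by ';' and may carry whitespace or quotes.
  old_ifs=$IFS
  IFS=';'
  for directive in $value; do
    directive=$(printf '%s' "$directive" | tr -d '[:space:]"')
    case $directive in
      max-age=*)         max_age=${directive#max-age=} ;;
      includesubdomains) subdomains=yes ;;
    esac
  done
  IFS=$old_ifs

  if [ -z "$max_age" ]; then
    echo "invalid"
  elif [ "$max_age" = 0 ]; then
    echo "cleared"
  elif [ "$subdomains" = yes ]; then
    echo "subdomains max-age=$max_age"
  else
    echo "host-only max-age=$max_age"
  fi
}

# Usage against a live site (placeholder URL):
#   hsts_scope "$(curl -sI https://example.com/)"
```

A `host-only` result only describes what the server sends now; a browser that stored the earlier subdomain-wide policy keeps enforcing it until that policy's max-age runs out or the record is cleared.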
