Browser looking for https on subdomains not pointed at website

Not sure where to put this one…

So I have a website (**https://**tomoro.com.au) which is all on Roots stack with a Let’s Encrypt certificate.

I also use a subdomain (**http://**example.tomoro.com.au) which directs to a Campaign Monitor account via a CNAME record, but it doesn’t have an SSL certificate.

Once you visit the secure Roots website in Safari/Chrome, any address on the same domain looks for https instead. So now trying to load the subdomain gives a security error because it’s redirecting to https://. This is not a problem if you visit in a new browser.

I know this is a browser problem, not necessarily a Roots problem, but it is annoying.

Any ideas on how I might fix this?

I haven’t looked into this, but I recall the thread below, which might help.

1 Like

That seems to have done it:

  1. Set `nginx_hsts_include_subdomains: false` in `group_vars/all/main.yml`
  2. Run `ansible-playbook server.yml -e env=production --tags letsencrypt`
  3. Deploy

Site still loads at https:// and the off-site subdomain loads fine at http://

Note: You’ll still need to clear old HSTS records out of your browser. Here’s a guide for Chrome and Safari: https://really-simple-ssl.com/knowledge-base/clear-hsts-browser/

3 Likes
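The behaviour discussed in this thread, as an added example that is not part of the original posts: a simplified model of a browser's HSTS cache following the matching rules of RFC 6797, showing why a policy with `includeSubDomains` cached for the main site upgrades the HTTP-only subdomain, and why a stale record keeps doing so until it is replaced or cleared. The class and function names are hypothetical, and the `max-age` value is a constructed sample.

```python
# Simplified model of a browser's HSTS cache (RFC 6797). Added example.
import time

class HSTSStore:
    def __init__(self):
        self.entries = {}  # host -> (expiry_timestamp, include_subdomains)

    def note_header(self, host, header, now=None):
        """Record a Strict-Transport-Security header received over HTTPS."""
        now = time.time() if now is None else now
        max_age, include_sub = None, False
        for part in header.split(";"):
            name, _, value = part.strip().partition("=")
            name = name.strip().lower()  # directive names are case-insensitive
            if name == "max-age":
                max_age = int(value.strip().strip('"'))
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return  # max-age is mandatory; a header without it is ignored
        host = host.lower()
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 removes the cached policy
        else:
            self.entries[host] = (now + max_age, include_sub)

    def should_upgrade(self, host, now=None):
        """True if an http:// request to host would be rewritten to https://."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None or entry[0] <= now:
                continue  # no record for this name, or the record has expired
            if i == 0 or entry[1]:  # exact host, or parent with includeSubDomains
                return True
        return False

def demo():
    store = HSTSStore()
    # Constructed header values; the max-age is an assumed sample.
    store.note_header("tomoro.com.au", "max-age=31536000; includeSubDomains", now=0)
    before = store.should_upgrade("example.tomoro.com.au", now=10)
    # Header as served once includeSubDomains is switched off.
    store.note_header("tomoro.com.au", "max-age=31536000", now=20)
    after = store.should_upgrade("example.tomoro.com.au", now=30)
    return before, after, store.should_upgrade("tomoro.com.au", now=30)
```

`demo()` returns whether the subdomain is upgraded before and after the cached record is replaced, plus whether the main site is still upgraded.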