By: ozwiz

Do I need to buy separate SSL certs for www and non-www?

May 30, 2017
DigitalOcean Ubuntu 16.04

Let's say I have a website named example.com hosted here in DO. Currently, I am redirecting all www URLs to the non-www equivalent. So if a request comes in at www.example.com, the server will redirect it to example.com.

Now I want to use SSL on my site. My question is: do I have to buy separate SSL certs for the www and non-www versions of the domain?

Thanks :)

1 comment
  • Most certificate and hosting companies (DigitalOcean included) will cover example.com and www.example.com on the same certificate. In most cases, these are on the same server, with the same IP address. Guided by DNS configuration, the server distributes requests for any-name.example.com.

    Beware of your DNS configuration, especially with respect to mail servers. The world would like to see a one-to-one relationship in forward (name to IP) and reverse (IP to name) lookups. Somewhere in DNS is an SPF record that says host x.x.x.x has authority to send mail on behalf of mail.example.com.

    Covering xyz.example.com is another matter, requiring either a separate certificate or a wildcard certificate.

    I have a cPanel, CentOS7, VPS account. I cover my VPS server server.example.com with a certificate; I use a certificate for client.com to cover http requests to client.com aka www.client.com.

    I declare smtp.client.com and mail.client.com in DNS. Technically, I should be able to declare mail.client.com and smtp.client.com as servers. Occasionally, I run into trouble and now make sure to claim smtp.example.com as my mail server.

4 Answers
hansen May 30, 2017
Accepted Answer

Hi @ozwiz

Most certificate providers will give you www.example.com for free when you buy example.com.

But you can get free signed certificates with Let's Encrypt.
You can follow the tutorial for whichever web server you're using.
Apache: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04
Nginx: https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04

In this tutorial, we will show you how to use Let's Encrypt to obtain a free SSL certificate and use it with Nginx on Ubuntu 16.04. We will also show you how to automatically renew your SSL certificate. If you're running a different web server, simply follow your web server's documentation to learn how to use the certificate with your setup.
  • @ozwiz

    As a general note, Let's Encrypt doesn't support WildCard SSL Certificates and may not ever, so if you absolutely need a WildCard SSL Certificate right now, the only way to obtain one is to buy one.

    With Let's Encrypt, you'd pass in the domains using the -d flag, though you need to do it for each variation you need an SSL Certificate for.

  • @hansen Does GoDaddy provide www for free? Just asking because their product description page doesn't say anything about this.

    Moreover, I am hesitating to use Let's Encrypt because I don't know whether they are of equal worth as other paid options.

    • @ozwiz

      Unless you need special certificates like WildCard, EV, UCC or SAN, Let's Encrypt is exactly equal to the regular certificates.

      I put more trust in Let's Encrypt than any of the current certificate providers - and they're backed by some of the biggest companies in the world.

      Certificates are about trust, and since Let's Encrypt is based on open validation and everything is done by computers, they are more trustworthy than Symantec, StartSSL and others that have lost trust (and been revoked from many browsers).

      Again, it's free for you to test with Let's Encrypt - if you don't like it, you can revoke the certificate and buy a certificate.

      I cannot find any information on GoDaddy if www. is included in their cheapest certificate. You probably need to contact their support.

      On the domains where I needed WildCard, I've been using AlphaSSL, which I've bought via ssl2buy.com - they also sell regular certificates for less than $10.

      But as of this year, I've been using Let's Encrypt primarily - and I cover about 80 domains with several sub-domains.
      If Let's Encrypt goes belly up or has a major breakage, then I can just go and buy certificates.

      • @hansen

        Thanks for the detailed answer :)

        As you know, I am redirecting all my www URLs to the non-www equivalents. So, what if I only apply SSL to the non-www domain? Is that a problem?

        One more thing: is there any way to know which type of cert (DV, EV or standard etc.) a site is using?

        • @ozwiz
          It's generally only a problem if your domain has a lot of history with www.
          Normally I would always recommend using a certificate that includes www. together with the root domain. Then your visitors won't get a warning in case they add the www. before being redirected.

          • Okay, I'm thinking of trying Let's Encrypt. Will there be any problem if at a later date I revoke Let's Encrypt or change SSL cert CA?

          • @ozwiz Nope, no problems. I've moved to and from Let's Encrypt on some domains. After replacing the certificate, I simply restarted the web server and that was it.

            We've reached the limit of comments in this thread, so if you have any further questions, simply create a new answer in the bottom and use the @ to notify me.

          • Thank you very much :)

        • @ozwiz

          EV = Extended Validation, which is what DigitalOcean uses - and most banks. It's a long process of verifying that your business is actually real and the connection to your domain.

          DV = Domain Validation, or just a regular certificate, is what you can get from Let's Encrypt for free or buy for $10 (or $70 at GoDaddy).

          You can check a certificate via https://www.ssllabs.com/ssltest/ and it'll tell you a lot of details about a certificate.
          And you can use https://crt.sh/ to find the history for any domain by looking at the Certificate Transparency list, which every certificate provider is required to use (at least from this year and going forward).

@ozwiz

No, you can have an SSL certificate for *.example.com, or sometimes you might need to specify all the subdomains of your main domain; for example, you can have one SSL certificate for example.com and for www.example.com.

Hope this helps.

The cost of a wildcard SSL cert is very high. Is there any way to get the same behavior using a standard SSL cert?

  • If you're worried about the cost of a certificate, I suspect all you need is Let's Encrypt, which will give you free certificates to any domains you own. (They don't do wildcard, but they'll issue a certificate that covers multiple domains, or multiple certificates each covering a single domain).

    It won't show the business name next to the lock on the address bar, but it will say secure.
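To make the three situations in this thread concrete (a certificate for the apex only, one listing both example.com and www.example.com, and a wildcard), here is an added example, not code from the thread or from DigitalOcean, that applies the standard SAN matching rules to a hostname and lists the names a visitor could type that would trigger a browser warning. The SAN lists are constructed for illustration; the point they show is that the browser checks the certificate before any redirect runs, and that a wildcard never covers the bare domain.

```python
"""Which hostnames does a certificate's SAN list actually cover?

Added example, not from the original thread. The SAN lists below are
constructed to mirror the cases discussed: a single-name certificate,
a certificate listing both the apex and www, and a wildcard certificate.
"""


def san_matches(hostname: str, san: str) -> bool:
    """Match one DNS SAN entry against a hostname (RFC 6125 style).

    A wildcard is only honoured as the entire left-most label and it
    matches exactly one label: '*.example.com' covers 'www.example.com'
    but neither 'example.com' nor 'a.b.example.com'.
    """
    hostname = hostname.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if "*" not in san:
        return hostname == san
    san_labels = san.split(".")
    host_labels = hostname.split(".")
    if san_labels[0] != "*" or "*" in san_labels[1:] or len(san_labels) < 3:
        return False  # partial, non-left-most or too-broad wildcards are rejected
    if len(host_labels) != len(san_labels):
        return False  # the wildcard stands in for exactly one label
    return host_labels[1:] == san_labels[1:]


def covered(hostname: str, san_list: list[str]) -> bool:
    """True if any SAN entry covers the hostname."""
    return any(san_matches(hostname, san) for san in san_list)


def uncovered_names(needed: list[str], san_list: list[str]) -> list[str]:
    """Names a visitor could type that this certificate would warn on.

    The TLS handshake (and the certificate check) happens before the web
    server can send a www -> non-www redirect, so every name that reaches
    the server must be on the certificate.
    """
    return [h for h in needed if not covered(h, san_list)]


# Constructed SAN lists for the cases in the thread.
APEX_ONLY = ["example.com"]
APEX_AND_WWW = ["example.com", "www.example.com"]
WILDCARD = ["*.example.com"]
NEEDED = ["example.com", "www.example.com"]

if __name__ == "__main__":
    for label, sans in (("apex only", APEX_ONLY), ("apex + www", APEX_AND_WWW), ("wildcard", WILDCARD)):
        print(f"{label:11} -> warns on: {uncovered_names(NEEDED, sans) or 'nothing'}")
```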
