HSTS error with letsencrypt on redirects

A while ago I forced HTTPS on our server using certificates from letsencrypt.

Redirect does not work
Then I encountered that all the subdomain redirects don’t work anymore. I created some redirects (e.g. blog.mordsgau.dehttps://mordsgau.de/blog) using the web-interface from our server-provider.

HSTS Error
The problem occured in chrome after a while in Chrome (and also in Firefox with HTTPS-everywhere Add-On): Chrome did not foreward to the HTTPS-site but only displayed this error:

You cannot visit blog.mordsgau.de right now because the website uses HSTS.

What is HSTS?
HTTP Strict Transport Security (HSTS) helps to protect websites against protocol downgrade attacks and cookie hijacking (for more Info read the Wiki-article).

What caused the HSTS error?
I simply used the wrong redirect method.
On default, the redirects by our server where implemented by redirecting to our server-provider and then redirect to the site.
With HSTS this method does not work, because the IP of the server changes (server-provider → mordsgau.de) but the certifcate (for mordsgau.de) stays the same.

How to solve the HSTS error?

  1. Ensure there is a certifacte for the subdomain (e.g. in the alternate names of the cert).
  2. Next changed the redirect method in the web-interface of your server-provider to point to your server instead of letting your provider manage the redirect. I used DNS-A. Check if this works by pinging your subdomain – it should display the IP of your server.
  3. Then redirected the subdomain to the desired URL using an apache vhost or the htaccess file.



This is the DNS-Entry for this blog:

blog                     IN A # The IP of mordsgau.de


And this is the apache2 site config (/etc/apache2/sites-available/wordpress.conf) I use for this blog.
My configuration forces HTTPS and redirects all requests to HTTPS (so you can’t access this blog non-encrypted with HTTP).

# Redirect all HTTP requests to mordsgau.de to https://mordsgau.de

<VirtualHost *:80>
  ServerName blog.mordsgau.de
  DocumentRoot /var/www/html/wordpress
  Redirect permanent / https://blog.mordsgau.de/

<IfModule mod_ssl.c>
<VirtualHost *:443>
  Header set Access-Control-Allow-Origin "*"
  ServerName blog.mordsgau.de

  ServerAdmin webmaster@localhost
  DocumentRoot /var/www/html/wordpress
  <Directory /var/www/html/wordpress>
    AllowOverride All

  ErrorLog ${APACHE_LOG_DIR}/wp_error.log
  CustomLog ${APACHE_LOG_DIR}/wp_access.log combined

  # LetsEncrypt SSL certs
  Include /etc/letsencrypt/options-ssl-apache.conf
  SSLCertificateFile /etc/letsencrypt/live/mordsgau.de/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/mordsgau.de/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/mordsgau.de/chain.pem


Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.

Diese Website verwendet Akismet, um Spam zu reduzieren. Erfahre mehr darüber, wie deine Kommentardaten verarbeitet werden.