WWW as default domain stopped working, confused

Our domain should always use www, and this used to work, but something has changed and I can’t figure out how to fix it. Here’s our current setup - which record do I need to change?

Bluehost (registrar)
A @
CNAME initialcloudflare initialcloudflare.kidlit.tv.cdn.cloudflare.net
I cannot add www A records or CNAME records on Bluehost; it gives me an error every time.

Siteground (webhost)
Server IP address:
Let’s Encrypt SSL configured for naked domain kidlit.tv

A kidlit.tv Proxied
CNAME www cloudflare-resolve-to.kidlit.tv Proxied
I used the instructions here (https://developers.cloudflare.com/fundamentals/get-started/basic-tasks/manage-subdomains/#redirect-root-domain-to-a-subdomain) to add a redirect from kidlit.tv to https://www.kidlit.tv. The settings I have for that redirect Rule are:
Custom Filter Expression
When incoming requests match…
(lower(http.host) eq "kidlit.tv")

Then… URL redirect
Type Dynamic
Expression: concat("https://","www.kidlit.tv",http.request.uri.path)
Status Code 301

In SSL /TLS - Edge Certificates I have an Active (green) Universal certificate set up for www.kidlit.tv

Right now, I have to set WordPress to https://kidlit.tv so things will work - if I set it to https://www.kidlit.tv it gives an invalid certificate error. That used to work.

Can you see anything I’m doing wrong here? Thanks for your help!

That sounds fairly straightforward. Add www.kidlit.tv as an alternative name to your LE certificate and it should work.

I can’t edit the LE certificate on Siteground directly - it just lets me add new or delete. I can’t add a www. certificate there.

The Cloudflare www certificate is active and working, but when I set https://www.kidlit.tv as my default domain in WordPress, I get a ‘not secure’ notice.

Based on these Cloudflare settings, when I have WordPress updated to use https://www.kidlit.tv as the default domain, shouldn’t all https:// and http:// kidlit.tv traffic redirect there and show a valid certificate?

Ok, I’m a bit confused at your whole setup now.

It seems you are using a Cloudflare CNAME setup for your www subdomain, but are not actually using the Cloudflare proxy?

dig +trace +nodnssec www.kidlit.tv

; <<>> DiG 9.18.12-0ubuntu0.22.04.2-Ubuntu <<>> +trace +nodnssec www.kidlit.tv
;; global options: +cmd
kidlit.tv.              172800  IN      NS      ns2.bluehost.com.
kidlit.tv.              172800  IN      NS      ns1.bluehost.com.
;; Received 90 bytes from 2001:dcd:1::6#53(a.nic.tv) in 8 ms

www.kidlit.tv.          14400   IN      CNAME   www.kidlit.tv.cdn.cloudflare.net.
www.kidlit.tv.cdn.cloudflare.net. 60 IN A
;; Received 104 bytes from in 216 ms
dig +trace +nodnssec www.kidlit.tv.cdn.cloudflare.net

; <<>> DiG 9.18.12-0ubuntu0.22.04.2-Ubuntu <<>> +trace +nodnssec www.kidlit.tv.cdn.cloudflare.net
;; global options: +cmd
cloudflare.net.         172800  IN      NS      ns1.cloudflare.net.
cloudflare.net.         172800  IN      NS      ns2.cloudflare.net.
cloudflare.net.         172800  IN      NS      ns3.cloudflare.net.
cloudflare.net.         172800  IN      NS      ns4.cloudflare.net.
cloudflare.net.         172800  IN      NS      ns5.cloudflare.net.
;; Received 371 bytes from 2001:503:eea3::30#53(g.gtld-servers.net) in 24 ms

www.kidlit.tv.cdn.cloudflare.net. 300 IN CNAME  cloudflare-resolve-to.kidlit.tv.
;; Received 106 bytes from 2400:cb00:2049:1::adf5:3b1f#53(ns1.cloudflare.net) in 20 ms
dig +trace +nodnssec cloudflare-resolve-to.kidlit.tv

; <<>> DiG 9.18.12-0ubuntu0.22.04.2-Ubuntu <<>> +trace +nodnssec cloudflare-resolve-to.kidlit.tv
;; global options: +cmd
kidlit.tv.              172800  IN      NS      ns1.bluehost.com.
kidlit.tv.              172800  IN      NS      ns2.bluehost.com.
;; Received 108 bytes from 2001:dcd:2::6#53(b.nic.tv) in 28 ms

cloudflare-resolve-to.kidlit.tv. 14400 IN CNAME kidlit.tv.
kidlit.tv.              14400   IN      A
;; Received 90 bytes from in 228 ms
dig +short www.kidlit.tv

As the Bluehost nameservers in the first dig gave a Cloudflare IP, I assume you just changed that and the result is still proxied?

Anyway, your server does not offer a valid certificate for www.kidlit.tv:

curl https://www.kidlit.tv -v
*   Trying
* Connected to www.kidlit.tv ( port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=kidlit.tv
*  start date: Jun 24 22:40:34 2023 GMT
*  expire date: Sep 22 22:40:33 2023 GMT
*  subjectAltName does not match www.kidlit.tv
* SSL: no alternative certificate subject name matches target host name 'www.kidlit.tv'
* Closing connection 0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'www.kidlit.tv'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

If you want the www subdomain to work, you need a certificate for that domain.

Yes, you cannot edit an existing certificate. Delete the old one and create a new certificate that covers both kidlit.tv and www.kidlit.tv.
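The curl output above shows exactly why www fails: the origin presents a certificate with CN=kidlit.tv and a subjectAltName list that does not contain www.kidlit.tv, and curl (like browsers) matches the requested hostname against the DNS SANs only, never against the CN. The following is an added Python example, not code from the thread, that performs that same SAN check on certificate dicts in the shape `ssl.getpeercert()` returns. The three certificates are constructed: `ORIGIN_CERT` mirrors the curl output, `FIXED_CERT` is what a reissued certificate covering both names would look like, and `WILDCARD_CERT` models the wildcard option mentioned for Siteground. `fetch_cert` is an assumed helper for running the same check against a live server.

```python
"""SAN-based hostname matching, as curl and browsers apply it (RFC 6125).

Added illustration for the thread; the certificate dicts below are constructed
by hand in the shape Python's ssl.getpeercert() returns.
"""
import socket
import ssl

# Constructed from the curl output on the page: CN=kidlit.tv, SAN lists only the apex.
ORIGIN_CERT = {
    "subject": ((("commonName", "kidlit.tv"),),),
    "subjectAltName": (("DNS", "kidlit.tv"),),
}
# Constructed: a reissued certificate that covers both the apex and www.
FIXED_CERT = {
    "subject": ((("commonName", "kidlit.tv"),),),
    "subjectAltName": (("DNS", "kidlit.tv"), ("DNS", "www.kidlit.tv")),
}
# Constructed: a wildcard certificate; LE wildcards usually list the apex too.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.kidlit.tv"),),),
    "subjectAltName": (("DNS", "*.kidlit.tv"), ("DNS", "kidlit.tv")),
}


def _name_matches(pattern: str, host: str) -> bool:
    """Compare one SAN entry with the requested host (case-insensitive)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # A wildcard covers exactly one leftmost label: *.kidlit.tv matches
    # www.kidlit.tv but neither kidlit.tv nor a.b.kidlit.tv.
    if p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert: dict, host: str) -> bool:
    """True when some DNS SAN in the certificate matches host.

    The subject CN is deliberately not consulted: once a SAN extension is
    present, clients ignore the CN, which is why CN=kidlit.tv did not help
    www.kidlit.tv in the curl output.
    """
    sans = [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_name_matches(san, host) for san in sans)


def explain(cert: dict, host: str) -> str:
    """Human-readable verdict in the spirit of curl's error line."""
    sans = [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]
    if cert_covers(cert, host):
        return f"OK: '{host}' is covered by SAN list {sans}"
    return f"FAIL: no alternative certificate subject name matches target host name '{host}' (SANs: {sans})"


def fetch_cert(host: str, port: int = 443) -> dict:
    """Assumed helper: fetch a live server's certificate for inspection.

    The chain is still verified (CERT_REQUIRED), but hostname checking is
    turned off so that a mismatched-but-valid certificate, like the one in the
    thread, can be retrieved and inspected instead of aborting the handshake.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # diagnosis only; chain verification stays on
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for label, cert in (("origin", ORIGIN_CERT), ("fixed", FIXED_CERT), ("wildcard", WILDCARD_CERT)):
        for host in ("kidlit.tv", "www.kidlit.tv"):
            print(f"{label:9s} {explain(cert, host)}")
```

Running the script prints FAIL only for `origin` with `www.kidlit.tv`; `fetch_cert("www.kidlit.tv")` fed to `cert_covers` would reproduce curl's verdict against the live origin, and the same check against the apex name shows why setting WordPress to https://kidlit.tv still worked.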

According to Cloudflare, I have a Universal Edge certificate set up for www.kidlit.tv that expires 2023-09-06 (Managed).

I don’t think I have the option to add two domains (root and www) to a regular LE certificate on Siteground; I could only do two regular certificates or an LE Wildcard. I’m not allowed to do a wildcard as my DNS isn’t pointed at Siteground, and I can’t do www as it’s not pointed at Siteground and Bluehost gives me no way to do that.

It’s definitely possible that in trying to fix things I’ve made them worse! :frowning: Here’s what I’d like to achieve, if that helps:

  • Have all traffic routed through Cloudflare, and have the https://www.kidlit.tv domain be the primary domain. All https://kidlit.tv traffic should permanently route to www, so that it doesn’t show as duplicated content for Google.
  • I am totally okay moving all DNS to Cloudflare, if that’s what it takes, but I need to be able to keep the MX records pointed at Bluehost. Right now the only MX record in Bluehost is Host Record @, Points to mail.kidlit.tv - which I’m not sure will work once DNS changes to point to Cloudflare, so I’m worried about changing it. :frowning:

If this were to be set up from scratch, what would you recommend?

That only covers connections between the user and Cloudflare. You also need a certificate on your server to secure the connection from Cloudflare to your server.

That would be a limitation by Siteground. LetsEncrypt supports this.

That is correct.

That is incorrect. Whether you proxy the requests or not, they still reach Siteground, though it does require additional configuration in Cloudflare. A Configuration-Rule with an expression like (starts_with(http.request.uri.path, "/.well-known/acme-challenge/")) where you disable Automatic HTTPS Rewrites, Browser Integrity Check and probably a few of the other features as well.
And then a Cache Rule to bypass that path as well if you use Caching.

If Siteground allows you to upload your own certificate, you could also use a Cloudflare Origin Certificate, which only works when the proxy is enabled.

That depends. If you want all traffic proxied to Cloudflare, kidlit.tv needs to point to Cloudflare. With a CNAME setup, this is only possible if your DNS provider supports CNAME flattening. So moving your DNS to Cloudflare is not required if Bluehost supports this.

But as you don’t have a good reason for not moving your DNS to Cloudflare, it is probably a much easier solution. You can simply copy your existing Bluehost email records and add them in Cloudflare if they are not imported automatically. Those records usually are MX, TXT (SPF), TXT (DKIM) and TXT (DMARC).

Then, you would have to either create the Rules I mentioned to allow ACME challenges to reach your server and then create a certificate for www.kidlit.tv on Siteground, or use a Cloudflare Origin Certificate. The Origin Certificate is probably easier if Siteground allows you to upload your own certificate.

Next, you would create a Redirect Rule in Cloudflare to redirect kidlit.tv to www.kidlit.tv and you’re basically done.
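Two rule filters appear in this thread: the apex-to-www Redirect Rule from the first post (`lower(http.host) eq "kidlit.tv"` with the dynamic expression `concat("https://","www.kidlit.tv",http.request.uri.path)`) and the ACME-challenge bypass filter `starts_with(http.request.uri.path, "/.well-known/acme-challenge/")` from the last answer. The following is an added Python example, not code from the thread or from Cloudflare, that models how those two expressions classify a request. The evaluator is a toy covering only the functions the page uses (`lower`, `eq`, `concat`, `starts_with`), the sample URLs are constructed, and the `preserve_query` flag is an assumption standing in for a rule option that keeps the query string; `http.request.uri.path` by itself carries no query string, so the expression as written drops `?page=2` from the redirect target.

```python
"""Toy evaluator for the two Cloudflare rule expressions quoted in the thread.

Added illustration; it models only lower/eq/concat/starts_with over a parsed URL
and is not Cloudflare's ruleset engine. Sample requests are constructed.
"""
from urllib.parse import urlsplit

CANONICAL_HOST = "www.kidlit.tv"
ACME_PREFIX = "/.well-known/acme-challenge/"


def redirect_target(host: str, path: str, query: str = "", preserve_query: bool = False):
    """Evaluate the Redirect Rule from the first post.

    Filter:     (lower(http.host) eq "kidlit.tv")
    Expression: concat("https://", "www.kidlit.tv", http.request.uri.path)
    Returns (status, location), or None when the filter does not match.
    """
    if host.lower() != "kidlit.tv":
        return None  # www requests and any other host pass through untouched
    location = "https://" + CANONICAL_HOST + path
    # http.request.uri.path excludes the query string, so it only survives
    # when the rule is explicitly told to preserve it (assumed option).
    if preserve_query and query:
        location += "?" + query
    return 301, location


def is_acme_challenge(path: str) -> bool:
    """Filter from the last answer: starts_with(http.request.uri.path, ACME_PREFIX)."""
    return path.startswith(ACME_PREFIX)


def classify(url: str, preserve_query: bool = False) -> dict:
    """Run one request URL through both filters and report what each does."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # urlsplit already lower-cases the host
    return {
        "host": host,
        "acme_bypass": is_acme_challenge(parts.path),
        "redirect": redirect_target(host, parts.path, parts.query, preserve_query),
    }


if __name__ == "__main__":
    # Constructed sample requests: apex over http and https, www, and an ACME probe.
    for sample in (
        "http://kidlit.tv/",
        "https://KIDLIT.TV/books?page=2",
        "https://www.kidlit.tv/books?page=2",
        "http://kidlit.tv/.well-known/acme-challenge/token123",
        "http://www.kidlit.tv/.well-known/acme-challenge/token123",
    ):
        print(sample, "->", classify(sample))
```

Two things the run makes visible: the filter looks only at the host, so both http:// and https:// requests for the apex are redirected, which answers the question asked earlier in the thread; and the redirect fires for the apex's ACME path too, so a challenge for kidlit.tv itself ends up being fetched from www.kidlit.tv, and whether that validation succeeds depends on the origin serving the same challenge file under both names.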

