welcome to WebmasterWorld [webmasterworld.com], karlsult7!

what have you tried so far?

I tried lots of different .htaccess code:

RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://www.mydomain.com/$1 [R=301,L]

RewriteCond %{HTTP_HOST} ^mydomain.com$
RewriteRule ^(.*)$ https://www.mydomain.com/$1 [R=301,L]

and this:

RewriteCond %{HTTP_HOST} !^www\. [NC,OR]
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://www.%1%{REQUEST_URI} [R=301,L,NE]

and this

RewriteCond %{HTTP_HOST} ^mydomain.com$
RewriteRule (.*) https://www.mydomain.com$1 [R=301,L]

and a few more.

Of course in these code I replaced mydomain.com with my actual domain name.

I contacted my hosting account where I bout the ssl via live chat about 10 times, they don't know. Now I emailed them perhaps
on live chat they don't do technical support.

Thanks

RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://www.mydomain.com/$1 [R=301,L]

RewriteCond %{HTTP_HOST} ^mydomain.com$
RewriteRule ^(.*)$ https://www.mydomain.com/$1 [R=301,L]

this is closest to what you want.

i would modify this by combining the two into one ruleset and stating the hostname test as "not exactly canonical":

RewriteCond %{HTTPS} !=on [OR]
RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$ [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]

in most cases this should be the last external redirect and should be placed before any internal rewrites.
the ()? or the [NC] may or may not be necessary on your server but it can't hurt.

I added it on top, this is my .htaccess file, for me if I go to my website https://example.com it still does not redirect to the www version, it just certificate error.

# BEGIN WpFastestCache
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} !=on [OR]
RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$ [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
# Start WPFC Exclude
# End WPFC Exclude
# Start_WPFC_Exclude_Admin_Cookie
RewriteCond %{HTTP:Cookie} !wordpress_logged_in_[^\=]+\=jcksrl
# End_WPFC_Exclude_Admin_Cookie
RewriteCond %{HTTP_HOST} ^www.example.com
RewriteCond %{HTTP_USER_AGENT} !(facebookexternalhit|WhatsApp|Mediatoolkitbot)
RewriteCond %{REQUEST_METHOD} !POST
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} !(\/){2}$
RewriteCond %{REQUEST_URI} \/$
RewriteCond %{QUERY_STRING} !.+
RewriteCond %{HTTP:Cookie} !wordpress_logged_in
RewriteCond %{HTTP:Cookie} !comment_author_
RewriteCond %{HTTP:Cookie} !wp_woocommerce_session
RewriteCond %{HTTP:Cookie} !safirmobilswitcher=mobil
RewriteCond %{HTTP:Profile} !^[a-z0-9\"]+ [NC]
RewriteCond %{DOCUMENT_ROOT}/wp-content/cache/all/$1/index.html -f [or]
RewriteCond /home3/santu2qw/public_html/example.com/wp-content/cache/all/$1/index.html -f
RewriteRule ^(.*) "/wp-content/cache/all/$1/index.html" [L]
</IfModule>
<FilesMatch "index\.(html|htm)$">
AddDefaultCharset UTF-8
<ifModule mod_headers.c>
FileETag None
Header unset ETag
Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires "Mon, 29 Oct 1923 20:30:00 GMT"
</ifModule>
</FilesMatch>
# END WpFastestCache
# BEGIN GzipWpFastestCache
<IfModule mod_deflate.c>
AddType x-font/woff .woff
AddType x-font/ttf .ttf
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE font/opentype font/ttf font/eot font/otf
</IfModule>
# END GzipWpFastestCache
# BEGIN LBCWpFastestCache
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|webp|js|css|swf|x-html|css|xml|js|woff|woff2|ttf|svg|eot)(\.gz)?$">
<IfModule mod_expires.c>
AddType application/font-woff2 .woff2
ExpiresActive On
ExpiresDefault A0
ExpiresByType image/webp A2592000
ExpiresByType image/gif A2592000
ExpiresByType image/png A2592000
ExpiresByType image/jpg A2592000
ExpiresByType image/jpeg A2592000
ExpiresByType image/ico A2592000
ExpiresByType image/svg+xml A2592000
ExpiresByType text/css A2592000
ExpiresByType text/javascript A2592000
ExpiresByType application/javascript A2592000
ExpiresByType application/x-javascript A2592000
ExpiresByType application/font-woff2 A2592000
</IfModule>
<IfModule mod_headers.c>
Header set Expires "max-age=2592000, public"
Header unset ETag
Header set Connection keep-alive
FileETag None
</IfModule>
</FilesMatch>
# END LBCWpFastestCache

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress
# Use PHP71 as default
AddHandler application/x-httpd-php71 .php
<IfModule mod_suphp.c>
 suPHP_ConfigPath /opt/php71/lib
</IfModule>

Thanks

[edited by: phranque at 1:00 pm (utc) on May 19, 2018]
[edit reason] Please Use example.com [webmasterworld.com] [/edit]

if I go to my website https://example.com it still does not redirect to the www version, it just certificate error

that's not a mod_rewrite problem.
when you request a url starting with https: the browser does the secure (TLS) handshake before the request is sent to the server.
you have to get your secure certificate problem figured out with your host first.

Make sure to redirect http://example.com to https://example.com before https://www.example.com

[edited by: not2easy at 4:04 pm (utc) on May 19, 2018]
[edit reason] Please. Use example.com Please. [/edit]

Make sure to redirect

Using mod_rewrite, it can and should be done in a single step, hence the two [OR]-delimited conditions.

Also, be sure to read the boilerplate about using “example.com”. There’s a reason for it. In some cases, like the present one, two reasons.

There are other Rewrite Rules after the canonical, inserted by WP plugins. The canonical should be the last rule before that ending WP snippet. I would consult the host as phranque suggested and make certain that the WP Settings file is also updated.

that's not a mod_rewrite problem.
when you request a url starting with https: the browser does the secure (TLS) handshake before the request is sent to the server.
you have to get your secure certificate problem figured out with your host first.

This means I need 2 ssl certificates, one for the www version, which I already have and another one for the non www version. Correct?

Thanks

You should not be able to access the non www version if you have properly applied a 301 rewrite to the http non-www version. If you can visit http://example.com that means that your rewrite rule is not being applied. This can happen if it is the first of several rewrite rules. It can also happen if the Settings file has not been updated to show the correct URL for your preferred domain with the new protocol.

Make sure to redirect http://example.com to https://example.com before https://www.example.com

Using mod_rewrite, it can and should be done in a single step

^^^this...^^^

There are other Rewrite Rules after the canonical, inserted by WP plugins. The canonical should be the last rule before that ending WP snippet.

the hostname canonicalization redirect should occur before both the /wp-content/cache/ internal rewrite and the standard WP rewrite snippet.

You should not be able to access the non www version if you have properly applied a 301 rewrite to the http non-www version.

you need to access the non-www server in order to respond with the redirect to www.

You should not be able to access the non www version if you have properly applied a 301 rewrite to the http non-www version.

I should clarify - what I meant by accessing the http non-www version was actually viewing or landing on that URL as a destination.

you need to access the non-www server in order to respond with the redirect to www

I think the idea was that if someone requests http://example.com, you redirect them to https://www.example.com. If they're requesting https://example.com out of the blue, when your site has always used www (and, until recently, was http) ... well, then they're intentionally requesting a nonexistent form of the sitename and they deserve everything they get. Or don't get, as the case may be. So far, people--or robots--don't just walk in and request https without first trying http.* In a few years' time, they probably will.

Do example.com and www.example.com really require paying for two separate certificates? I thought it was another of those situations where with-and-without www are treated as the same thing unless you've given specific instructions to the contrary. The free ones from Let's Encrypt definitely cover both forms; I don't have two separate certificates for each HTTPS site.


* My test site affords a crude but useful metric: the http logs are typically at least twice the size of https logs, because that's where the blocked robots are coming in.

It may seem that way. Why do an extra redirext? It's the proper way. Each subdomain is a different "domain" and by 301 redirecting the non www version to [www....] It is saying 301 to my other domain, instead of this host is HTTPS. To avoid the additional redirext, look into using HSTS

www is not a “different domain”. Yes, it is technically possible to set things up so example.com and www.example.com are entirely different sites, living on different servers, administered by different people, serving different content ... but that is not the way the internet works.

I looked up among places actually selling security certificates, which seemed more useful than reading informational articles. (This is not something one hears every day.) The very first place I checked says unambiguously for their baseline certificate “Secures both www.example.com and example.com”. Conversely, there’s a discussion from about two years ago at serverfault dot com [serverfault.com] about whether anything-in-the-world.example.com includes, or should include, example.com (where anything-in-the-world is nothing). It would admittedly be a little ridiculous if you sprang for a wild-card certificate and then still had to buy an additional one for the bare root--but that seems to be some people's reported experience.

[quote]you have to get your secure certificate problem figured out with your host first.[/quote]

Ok I got that solved, I have a multi ssl certificate so I just added the hostname without www like this https:/[smilestopper]/example.com.

Now to redirect all visitors to the https version of the website from any:

http://
http://www

is this .htaccess code correct:

RewriteEngine On
RewriteBase /
RewriteCond %{HTTPS} =on
RewriteCond %{HTTP_HOST} ^www.example.com

Thanks

is this .htaccess code correct:

the correct directives are in my second post in this thread...

RewriteCond %{HTTPS} !=on [OR]
RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$ [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]

Thanks a lot.