I run the SOP creation and implementation website Way We Do. It is a multi-tenanted website in as far as each company that signs up chooses their own subdomain and can customize the branding. During the sign up process, we had to be very clear to the non-technical user exactly what choosing a subdomain was and what it meant. We think we have now minimised the confusion surrounding this but I recently received an email from Google Webmaster Tools adding a twist to the problem:

It appears that even though out users were understanding what choosing a subdomain meant, they couldnt help themselves typing ‘www’ before the reset of their chosen URL. Now even though we own a wildcard SSL certificate for *.waywedo.com, this does not really mean wildcard-as-in-anything-before-the-domain-part. It just means any subdomain name and a sub-subdomain requires a different certificate. Unfortunately the result is a nasty certificate error for any user who unknowingly adds the www on the front of their subdomain.

The fix is fairly easy – a 301 redirect via .htaccess or IIS url rewrite. We use IIS and so this means adding the following to the web.config:

<rule name="Redirect sub-subdomain" stopProcessing="true">
    <match url="(.*)" />
    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
        <add input="{HTTP_HOST}" pattern="^www\.(.*)\.YOURDOMAIN\.com$" />
    </conditions>
    <action type="Redirect" url="https://{C:1}.YOURDOMAIN.com/{R:1}" redirectType="Permanent" />
</rule>

As long as a user does not type https before the www, their mistyped url should now be redirected seamlessly to the correct url without the nasty certificate error.