Forum Discussion
Secure www to Secure NON www
Hello all. Here is my conundrum. I need to be able to redirect a https://www.domain.com request to https://domain.com. I have an iRule in place and it's working; however, the end user receives a cert warning when the redirect happens saying that the "www" is not valid because the cert is not for that domain name. Though the end user can continue on by accepting the warning message, the customer does not want this to be prompted, and I don't really blame them. Anyway, I thought my problem was the iRule and found out, in a different post, that the SSL handshake happens before the iRule goes into effect, so my iRule redirect is correct. Originally we were using a wildcard SSL cert on this site's VIP, "*.domain.com"; however, I've since gotten the actual domain.com cert, installed it in the LTM, set up the Client and Server SSL profiles and assigned those profiles to the VIP. But the end user receives the same message. The back-end server is IIS, actually a SharePoint 2010 farm. I've also changed the binding in IIS to use the domain-specific cert vs. the wildcard, but when the redirect happens to the non-www they get a cert warning saying it's requesting a non-www on a www cert. Make sense? I'm at a loss at this point; any suggestion on what I might be missing here?
Thanks, Bob
6 Replies
- Kevin_Stewart
Employee
None of the server-side SSL handshake stuff will be visible to the client, unless the BIG-IP and server cannot successfully negotiate SSL. The error that the client is seeing is most likely because the subject of the certificate presented to the client during its handshake with the BIG-IP is not the same server name that the client asked for. There's very little you can do to mitigate this other than getting a server certificate that matches the name the client is using.
- Bob_10976
Nimbostratus
Thanks again Kevin.
Is moving back to the wildcard cert an option, maybe at least in the interim? Otherwise, like Kevin said, you'll need to get a new cert with the correct subject.
- Bob_10976
Nimbostratus
They are currently using the wildcard. I'm looking into a different cert with the correct subjects. Thanks
- JRahm
Admin
If you have both certificates, *.domain.com and domain.com, you can use TLS SNI to switch SSL profiles and this error will be invisible. This of course requires that all your clients honor TLS SNI, which most do, though a notable exception is any IE version on XP.
- Bob_10976
Nimbostratus
Thanks Jason. I actually got it resolved by adding the Subject Names to the *.domain.com cert. Thanks for replying, though; it's good to know, in case we run into this again, that that might be an option.
Thanks, Bob
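The mismatch Kevin describes, and the SAN-based fix Bob ended up with, come down to how a client matches the name it asked for against the names on the certificate. The script below is an added example for this thread (it is not BIG-IP or DevCentral code) that applies the RFC 6125 wildcard rule, which is why "*.domain.com" covers www.domain.com but never the bare domain.com, and then walks the two hops of the redirect the way a browser sees them. The certificate name lists, profile names and hostnames are constructed for illustration; `select_cert_by_sni` is a hypothetical stand-in for the SNI-driven profile switch JRahm mentions, not the iRule itself.

```python
"""Hostname vs. certificate-name matching for the www -> bare-domain redirect.

Added example for this thread; not BIG-IP code. Certificate contents
below are constructed SAN lists, not real certificates. Matching follows
RFC 6125 section 6.4.3: '*' must be the whole left-most label and stands
for exactly one label, so "*.domain.com" matches "www.domain.com" but
not "domain.com" or "a.b.domain.com".
"""
from __future__ import annotations


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if one DNS name from a certificate covers the requested hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only a whole-label wildcard in the left-most position is honoured,
    # and it needs at least two fixed labels after it ("*.com" is rejected).
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    # The wildcard stands for exactly one label, never zero or several.
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert_names: list[str], hostname: str) -> bool:
    """True if any dNSName (or CN fallback) on the certificate matches."""
    return any(hostname_matches(name, hostname) for name in cert_names)


def redirect_check(cert_names: list[str], request_host: str, redirect_host: str):
    """Simulate the browser's view of the www -> bare-domain redirect.

    Returns the hostname the client will see a certificate warning for,
    or None if both hops verify. The redirect is only seen after the first
    handshake succeeds, so the first hop is checked first.
    """
    for host in (request_host, redirect_host):
        if not cert_covers(cert_names, host):
            return host
    return None


def select_cert_by_sni(cert_profiles: dict[str, list[str]], sni_host, default: str) -> str:
    """Pick the client-SSL profile whose certificate covers the SNI name.

    Hypothetical model of the TLS-SNI profile switch suggested in the
    thread. Clients that send no SNI get the default profile, which is why
    every client must honour SNI for the warning to go away completely.
    """
    if sni_host is None:
        return default
    for profile, names in cert_profiles.items():
        if cert_covers(names, sni_host):
            return profile
    return default


# Constructed certificate contents (SAN lists); not real certificates.
WILDCARD_ONLY = ["*.domain.com"]
WILDCARD_PLUS_APEX = ["*.domain.com", "domain.com"]

if __name__ == "__main__":
    # Wildcard-only cert: the second hop (domain.com) triggers the warning.
    print(redirect_check(WILDCARD_ONLY, "www.domain.com", "domain.com"))
    # Wildcard cert with domain.com added as a SAN: both hops verify.
    print(redirect_check(WILDCARD_PLUS_APEX, "www.domain.com", "domain.com"))
    profiles = {"clientssl_wild": ["*.domain.com"], "clientssl_apex": ["domain.com"]}
    print(select_cert_by_sni(profiles, "domain.com", "clientssl_wild"))
    print(select_cert_by_sni(profiles, None, "clientssl_wild"))
```

Running it prints `domain.com` for the wildcard-only certificate (the name the warning names) and `None` once the apex name is on the certificate, which is exactly the difference between Bob's original VIP and his resolved one. The last two lines show the SNI approach's limit: a client that sends no SNI falls through to the default profile, so the warning returns for that client.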