HTTPS redirection with Nginx & Let’s Encrypt from root domain (apex or naked) to ‘www’ subdomain

Nicolas Girault
Published in lalilo, Sep 29, 2017 (2 min read)

EDIT: I no longer recommend following this article. After using the Ansible script below for 2 years, it seems that the certificate renewal is not working properly. We finally migrated the DNS handling to Route 53 without downtime by following this article: https://lobster1234.github.io/2017/05/10/migrating-a-domain-to-amazon-route53/. My worry about downtime was unfounded and the procedure is super simple.

Reality is sometimes hard to admit: in 2017 there is still no way to add a CNAME record to a root domain. This is all the more annoying now that cloud solutions are used more and more. Today, a common scenario would be to put a landing page in an AWS S3 bucket (or equivalent) with a CloudFront distribution in front of it, and add a DNS record that points the domain name at the distribution. This is unfortunately not possible with a CNAME on the apex.

My first try was to use the forwarding feature available on godaddy.com. It worked well for HTTP forwarding but not for HTTPS.

The most complete explanation I found, with an exhaustive list of workarounds, is here:

https://stackoverflow.com/questions/16533341/https-redirect-from-root-domain-i-e-apex-or-naked-to-www-subdomain-withou#answer-16533725

I could have transferred the domain name to Amazon Route 53 and followed this solution, http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-cloudfront-distribution.html, but I was worried about downtime.

Although the Stack Overflow answer recommends that you “Use a DNS host that allows you to set an alias”, I couldn’t find how to do this and decided to set up my own forwarding server.

It takes around 10 minutes to set up with the following steps:

  1. Get a server instance with an IP (I created the cheapest AWS EC2 instance, but an even cheaper solution would be to create a VPS on OVH, for example). My instance is an Ubuntu 16.04 Server and the following steps are only tested on this server. The next steps are run from your host, not from this server.
  2. Install Ansible (http://docs.ansible.com/ansible/latest/intro_installation.html): `pip install ansible` (you can use another tool to install Nginx & Let’s Encrypt, but you’ll have to adjust the configuration files).
  3. Clone this repository: https://github.com/lalalilo/https-nacked-to-www
  4. Adjust the variables in inventories/production
  5. Add an A record for @ with the IP of your server at your domain registrar (you’ll have a few seconds of downtime). This step must be done before step 6 so that Let’s Encrypt can perform its challenge against the new server.
  6. Run the playbook: `ansible-playbook playbook.yml -i inventories/production`

This will install Nginx and Let’s Encrypt on the server and redirect https://example.com to https://www.example.com.
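As an added example (not the repository's playbook or its templates), this is the shape of the Nginx configuration the playbook has to produce for the redirect to work and for Let’s Encrypt renewals to keep succeeding; `example.com` and the certbot certificate paths are assumptions.

```nginx
# Added example, not the repository's own config.
# Assumes the domain example.com and certbot's default certificate paths.

server {
    listen 80;
    listen [::]:80;
    server_name example.com;

    # The HTTP-01 challenge must be answered over plain HTTP on the apex
    # *before* any redirect, or issuance and renewal both fail.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # webroot passed to certbot
        default_type "text/plain";
    }

    # Everything else goes straight to the canonical HTTPS host.
    location / {
        return 301 https://www.example.com$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols       TLSv1.2;     # drop legacy protocol versions

    # $request_uri keeps the path and query string, so deep links survive.
    return 301 https://www.example.com$request_uri;
}
```

To check it, `curl -I https://example.com/some/path?x=1` should return `301` with `Location: https://www.example.com/some/path?x=1`, and `curl -I http://example.com/.well-known/acme-challenge/test` should not redirect (a 404 from the webroot is the expected answer when no challenge file is present).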

Did you like this article? You could consider joining our ever-growing tech team! https://www.lalilo.com/jobs.html
