SSL Coverage: Site is not Secure Warning in Browser
If you are receiving an SSL warning in your browser when visiting your Club URL, please ensure that you are visiting your site without www in front of it.
Google Chrome automatically hides the www prefix in the address bar, so you'll need to click inside the address bar to check.
WWW is Being Phased Out Across the Web
In the earlier stages of the internet, www used to be required in order to browse the net. Today it is purely aesthetic and exists as a "subdomain", whereas your Top Level Domain, or TLD for short, is your normal URL without www in front of it. www is being phased out across the globe as an industry standard because it is an antiquated method of browsing the web.
Top Level Domain: yoursite.com
Subdomain: www.yoursite.com
No SSL Coverage for WWW
Why does this matter? Because of SSL coverage.
At Membersplash, we're pleased to offer free SSL certification through Let's Encrypt as part of our platform integration. However, Let's Encrypt (the SSL certificate issuer) imposes limits on the number of SSL certificates that can be issued per IP address. Regrettably, due to these restrictions and those of our hosting platform, we're only able to provide SSL coverage for Top-Level Domains (TLD).
Unfortunately, this means we cannot extend SSL coverage to subdomains, including the commonly used www subdomain (e.g., www.[exampledomain.com]). It's worth noting that the industry trend is moving away from using www prefixes, see: https://dropwww.com/why.
Nonetheless, we understand that this limitation may inconvenience users accustomed to typing www in their browser.
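The coverage gap described above comes down to which names appear in the certificate's Subject Alternative Name (SAN) list. The following is an added example, not Membersplash code: it checks a SAN list against the bare domain and its www name, and shows that a wildcard entry covers www but not the bare domain. The function names are hypothetical and the SAN lists are constructed samples using the page's yoursite.com placeholder.

```python
import socket
import ssl


def san_matches(hostname, san):
    """True if one SAN entry covers hostname. A '*' is honoured only as the
    whole left-most label, so it stands for exactly one label."""
    host = hostname.lower().rstrip(".").split(".")
    entry = san.lower().rstrip(".").split(".")
    if len(host) != len(entry):
        return False
    if entry[0] == "*":
        return host[1:] == entry[1:]
    return host == entry


def coverage_report(domain, san_list):
    """Map the bare domain and its www name to whether san_list covers each."""
    names = (domain, "www." + domain)
    return {n: any(san_matches(n, s) for s in san_list) for n in names}


def fetch_sans(host, port=443, timeout=5.0):
    """Return the DNS names in the certificate a live server presents.
    The chain is still verified; only the hostname check is skipped so a
    certificate that does not match host can be read instead of rejected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # Constructed SAN lists; yoursite.com is the page's placeholder domain.
    samples = {
        "bare domain only": ["yoursite.com"],
        "wildcard only": ["*.yoursite.com"],
        "both names listed": ["yoursite.com", "www.yoursite.com"],
    }
    for label, sans in samples.items():
        print(label, coverage_report("yoursite.com", sans))
```

To inspect a live site, pass the list returned by fetch_sans for your own domain as san_list.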
What can you do?
To address this issue, we recommend informing your users and letting them know the best way to reach your site is by typing the domain in the browser without the www.
Additionally, we suggest taking steps to ensure that any SEO-related links in search engines reference your URL without the www prefix.
For those of our customers who are wondering why and wanting more details about this, we're happy to provide further clarification regarding the SSL limitations, as it's a somewhat paradoxical situation.
No Way Around the SSL Limitation
We've often been asked: why can't we just install custom certificates or issue wildcard certificates?
The answer is the combination of our hosting platform's constraints and Let's Encrypt's limitations.
Hosting Platform Limitations & Let's Encrypt SSL Limit and How That Affects SSL Coverage
Our hosting platform faces constraints that prevent us from issuing wildcard SSL certificates for our clubs' domains, which would otherwise cover the www subdomains within our Multi-Site network. This limitation stems from Let's Encrypt's SAN and issuance policy (https://letsencrypt.org/docs/rate-limits/), which allows up to 100 names per certificate / IP Address. Unfortunately, our current hosting platform only permits the use of one certificate per application.
Once this certificate slot is utilized, we're unable to add additional certificates for different domain names alongside the Let's Encrypt SSLs. Consequently, this eliminates the possibility of installing custom domain SSL certificates for our customers in conjunction with the FreeSSL option. We would either have to force ALL of our customers to purchase a dedicated and custom SSL or we can offer them the free option (with its limits), and this is the path we chose.
We could technically issue wildcard SSL certificates up to the cap, but even if we did (we've tested this), the current hosting platform does not give us sufficient domain slots per application to accommodate them. We've reached out to our host about this, and they've informed us that there is no possible workaround.
Will this ever change in the Future?
We do have future plans to explore alternative hosting providers as part of our platform expansion efforts. However, it's important to note that this is a significant undertaking, and as of now, we don't have an estimated time of arrival (ETA) for this initiative. There is still much to be considered and our priority is supporting our current customers within the current infrastructure and improving Membersplash.
Rest assured, improving the hosting platform is a priority for us, but it's a complex process that requires careful planning and execution. Even once the decision is made and the plan is in place, it's not something that would have an immediate impact here.
Therefore, we appreciate your understanding in this matter, considering the current available options for SSL and the industry standards regarding www (https://dropwww.com/why). Thank you for your understanding and support. We are here to help answer any additional questions you may have.
I'm not using WWW and I'm still getting the Not Secure Warning in the Browser
If you are not using the www version of your domain, have tried clearing your cache and opening a new browsing session, and are still getting the Not Secure warning when visiting your URL, please Open a Ticket with our Support. We are happy to help!