I have one domain with 3 subdomains:
- example.com (main domain)
- api.example.com
- blog.example.com
- support.example.com (just a CNAME to point to Zendesk)

And I have these 3 configurations on my Nginx:
api

    # HTTP server
    server {
        listen 80;
        server_name api.example.com;
        return 301 https://api.example.com$request_uri;
    }

    # HTTPS server
    server {
        ssl on;
        listen 443;
        server_name api.example.com;
        ssl_certificate APIcert.crt;
        ssl_certificate_key APIcert.key;
        #root configuration.....
    }

blog

    server {
        listen 80;
        server_name blog.example.com;
        root /var/www/blog;
        index index.php index.html index.htm;
    }

site/main domain

    server {
        listen 80;
        listen 443 ssl;
        server_name www.example.com;
        return 301 https://example.com$request_uri;
        location ~ \.(php|html)$ {
            deny all;
        }
    }

    server {
        listen 80;
        server_name example.com;
        return 301 https://example.com$request_uri;
        location ~ \.(php|html)$ {
            deny all;
        }
    }

    server {
        ssl on;
        listen 443 ssl;
        ssl_certificate mycert.crt;
        ssl_certificate_key mycert.key;
        server_name example.com;
        root /var/www/frontend;
        .....
    }

MY PROBLEM:
- The subdomain api.example is OK!
- The main domain http://example.com and https://example.com is OK!
- If I try to access the main domain with www over HTTP, the browser redirects correctly to https://example.com. But when I try to access the main domain with www and HTTPS, https://www.example.com, the browser tries to access the SSL cert from api.
- And after I try to access the main domain and get redirected to HTTPS, my other subdomains that don't have HTTPS are redirected to HTTPS and show an error, because they try to use the SSL cert from api.
- Example: if I try to access http://blog.example.com, Firefox redirects to https://blog.example.com and shows an SSL error.
- This is a video showing this problem
- The domain is online, you can test on http://blog.alooga.com.br, http://alooga.com.br

Your web server is set up with

    Strict-Transport-Security max-age=16070400; includeSubdomains

This will tell the web browser to request your domain using https only. If you want the subdomain blog to be accessed through insecure http, you will need to remove includeSubdomains from the HTTP Strict Transport Security (HSTS) and use a different browser (or clear your Firefox).

https://www.ssllabs.com/ssltest/analyze.html?d=alooga.com.br