How to Properly Configure Nginx HTTPS Redirects from Old Domain to New Domain Without Certificate Errors


2 views

When migrating domains with HTTPS enforcement, a common pitfall is creating redirects that trigger certificate warnings. This occurs because:

  • The old domain's SSL certificate is either expired or not present
  • Nginx attempts SSL handshake before processing redirect rules
  • Browser security policies block mixed-content scenarios

Here's the proper way to handle this in your Nginx configuration:

# Old domain configuration - must maintain valid SSL certificate
server {
    listen 443 ssl;
    server_name www.myolddomain.se myolddomain.se;
    
    # Maintain old SSL certificate during transition period
    ssl_certificate /path/to/old_domain.crt;
    ssl_certificate_key /path/to/old_domain.key;
    
    # Permanent redirect with URI preservation
    return 301 https://www.mynewdomain.se$request_uri;
}

# HTTP to HTTPS redirect for old domain
server {
    listen 80;
    server_name www.myolddomain.se myolddomain.se;
    return 301 https://www.myolddomain.se$request_uri;
}

Three critical elements often missed:

1. Maintain old SSL certificates during transition
2. Explicit 443 port declaration for HTTPS
3. Proper server_name matching with/without www

For complex migrations:

# Redirect specific paths with regex
location ~ ^/legacy-path/(.*)$ {
    return 301 https://www.mynewdomain.se/new-path/$1;
}

# Preserve query parameters
if ($args) {
    return 301 https://www.mynewdomain.se$request_uri?$args;
}

Always verify with:

  • sudo nginx -t (configuration test)
  • curl -vI https://www.myolddomain.se (header inspection)
  • SSL Labs test (https://www.ssllabs.com/ssltest/)
  • Forgetting to renew old domain certificates
  • Missing www/non-www variants in server_name
  • Chain certificate issues (ensure fullchain.pem is used)
  • DNS cache issues during testing

When migrating domains with enforced HTTPS, the main challenge isn't just the redirect itself - it's maintaining security during the transition. The certificate error occurs because Nginx attempts to establish an SSL connection before processing the redirect, but the old domain's certificate is either invalid or unavailable.

Here's the full server block configuration you need for both HTTP and HTTPS traffic:

# HTTP to HTTPS redirect for old domain
server {
    listen 80;
    server_name myolddomain.se www.myolddomain.se;
    return 301 https://www.mynewdomain.se$request_uri;
}

# HTTPS handling with proper certificate
server {
    listen 443 ssl;
    server_name myolddomain.se www.myolddomain.se;
    
    # Keep the old SSL certificate active during transition
    ssl_certificate /path/to/old_domain.crt;
    ssl_certificate_key /path/to/old_domain.key;
    
    # The actual redirect
    return 301 https://www.mynewdomain.se$request_uri;
}

1. You must maintain the old SSL certificate during the transition period (typically 30-90 days)
2. The $request_uri preserves query strings and paths
3. Both naked domain and www subdomain should be handled
4. The 301 status ensures SEO value passes to the new domain

For more complex migrations where you need to preserve specific paths or parameters:

server {
    listen 443 ssl;
    server_name myolddomain.se;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
    
    location /special-page {
        return 301 https://www.mynewdomain.se/new-special-page;
    }
    
    location / {
        return 301 https://www.mynewdomain.se$request_uri;
    }
}

After implementation, verify with these commands:
curl -I http://myolddomain.se
curl -Ik https://myolddomain.se
Both should return 301 status with Location header pointing to the new domain.