SSL Redirection: How to redirect with HTTPS

Michel Bardelmeijer

Michel Bardelmeijer is Tech Lead and Sales at redirect.pizza, where he helps DevOps and IT teams solve domain redirect challenges at scale. Michel has guided organizations like SD Worx, Zurich Airport and Harvard through complex redirect scenarios involving thousands of domains.


SSL redirection gets complicated when old domains lose their certificates. You set up a 301 redirect from your old HTTPS domain to a new one, and it works fine for months. Then the SSL certificate on the old domain expires, and every visitor hits a browser security warning instead of being redirected. Bookmarks break, search engine rankings drop, and traffic disappears.

This page explains why HTTPS redirects break, how the SSL/TLS handshake creates this problem, and how to redirect with HTTPS using a DNS-based approach that handles SSL certificates automatically.


Key Takeaways

  • When an SSL certificate on a redirected domain expires, browsers block the connection before the redirect can execute. Visitors see an error page instead of reaching your new domain.
  • Traditional redirect services only handle HTTP traffic. If someone visits the HTTPS version of your old domain, the redirect breaks.
  • redirect.pizza automatically provisions and renews Let's Encrypt certificates for every source domain, so HTTPS redirects keep working without manual certificate management.
  • Setting up an HTTPS redirect takes three steps: create an account, add your redirect, and update your DNS records. No hosting or server configuration required.
  • If you are migrating domains, always use 301 redirects to permanently transfer your search engine rankings to the new domain.

Quick refresher: redirect types

A redirect sends visitors and search engines from an old URL to a new one. The two types you need to know: 301 redirects for permanently moved pages and 302 redirects for temporary moves. Our 301 vs 302 comparison breaks down when to use each type. For a broader overview of how redirects fit into domain management, see our complete guide to URL redirects.


The benefits of using HTTPS

HTTPS encrypts the connection between a visitor's browser and your website. Most modern websites use it by default, and search engines actively penalize sites that do not. Here is the short version of why it matters:

Search engines want to ensure that their users experience the highest level of security possible. Therefore, websites that use HTTPS are ranked higher by search engines, resulting in improved findability. 

Privacy legislation, such as the GDPR, has expedited the rise in SSL-encrypted websites. Forms completed on your website that contain personal data, along with website preferences (like filter preferences), are encrypted in transit between the visitor's browser and your server.

An HTTPS website uses an encrypted connection. This makes it harder for cyber criminals to intercept or tamper with the traffic and inject their own malicious code.

A padlock symbol in your browser gives the visitor a sense of security and professionalism. Since SSL is becoming more commonplace, the absence of a padlock symbol raises a flag with some security-aware visitors. So, the question is: can you really afford to NOT use SSL?

Why SSL redirects break

HTTPS adds a layer of complexity to redirects that most teams do not anticipate. When you redirect an old domain to a new one, the browser first performs an SSL/TLS handshake with the old domain's server. Only after that handshake succeeds does the server respond with the 301 redirect. If the certificate on the old domain is expired or missing, the browser kills the connection and the redirect never executes.

For a technical breakdown of this process, see Why HTTPS Redirects Break (And How DNS Fixes It).

This is where organizations lose traffic. Search engines still index the HTTPS version of your old domain. Visitors have it bookmarked. Marketing materials and backlinks still point to it. When the SSL certificate expires, all of those links turn into browser error pages instead of redirecting to your new domain. Search engines will eventually drop those URLs from their index, taking your ranking history with them.

"Most teams don't realize the redirect itself requires a valid certificate on the source domain," says Michel Bardelmeijer, Tech Lead at redirect.pizza. "You can have a perfect 301 redirect configured, but if the SSL handshake fails, the browser never even sees it. That is where organizations lose traffic from old domains."

Most traditional redirect services do not issue SSL certificates for the source domain. In the past, a simple DNS "catch all" redirect would work. But now that browsers enforce HTTPS by default, you need a valid SSL certificate on every domain that serves traffic, including domains that only exist to redirect.
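A monitoring check for the failure described in this section, as an added example that is not redirect.pizza's own code: it performs the verified TLS handshake first, then reads the redirect without following it, and reports which stage breaks. The host names in the usage comment and the `WARN_DAYS` threshold are assumptions.

```python
import http.client
import ssl
import sys
from datetime import datetime, timezone

WARN_DAYS = 21  # assumed alert threshold, tune to your renewal cycle

def days_left(not_after, now):
    """Whole days until a certificate's notAfter (string format of getpeercert())."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days

def classify(tls_error, not_after, status, location, expected, now):
    """Turn one probe result into a verdict; checks follow the browser's order."""
    if tls_error:  # handshake failed: the browser never sees the 301
        return f"BROKEN: TLS handshake failed ({tls_error})"
    if status not in (301, 302, 307, 308):
        return f"BROKEN: handshake OK but got HTTP {status}, not a redirect"
    if not (location or "").startswith(expected):
        return f"BROKEN: redirects to {location!r}, expected {expected!r}"
    remaining = days_left(not_after, now)
    if remaining < WARN_DAYS:
        return f"WARN: redirect works, certificate expires in {remaining} days"
    return f"OK: {status} -> {location}"

def probe(host, timeout=5.0):
    """Live check: verified handshake, then one HEAD request, no redirect following."""
    ctx = ssl.create_default_context()  # verifies chain, hostname and validity dates
    conn = http.client.HTTPSConnection(host, timeout=timeout, context=ctx)
    try:
        conn.request("HEAD", "/")  # connects and handshakes before sending
        not_after = conn.sock.getpeercert()["notAfter"]
        resp = conn.getresponse()
        return None, not_after, resp.status, resp.getheader("Location")
    except ssl.SSLError as exc:  # includes expired or mismatched certificates
        return str(exc), None, None, None
    finally:
        conn.close()

if __name__ == "__main__":
    # usage (placeholder names): python check_redirect.py old.example https://new.example/
    host, expected = sys.argv[1], sys.argv[2]
    print(host, classify(*probe(host), expected, datetime.now(timezone.utc)))
```

Run it on a schedule against every source domain that only exists to redirect, and alert on any line that does not start with `OK`.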


Common scenarios where HTTPS redirects fail

Apex to subdomain: Your hosting provider issues the SSL certificate for www.example.com but not for the apex domain (example.com without www). Visitors typing the bare domain hit an SSL error. redirect.pizza handles this automatically and provisions an SSL certificate for the apex domain.

Registrar forwarding limitations: Domain registrars like GoDaddy and Namecheap offer built-in URL forwarding, but their HTTPS support is limited. If you are running into issues with registrar-based forwarding, we have dedicated guides:

  • GoDaddy forwarding with HTTPS
  • Namecheap forwarding with HTTPS

Legacy domain portfolios: After rebrands, acquisitions, or migrations, organizations often have dozens of old domains that still receive traffic. Manually maintaining SSL certificates for each one is expensive and error-prone.

How redirect.pizza solves HTTPS redirection

redirect.pizza is a DNS-based redirect service with built-in Automatic HTTPS. When you add a source domain, redirect.pizza automatically provisions a Let's Encrypt SSL certificate for it. The certificate renews automatically, so your HTTPS redirects keep working indefinitely without manual intervention.

This works differently from server-based solutions like .htaccess or Nginx redirects, which require you to maintain hosting and certificates on the source domain. With redirect.pizza, you point your DNS records to our servers and the redirect is handled at the network level. No web hosting, no server configuration, and no certificate management.

To prevent security issues on your new domain, consider enabling HSTS (HTTP Strict Transport Security), which tells browsers to always connect over HTTPS.

redirect.pizza includes a free tier (Margherita) that covers most use cases. For larger setups, the paid plans support bulk CSV imports, analytics, and API access.

How to implement an SSL/HTTPS redirect using redirect.pizza

Setting up your domain for redirect.pizza is easy. Just follow these three steps and you are good to go:

  1. Step 1: Create a free account

    Getting registered on redirect.pizza is totally free. You can sign up with Google, GitHub, or Apple, or create your own account using your email address.

  2. Step 2: Create redirect

    Using our HTTPS redirect service couldn’t be easier. Fill in the details of the old domain or URL that you want redirected as source URLs. Then add the destination (a new domain or a URL) that you want your source to redirect to. Finally, select the type of redirect that you want (301, 302, or another) and click on create. Learn more in our getting started guide.

  3. Step 3: Adjust DNS settings

    The required DNS change is then displayed. Go to your domain registrar to make this DNS change for the A record. Alternatively, you can use our Automatic DNS feature to make these changes. It may take up to 24 hours for the DNS changes to propagate.

Yes. When someone visits an HTTPS URL, the browser performs an SSL/TLS handshake before the server can respond with a redirect. If there is no valid certificate, the browser blocks the connection and the redirect never executes. redirect.pizza automatically provisions and renews SSL certificates for every source domain, so you do not need to manage certificates yourself.

Visitors will see a browser security warning or "connection not secure" error instead of being redirected. Search engines will stop following the redirect and may drop the old URL from their index. With redirect.pizza, certificates are renewed automatically through Let's Encrypt, so this does not happen.

Yes. redirect.pizza is a DNS-based redirect service. You point your domain's DNS records to redirect.pizza's servers, and the redirect is handled at the network level. No web hosting, no server configuration, and no .htaccess files required.

Server-based redirects (.htaccess, Nginx, IIS) require you to maintain hosting and SSL certificates on the source domain. redirect.pizza handles both the redirect and the SSL certificate automatically through DNS. This is especially useful for old domains where you no longer want to pay for hosting.
