401 access error on pages only through www subdomain (verified!)

I set up a new domain and www subdomain to point to the gitlab pages for my group, by following the instructions For both root and subdomains. When I access the page through the root domain, it works. However, when I access it through www subdomain, I get a 401 access error. Different from some other questions on this topic, both root and subdomains are verified.

Moreover, if I use “telnet www.nonnegativ.com 80” and enter,
GET / HTTP/1.1
host: www.nonnegativ.com
then I get a 302 redirect to the error page.

However, if I use “telnet www.nonnegativ.com 80” and enter,
GET / HTTP/1.1
host: nonnegativ.com
then I get the correct page.

So the CNAME is working correctly, but gitlab seems to be refusing access based on the specified host in the HTTP header, despite the www subdomain having been verified and added as a domain to the Pages configuration.

Not sure what else to try and fix it. It’s particularly annoying because it seems that when I type the root domain in Firefox, Firefox automatically and unhelpfully adds “www.” to the front, making my page appear to not work at all.

One thing I’ll note, is that I left the automatic Let’s Encrypt turned on, and it is currently waiting for a certificate for more than a day, so I am not sure if that contributes to the problem and will fix itself when the certificate is available, but it seems the root domain access works fine so I don’t think that’s at play.

Edit: I should mention, project visibility is set to Public, and Pages is set to Everyone With Access.

It appears to be working now without intervention, however on inspection I see that my Let’s Encrypt certificates are active. I guess it was due to SSL after all.

edit: weirdly, I just noticed that now it does work through HTTP, but not through HTTPS, so even though it was waiting for SSL, it appears that SSL does not work. Very confusing. I am now changing the DNS entry from CNAME to A so that the SSL certificate is associated directly with the hostname, I will see if that fixes it.

Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for www.nonnegativ.com. The certificate is only valid for the following names: *.gitlab.io, gitlab.io

Okay I notice that my SSL certificate has only come in for one of my subdomains that I added more recently, the others seem to be blocked, perhaps I will re-initiate the process.