Branch Domain SSL for Akita Software Staging

Hi there,

I’d love a branch domain for my site. I only need one domain right now. I hope this means I do not need to create a wildcard record?

My site name is akita-superstar
The domain in question is app.staging.akita.software
The branch is staging

Everything else is working fantastically!

I’m following this guide: [Support Guide] How to use Netlify’s branch deploy feature without Netlify DNS

Here is my dig output:

$ dig app.staging.akita.software

; <<>> DiG 9.10.6 <<>> app.staging.akita.software
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5999
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;app.staging.akita.software.    IN      A

;; ANSWER SECTION:
app.staging.akita.software. 41  IN      CNAME   staging--akita-superstar.netlify.app.
staging--akita-superstar.netlify.app. 1 IN A    167.172.221.254
staging--akita-superstar.netlify.app. 1 IN A    104.248.78.23

;; Query time: 10 msec
;; SERVER: 192.168.2.144#53(192.168.2.144)
;; WHEN: Tue Sep 08 14:56:52 PDT 2020
;; MSG SIZE  rcvd: 137

Thanks much,
–sm

hi, is the subdomain you’d like SSL

app.staging.akita.software

or

staging.app.staging.akita.software ?

your message wasn’t quite obvious and i don’t want to guess :wink:

Thanks for the lightning fast follow up @perry!

app.staging.akita.software is the domain I’d like SSL for :slight_smile:

If you want app.staging.akita.software to be your branch subdomain, then the primary domain would need to be “staging.akita.software” and you would need to deploy a branch called “app”.

Right now your primary domain is new.app.akita.software (Netlify App). Is that what you intend it to be?

Step 2 in the support guide you linked to has an example which might be helpful to figuring out what you want this to look like. Let us know! :slight_smile:

Thanks for the reply and clarification @laura

I was hoping to avoid the staging.app.akita.software scheme because we have a number of subdomains hanging off each environment name. For example, we also host api.staging.akita.software . The idea is to have a scheme like: ..akita.software. Is there a config with Netlify that will support deploying a ‘staging’ branch that is pointed to by app.staging.akita.software ?

If that is not possible I totally understand. And if that is the case, I would love to get a certificate for staging.app.akita.software set up. :slight_smile:

Right now your primary domain is new.app.akita.software (https://app.netlify.com/sites/akita-superstar/settings/domain#custom-domains ). Is that what you intend it to be?

It is not! I just tried to change my primary domain to app.akita.software (removing the new) and I get this error message:

We're provisioning a certificate for your site, you cannot change custom domains until that process completes

Is there a lock that can be released so I can change it? Or if it is easier for you to make that change for me, please go for it.

To be clear:

  1. I’d love to have the ability to get a cert at app.staging.akita.software
  2. If that is not possible, I’d like to get a cert at staging.app.akita.software
  3. I’m currently blocked from modifying my primary domain to app.akita.software
  4. If it’s easier for you to change it on my behalf, please go ahead!

Thanks so much for the help,
–sm

Hi, @smaher. For our process for manually updating the SSL certificate for branch subdomains, the naming rules must be followed. There is one workaround, however.

You can make a new site for this same repo. For the new site, make the production branch the one in question (like “staging” in this case).

Once that is done, you can assign any custom domain that you want and our support team won’t need to manually update it. You could then have the custom domain app.staging.akita.software assigned and it would be deploying the staging branch. This is the only workaround for this at this time.

If you don’t use the workaround, then the naming rules in the support guide must be followed for the manual process to succeed.

The certificate provisioning has stopped so you can change the custom domains now. Note, you must delete any unused custom domains before SSL certificate provisioning will work. (Meaning, removing new.app.akita.software from any sites as there are no DNS records for that domain name.)

Would making a new site just for this branch be an acceptable workaround?

Please let us know if there are any questions and/or if this workaround doesn’t work as promised.

Thanks for the reply and working with me, @luke!

Talked with the team and we will just go with the simplest thing that works. Appreciate the workaround, but we don’t need it.

I’ve updated our app domain with Netlify to app.akita.software, and changed our CNAME record. Let’s follow the original Netlify naming rules.

Can we get an SSL certificate for: staging.app.akita.software ?

$ dig staging.app.akita.software

; <<>> DiG 9.10.6 <<>> staging.app.akita.software
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44860
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;staging.app.akita.software.    IN      A

;; ANSWER SECTION:
staging.app.akita.software. 60  IN      CNAME   staging--akita-superstar.netlify.app.
staging--akita-superstar.netlify.app. 20 IN A   167.172.221.254
staging--akita-superstar.netlify.app. 20 IN A   165.227.0.164

;; Query time: 508 msec
;; SERVER: 192.168.2.144#53(192.168.2.144)
;; WHEN: Wed Sep 09 10:30:41 PDT 2020
;; MSG SIZE  rcvd: 163

Thanks again!
–sm

Hi, @smaher, I’m not able to update the SSL certificate because the process tries to provision for all custom domains and fails if even a single custom domain check fails.

I do see the working DNS record for staging.app.akita.software:

$ dig staging.app.akita.software  +noall +answer

; <<>> DiG 9.10.6 <<>> staging.app.akita.software +noall +answer
;; global options: +cmd
staging.app.akita.software. 59	IN	CNAME	staging--akita-superstar.netlify.app.
staging--akita-superstar.netlify.app. 19 IN A	104.248.78.24
staging--akita-superstar.netlify.app. 19 IN A	165.227.12.111

For the primary custom domain (app.akita.software), the DNS record doesn’t point to Netlify so the SSL certificate provisioning fails:

$ dig app.akita.software  +noall +answer

; <<>> DiG 9.10.6 <<>> app.akita.software +noall +answer
;; global options: +cmd
app.akita.software.	599	IN	CNAME	7ae283fe-superstar-reportu-52c9-245783648.us-west-2.elb.amazonaws.com.
7ae283fe-superstar-reportu-52c9-245783648.us-west-2.elb.amazonaws.com. 59 IN A 44.229.4.114
7ae283fe-superstar-reportu-52c9-245783648.us-west-2.elb.amazonaws.com. 59 IN A 35.166.87.65
7ae283fe-superstar-reportu-52c9-245783648.us-west-2.elb.amazonaws.com. 59 IN A 52.34.12.38
7ae283fe-superstar-reportu-52c9-245783648.us-west-2.elb.amazonaws.com. 59 IN A 54.191.166.237

We need both any custom domains and any branch subdomains to have DNS configured and working before we can create the SSL certificate. Behind the scenes, we are using the same APIs that the Let’s Encrypt certbot uses.

Are you not wanting to switch DNS until the SSL certificate is in place?

If so, you can run certbot on whatever system that load balancer is pointing to. This will let you get the SSL certificate from Let’s Encrypt for app.akita.software. You can then upload that to Netlify as a custom SSL certificate and then move the DNS to point to Netlify. The SSL certificate will be the custom certificate you created with certbot.

Then, once that is in place, I can make a new automatic SSL certificate with Let’s Encrypt and our service which also includes the branch subdomain. The new certificate would then be used and we will automatically update it from there.

Alternatively, if you don’t mind the SSL not working for a time, then you can just change the DNS without any SSL certificate and once both DNS records point to Netlify, then we can provision the automatic SSL certificate.

As always, if there are any questions we will be happy to answer. We are happy to proceed with whichever solution you prefer.
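
The rule described in the last reply (every custom domain and branch subdomain on the site must resolve to Netlify before a certificate can be issued) can be checked before asking for provisioning. The following is an added example, not part of the original thread and not Netlify's own tooling. It parses `dig +noall +answer` records copied from the thread. The `netlify.app` suffix test, the 8-hop limit and the function names are assumptions, and apex A records are not handled.

```bash
# Answer records copied from the dig output quoted in the thread.
# For a live check, build this from: dig +noall +answer "$name"
ANSWERS='staging.app.akita.software. 59 IN CNAME staging--akita-superstar.netlify.app.
staging--akita-superstar.netlify.app. 19 IN A 104.248.78.24
staging--akita-superstar.netlify.app. 19 IN A 165.227.12.111
app.akita.software. 599 IN CNAME 7ae283fe-superstar-reportu-52c9-245783648.us-west-2.elb.amazonaws.com.
7ae283fe-superstar-reportu-52c9-245783648.us-west-2.elb.amazonaws.com. 59 IN A 44.229.4.114'

# Follow the CNAME chain for name $1 through the records in $2; print the last name.
final_target() {
  printf '%s\n' "$2" | awk -v start="$1." '
    $4 == "CNAME" { cname[tolower($1)] = tolower($5) }
    END {
      name = tolower(start)
      # The hop limit guards against CNAME loops.
      for (hops = 0; hops < 8 && (name in cname); hops++) name = cname[name]
      print name
    }'
}

# Classify one custom domain as netlify, elsewhere:<target> or no-records.
# Assumption: "on Netlify" means the chain ends under netlify.app.
classify() (
  target=$(final_target "$1" "$2")
  if ! printf '%s\n' "$2" |
       awk -v t="$target" 'tolower($1) == t { f = 1 } END { exit !f }'; then
    echo "no-records"
  else
    case "$target" in
      *.netlify.app.) echo "netlify" ;;
      *) echo "elsewhere:$target" ;;
    esac
  fi
)

# One failing domain blocks the whole certificate, so list every domain
# and return the number of blockers as the exit status.
preflight() {
  blocked=0
  for d in "$@"; do
    st=$(classify "$d" "$ANSWERS")
    printf '%-28s %s\n' "$d" "$st"
    [ "$st" = netlify ] || blocked=$((blocked + 1))
  done
  return "$blocked"
}

preflight staging.app.akita.software app.akita.software new.app.akita.software ||
  echo "certificate request would fail: $? domain(s) not pointing at Netlify"
```

A domain reported as `no-records` or `elsewhere:` has to be removed from the site or repointed before the certificate request is retried.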