Branch Subdomain and SSL Certificate

Awesome, thanks @luke

@joewoodhouse, I’m running into issues updating the SSL certificate and we’ll have another update here as soon as we know more.

I’m also having issues with my subdomain react.dashbud.dev :confused:
Would you mind helping please?

Hi, @jahirfiquitiva, there is an inactive Netlify DNS zone for this domain (dashbud.dev) here:

https://app.netlify.com/account/dns/dashbud.dev

This domain is not using Netlify DNS:

dashbud.dev.		21600	IN	NS	curitiba.porkbun.com.
dashbud.dev.		21600	IN	NS	salvador.porkbun.com.
dashbud.dev.		21600	IN	NS	maceio.porkbun.com.
dashbud.dev.		21600	IN	NS	fortaleza.porkbun.com.

This means the Netlify DNS zone above must be deleted. This can be done using the “Delete DNS zone” button at the bottom of the page linked to above.

Inactive DNS zones do prevent SSL certificate renewals.

Once the inactive zone has been deleted, please let us know and we can get the SSL certificate updated to include react.dashbud.dev. The instructions for domains not using Netlify DNS (like this domain) can be found here:

You don’t need to do anything (except delete the inactive DNS zone).

All the required steps listed in the “[common issue]” topic above are complete already. The only thing blocking our support team from updating the SSL certificate is the inactive DNS zone. Once it is deleted, we can complete the setup of the certificate.

@luke @fool hi folks! Could you add SSL for Branch subdomain dev.pumabrowser.com please?
Thank you!

Hi, @html5cat. We’d be happy to do so. There are a series of requirements that must be met before this is possible as listed in the support guide linked to above.

The second step is: “2. Create the DNS record with your current DNS provider.”

However, the required DNS record doesn’t exist yet:

$ dig dev.pumabrowser.com  +noall +answer

; <<>> DiG 9.10.6 <<>> dev.pumabrowser.com +noall +answer
;; global options: +cmd

There is no answer when the DNS lookup is made. Before we can extend the SSL certificate to cover this domain, the DNS record must be created.

Please let us know when the record has been created and/or if there are any questions.

Oops, deleted too many things. Added the CNAME back, thank you! Should propagate soon.

You probably heard it a million times, but here’s my favourite haiku:

It’s not DNS
There’s no way it’s DNS
It was DNS

Hi, @html5cat, I also see the DNS record now and the SSL certificate has been extended to cover dev.pumabrowser.com. If there is more we can do to assist, please let us know.

Thank you so much! :paw_prints:

Hi @html5cat. I’ve set up a new site cape-sh.netlify.app with a custom domain of cape.sh and also a branch subdomain on stg.cape.sh. Would it be possible to fix the SSL certificate for stg.cape.sh? Appreciate it.

hi there, we took care of that for you!

Hi @perry, thank you so much for your swift response. Really appreciate it. Stay safe and have a nice day!

Hi @luke,

Is it possible to do the same for toolbox.grandangle2017.fr?

Hey @Spomky,

This domain isn’t a branch subdomain. Rather, it’s configured as the primary domain for the site. I can also see that the certificate was automatically issued! :stars:

Hi,
Sorry, I meant to do the same for all branches of this domain (e.g. “develop”).
Also, is it possible to have a wildcard for future branch names?

@Spomky, there are no branches configured for this domain so there’s not a great deal I can do :frowning:! Similarly, to use our branch domain feature, you’ll need to make use of Netlify DNS.

Pro (and above) users can request a wildcard SSL cert for subdomains via the Admin category here on Community!

I’m experiencing the same situation with develop.web.majoris.app.
I double checked the DNS config, but it seems alright.

Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for develop.web.majoris.app. The certificate is only valid for the following names: *.netlify.com, netlify.com

Error code: SSL_ERROR_BAD_CERT_DOMAIN

Hi, @rsorage, this is the link to the failed certificate authorization attempt at Let’s Encrypt:

https://acme-v02.api.letsencrypt.org/acme/authz-v3/8476832056

It references a CAA issue being the root cause. I expect the root cause is the CNAME on the apex domain which then has CAA records for it:

$ dig +noall +answer majoris.app CAA
majoris.app.		3599	IN	CNAME	rsorage.github.io.
rsorage.github.io.	3599	IN	CAA	0 issue "digicert.com"
rsorage.github.io.	3599	IN	CAA	0 issue "letsencrypt.org"
rsorage.github.io.	3599	IN	CAA	0 issuewild "digicert.com" 

The attempt above is for a wildcard certificate and, as you can see above, wildcards are not enabled for letsencrypt.org in the CAA record. If there are other questions or concerns, please let us know.
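
The CAA evaluation described in the reply above, as an added example (not part of the original thread, and not Netlify's or Let's Encrypt's code). It follows the CNAME from the dig output quoted above and applies the RFC 8659 rule that `issuewild`, when present, replaces `issue` for wildcard requests; the function names are hypothetical, and climbing to parent domains is left out.

```python
# Added example: simplified RFC 8659 CAA check over dig answer lines.
# DIG_ANSWER reproduces the dig output quoted in the thread above.
DIG_ANSWER = """\
majoris.app.       3599 IN CNAME rsorage.github.io.
rsorage.github.io. 3599 IN CAA   0 issue "digicert.com"
rsorage.github.io. 3599 IN CAA   0 issue "letsencrypt.org"
rsorage.github.io. 3599 IN CAA   0 issuewild "digicert.com"
"""

def parse_answer(text):
    """Return (cname_map, caa_map) parsed from `dig +noall +answer` lines."""
    cnames, caa = {}, {}
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2] != "IN":
            continue  # skip comments and anything that is not a record
        owner, rtype, rdata = parts[0].lower(), parts[3], parts[4]
        if rtype == "CNAME":
            cnames[owner] = rdata.strip().lower()
        elif rtype == "CAA":
            _flags, tag, value = rdata.split(None, 2)
            # Drop quotes and any ';' parameters; an empty issuer means "nobody".
            issuer = value.strip().strip('"').split(";")[0].strip().lower()
            caa.setdefault(owner, []).append((tag.lower(), issuer))
    return cnames, caa

def relevant_caa(name, cnames, caa):
    """Follow the CNAME chain from `name` and return the CAA set found there."""
    name, seen = name.lower(), set()
    while name in cnames and name not in seen:  # `seen` guards against loops
        seen.add(name)
        name = cnames[name]
    return caa.get(name, [])

def may_issue(ca, name, wildcard, cnames, caa):
    """True if `ca` may issue for `name` (wildcard or not) under these records."""
    records = relevant_caa(name, cnames, caa)
    issue = [v for t, v in records if t == "issue"]
    issuewild = [v for t, v in records if t == "issuewild"]
    allowed = issuewild if (wildcard and issuewild) else issue
    if not allowed:  # no applicable property: issuance is unrestricted
        return True
    return ca.lower() in allowed

CNAMES, CAA = parse_answer(DIG_ANSWER)
for wild in (False, True):
    ok = may_issue("letsencrypt.org", "majoris.app.", wild, CNAMES, CAA)
    print("letsencrypt.org wildcard=%s allowed=%s" % (wild, ok))
```

With the apex CNAME in place, the wildcard request is evaluated against the `issuewild` set inherited from rsorage.github.io. and is refused for letsencrypt.org, while a non-wildcard request would pass.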

Hey Luke, thanks a lot for pointing me in the right direction. Since it is an apex domain, all DNS configuration I needed was already there with the A records. All I had to do was remove the CNAME and hit the renew certificate button. =]

Hi Netlify Support,

Could you enable SSL for our branch subdomain, staging.fable.co? Thanks!

Keith Grennan,
Fable Backend Engineer