Domain alias not appearing in SSL cert list

mikeriley131 · May 18, 2020, 6:58pm

I’ve got two domain aliases but only one is showing up in the list of domains for the cert.

kind-booth-f1f950.netlify.app
Default subdomain

Options
www.1dollar1love.org
Redirects automatically to primary domain

Options
www.1dollar1love.com
Domain alias

SSL/TLS certificate
Your site has HTTPS enabled
Certificate
Let’s Encrypt
Domains
1dollar1loveDOTorg, www.1dollar1loveDOTcom, www.1dollar1loveDOTorg
Created
Yesterday at 3:55 PM
Updated
Today at 12:42 PM

perry · May 20, 2020, 3:32pm

hi there, maybe i am misunderstanding, but i see the same site load regardless of .com or .org domain name ending. are you seeing what you expect to seeing?

mikeriley131 · May 20, 2020, 5:29pm

The issue is just with the .com URL with no www.

You get the “Your connection is not private” screen. You can see that for whatever reason that just that domain is not getting added to the list of domains under “SSL/TLS certificate”.

perry · May 20, 2020, 5:30pm

thanks for clarifying, i get it now. I’ll have to wait for someone to chime in who can fix your cert.

mikeriley131 · May 24, 2020, 2:24pm

Just wanted to check in on this to see if anyone has any ideas as to what’s going on here. Thanks.

luke · May 24, 2020, 7:05pm

Hi, @mikeriley131.

We cannot update the SSL certificate to include 1dollar1love.com at time time because of conflicting DNS records.

There are two records found when I do the lookup:

1dollar1love.com.	600	IN	A	184.168.131.241
1dollar1love.com.	600	IN	A	104.198.14.52

The first record pointing to 184.168.131.241 is the issue. This is for an IP address which isn’t at Netlify.

Please delete that record, wait for it to time out (so wait ten minutes), and then click the “Renew certificate” button for the SSL certificate in our web app for this site.

This should resolve the issue. If it does not resolve it or if there are any questions, please let us know.

mikeriley131 · May 28, 2020, 3:07pm

Hi Luke. So I tried doing the same thing with onedollaronelove.com, this time ensuring there is only one A record, pointing to 104.198.14.52, and again, I get onedollaronelove.com listed with the domains for my TLS cert, but not www.onedollaronelove.com. Any idea what’s up this time? In my DNS settings, the CNAME for www is set to @.

mikeriley131 · May 28, 2020, 3:36pm

Disregard last message as this seems to be working correctly now.

luke · May 29, 2020, 2:43am

Hi, @mikeriley131, while it is technically working now, the current configuration isn’t recommended. This is because you are directing all site traffic to a single CDN node, the one using the IP address 104.198.14.52.

The “@” in the DNS record for www is an alias for “this apex/bare/root domain” (which is 1dollar1love.com in this case).

Checking the DNS records, we do see that the “www” subdomain does point to the apex domain:

www.1dollar1love.com.	3599	IN	CNAME	1dollar1love.com.
1dollar1love.com.	3599	IN	A	104.198.14.52

This means the only IP address which will ever be used for this site in for a CDN node close to San Francisco. This is fine if all of you site visitors are in the western U.S.A. You site isn’t using our full CDN with the current DNS configuration.

Even if all your site visitors are on the west coast, we have more than one CDN node near San Francisco. You site could be using multiple servers but, instead, it only uses one. And we never intend for 104.198.14.52 to be the primary server for a site. It just isn’t how Netlify is designed to be used.

Our recommended configuration is found here:

These would be the correct DNS records:

www.1dollar1love.com.	3599	IN	CNAME	kind-booth-f1f950.netlify.app.
1dollar1love.com.	3599	IN	A	104.198.14.52

The second part of the solution here will be to make www.1dollar1love.com the primary domain for this site. This is what then enables multiple CDN nodes to be used. Right now, www is a 301 to the apex domain. This should be changes so that the apex is a 301 redirecting to the www subdomain.

We also cover the reasons for this here:

If you look up the IP address for that domain (kind-booth-f1f950.netlify.app), you will see that many different IP addresses are returned. Here is an example of me testing locally:

$ dig kind-booth-f1f950.netlify.app  +short
138.68.244.143
$ dig kind-booth-f1f950.netlify.app  +short
104.248.78.24
$ dig kind-booth-f1f950.netlify.app  +short
167.172.221.254

Three lookups. Three different IP addresses. If you make www a CNAME pointing to kind-booth-f1f950.netlify.app your site will being using the full CDN.

To summarize, you can keep the current configuration if you want. It is working but not ideally or how Netlify is intended to work.

If you don’t make changes though, you won’t be using our CDN (only a single node) and this is neither a recommended or supported configuration. We do recommend changing the DNS records and primary domain to match the instructions in our documentation.

If there are any questions about this, please let us know.

mikeriley131 · June 2, 2020, 6:52pm

Thank you for the thorough response, Luke. I will make those suggested changes.

Topic		Replies	Views
Secondary Custom Domain Alias not Showing on SSL Cert Support netlify-dns-https-ssl	14	1920	August 20, 2020
Certificate for domain alias is not working properly Support netlify-dns-https-ssl , netlify-newbie , redirects	5	1428	February 12, 2020
Issues with subdomain SSL & Redirects - already using wildcard cert and wildcard added to account Support netlify-dns-https-ssl , redirects	1	471	September 23, 2020
Redirect domain alias certificate issue Support netlify-dns-https-ssl	4	1796	July 26, 2021
Request - Enabling SSL on Subdomains Support netlify-dns-https-ssl	6	735	August 21, 2022

Domain alias not appearing in SSL cert list

Related topics