How to do DNS & SSL for sub-domain that doesn't run on Netlify?

Netlify manages the DNS settings of my site (say, “mysite.com”) and its SSL certificate. Now I want to add a sub-domain (such as “test-app.mysite.com”) with an SSL certificate. That sub-domain will belong to a VPS server that runs on DigitalDomain.

So I have two questions that I couldn’t see answered in the Netlify documentation:

  • Is that possible?
  • If so, what DNS records do I need to add at Netlify?
  • If so, how do I get an SSL certificate for that from Netlify?

Thank you!

Regards,
Karsten Silz

Hi Karsten,

These are fun questions to read and learn from, so I wanted to ask if the sub-domain will be hosted on a VPS – did you mean Digital Ocean? (I looked up Digital Domain and found a film company.)

I.e. are you trying to have a sub-domain that redirects to another server?

You are right: I meant DigitalOcean, and I’ll run it on a VPS there. To be more precise: A Java Spring Boot application, run through a Docker Compose file. So it’s a completely different server on a non-Netlify IP address. So “mysite.com” goes to Netlify, and “test-app.mysite.com” goes to the VPS on DigitalOcean.

No trouble configuring that here; just add a DNS record in your domain dashboard.

For SSL, we cannot help for non-netlify sites. On digital ocean’s droplet, you can use certbot to manage your own certificate (I use this workflow myself on my own DO droplet where I run some dynamic code that netlify can’t host): https://certbot.eff.org/

Thank you for your post! I managed to add a DNS record.

Things won’t be that easy for my Droplet on DigitalOcean: I’m running the Docker nginx proxy and need to use the “Let’s encrypt” companion container for it.

I gave the “Let’s encrypt” companion container a quick try but couldn’t get it to work. So I’m trying to use the SSL certificate that Netlify created for me instead. I’m running an nginx proxy in Docker on CoreOS there. That proxy requires the certificate and private key for the domain as files with a .crt and .key extension.

So can I get the certificate and private key for my domain from Netlify? Or do I need to create my own, new SSL key and use that then in Netlify & DigitalOcean? I managed to save the Netlify certificate in Chrome and Windows and convert it to a .crt file. But I’m missing the .key file which I believe is the private key.

Yes, you cannot use our SSL certificate on other systems; it’s not in a format that is exportable and we have no intention to make it so.

You can proxy from us to them instead, and then we’d handle the certificate and the SSL termination automatically.

Understood. Can you please point me to the documentation for that? Thank you!

@ksilz, the documentation about making proxy rules at Netlify can be found here:

@luke I couldn’t get this to work in a seamless manner: the SSL address of my Netlify site showing, but served under the hood by my VPS server on DigitalOcean. The documentation wasn’t particularly helpful to my case, either.

So I gave up and bought a new domain instead over which I have full control. Thank you!

@ksilz, if this is a domain name registered via Netlify, please let us know as we do want to assist with any changes you want to make.

Domains registered through Netlify are not limited by Netlify in any way. If you want to use a domain registered via our service with any third-party (Digital Ocean, Heroku, AWS, etc) you definitely can do this and we are always happy to assist with any questions about this.

I’m reading back over the series of questions and it sounds like there is a domain name either registered with Netlify or using Netlify DNS (for example, mysite.com).

It sounds like you want to have a subdomain of this domain (for example, test-app.mysite.com) which points to a Digital Ocean droplet/VPS/system/etc.

In most cases, this would be done by creating a DNS record which links to the droplet. This would normally be an A record if the droplet is referenced by IP address or a CNAME record if the droplet is referenced by hostname.

The DNS record might look similar to this:

test-app.mysite.com      600      IN      A    192.168.1.1

Regarding the SSL certificate for the subdomain, the SSL certificate is controlled by the server responding. If you are directing the subdomain traffic to the Digital Ocean system, then that service will need its own SSL certificate. There is no way to export the SSL certificate from Netlify and use it with a third-party service.

Also, if you want to send us more details about the actual domain names and/or IP addresses at Netlify and Digital Ocean we are happy to help you get that configured.

@luke Thank you for your explanation!

I gave up because I needed a new SSL certificate for my subdomain where the base domain is hosted by Netlify - and has a Netlify SSL certificate. Then it was just easier for me to get a whole new domain name for which I then get the SSL certificate through LetsEncrypt.

@ksilz, if there are other questions about this and/or more we can do to assist, please reply again here anytime.

Hi @luke I’ve run into the same problem. I have a Django site up and running on a digital ocean droplet with an IPv4 address. I cannot seem to figure out the DNS configurations to make a subdomain of a domain name registered via Netlify point to that IPv4 address. I have tried setting up an A record on Netlify DNS, I’ve tried adding digitalocean nameservers to Netlify DNS and I’ve tried playing around with nginx configs. All to no avail. I read somewhere that I might need a virtual host? But I don’t really understand why or what that means.

What I want is simply for subdomain.example.com (of a Netlify Domain) to point to 0.0.0.0 IP (hosted on digital ocean)


Hi, @davidlinjiahao, for a domain registered at Netlify (or using Netlify DNS) you should just be able to add an A record.

The only exception is if there is an existing NETLIFY or NETLIFYv6 type DNS record already created for the same name. These NETLIFY/NETLIFYv6 records can only be deleted by our support team. These record types will also prevent creating an A, AAAA, or CNAME record for the same domain name (or subdomains) until they are deleted.

This means if you have a NETLIFY record for foo.example.com, you cannot create an A record for foo.example.com until the NETLIFY type record is deleted. You can still create A records for bar.example.com.

Note, 0.0.0.0 isn’t a valid IP address for an A record and there is more about that here: 0.0.0.0 - Wikipedia

My best guess is that this was just an example though.

Do you need us to delete NETLIFY/NETLIFYv6 records for your domain? If so, which records should we delete?

Please note, it isn’t possible for Netlify to configure SSL on the server running at the IP address you point the subdomain to. We can only provide SSL for sites hosted at Netlify. For sites hosted elsewhere, you will need to get your own SSL certificate for those systems.

If there are other questions about this, please let us know.
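A small checker, added here as an example (not Netlify's own tooling), that applies the rules from this thread to a constructed sample zone: an A record for the subdomain needs a reachable public IP (0.0.0.0 and the private 192.168.1.1 from the sample record above are rejected), a CNAME needs a hostname, and any name that still carries a NETLIFY or NETLIFYv6 record is blocked until support deletes it. The RFC 1918 and CNAME-coexistence checks are standard DNS rules, not from the thread; example.com and the record values are placeholders.

```python
import ipaddress
import re

# Constructed sample zone (example.com is a placeholder, not a real deployment).
# foo.example.com still carries Netlify's own NETLIFY/NETLIFYv6 records, so
# A/AAAA/CNAME for that exact name is blocked; bar.example.com is free.
EXISTING_RECORDS = [
    ("example.com", "NETLIFY", "example.netlify.app"),
    ("foo.example.com", "NETLIFY", "foo.netlify.app"),
    ("foo.example.com", "NETLIFYv6", "foo.netlify.app"),
    ("www.example.com", "CNAME", "example.netlify.app"),
]

BLOCKING_TYPES = {"NETLIFY", "NETLIFYv6"}
IP_CLASS = {"A": ipaddress.IPv4Address, "AAAA": ipaddress.IPv6Address}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def check_value(rtype, name, value):
    """Return None if value is a usable target for rtype, otherwise a reason."""
    if rtype in IP_CLASS:
        try:
            ip = IP_CLASS[rtype](value)
        except ValueError:
            return f"{value!r} is not a valid {rtype} address"
        if ip.is_unspecified:  # 0.0.0.0 / ::, the case raised in the thread
            return f"{value} is the unspecified address, not a reachable host"
        if ip.is_loopback or ip.is_link_local or ip.is_multicast or any(ip in n for n in RFC1918):
            return f"{value} is not reachable from the public Internet"
        return None
    if rtype == "CNAME" and HOSTNAME_RE.match(value) and value.lower() != name.lower():
        return None
    return f"{value!r} is not a usable {rtype} target"


def plan_record(existing, name, rtype, value, ttl=600):
    """Return (ok, message); message is the zone-file line when the record can be added."""
    reason = check_value(rtype, name, value)
    if reason:
        return False, reason
    same_name = [r for r in existing if r[0].lower() == name.lower()]
    blockers = sorted({r[1] for r in same_name if r[1] in BLOCKING_TYPES})
    if blockers:  # Netlify-managed records: only Netlify support can remove them
        return False, f"{name} has {'/'.join(blockers)} record(s); ask Netlify support to delete them first"
    if same_name and (rtype == "CNAME" or any(r[1] == "CNAME" for r in same_name)):
        return False, f"CNAME cannot coexist with other records at {name}"
    return True, f"{name}\t{ttl}\tIN\t{rtype}\t{value}"
```

Run `plan_record(EXISTING_RECORDS, "test-app.example.com", "A", "<droplet IP>")` with the droplet's public IPv4 address to get the zone line to enter in the Netlify DNS panel, or a reason why the panel will refuse it.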