Netlify + Wildcard domains + Cloudflare

Hello,

We’ve been using Netlify for quite a few years now, and for the most part it’s been very good to us. We’re excited for Netlify to have raised their Series C funding and look forward to see what else Netlify will deliver in the future. :+1:

One of the only hurdles we currently still face, is the fact that we cannot seem to use a wildcard domain for our app in combination with Cloudflare and Netlify.

Due to multi tenancy and custom subdomains, and increased customer growth, a wildcard domain is becoming essential for us because manually adding subdomains and constantly re-issuing the certificate is not scalable.

We need to decide if we stay with Netlify or move to another build/hosting solution that will enable us to have wildcard domains, so this is a last attempt to hopefully figure out a solution that will allow us to stay with Netlify.

We will happily switch to the Pro plan today if a solution to this problem can be found. We have read all the support articles about this topic, and been in touch with Netlify support about this problem several times in the past.

Current setup

  • Cloudflare is our DNS management, domain registrar and CDN for several S3 buckets
  • We also use Cloudflare extensively for other features, like custom firewall rules to block certain requests and countries, DDoS protection, etc.
  • Netlify is used to build and host our app front-end.
  • Cloudflare is configured with CNAME records pointing to Netlify and using DNS only (grey cloud) as required.

This is working great, all unknown subdomains are redirected to Netlify, and provided the custom domain is registered there, it will pick it up and serve our app.

Problem
The problem is that we still have to manually add new subdomains to the list of custom domains and then wait for a new certificate to issue.

We would like to enable wildcards for our domain in Netlify, so that anything.helloclub.com (except www) will serve our app.helloclub.com site.

Last time we checked (mid-late 2019), support told us this was not possible without transferring our DNS management to Netlify.

Due to our reliance on Cloudflare for other features, which Netlify doesn’t offer and is unlikely to offer in the future, abandoning Cloudflare and moving our DNS over to Netlify is not an option.

As far as I understand, the problem is related to certificates, and Netlify can’t issue wildcard certificates for some reason without having control over the DNS.

Question
Is there a way, now in 2020, to enable wildcard support in Netlify for our domain, while keeping Cloudflare as our DNS management tool?

Or alternatively: is there a way to move our DNS management to Netlify so we can enable wildcard domains, while keeping the benefits of Cloudflare for our other subdomains?

If not: what are the current technical limitations preventing this, and are there plans to overcome these later this year (perhaps with the new $53M cash injection :smile:)?

1 Like

Hey Adam, long time no see! Missed chatting with you in the helpdesk this past while and wasn’t sure you were still around :slight_smile:

I don’t think you heard right what we said - we don’t have to host your DNS; but you do have to provide a wildcard SSL certificate for *.yourdomain.com in that case. Yes; we cannot issue the cert; certainly you can use your own though!

There is a feature for wildcard domains that should work with that setup (we automatically serve *.yourdomain.com for a single site with no further config; it does have some prerequisites:

Wildcard subdomains aren’t enabled by default and can only be enabled from our end. There are a few requirements before we’re able to do so:

  1. Either you have to use Netlify DNS so we can get you a wildcard SSL cert, or you must bring a custom wildcard certificate - so in your case you’d have to purchase and provide one, but that should be cheap (~$50. Cloudflare’s certs are not usable off of cloudflare)
  2. We can only do this for a site that’s on a Pro team

Also note:

  • You can’t use domain aliases on the site with Wildcard subdomains enabled, just the bare domain and subdomains under your primary domain. If you try to add a domain alias then it won’t work.
  • The primary custom domain for the site, if it is a “site.com+www.site.com” setting in our UI, must be www.site.com and NOT site.com!

If that sounds like it would work, we can get you configured once you go Pro.

Hi Chris, good to hear from you again :slight_smile: Yes it’s been a while, but that’s a good sign no? Everything has been running smoothly mostly.

Thanks for your comments. Ok, so from what I understand, it can be done, but I would have to provide my own certificate, and that is currently the only limitation?

A few questions come to mind:

  1. What is holding Netlify back from using Let’s Encrypt to issue the certificate, if you don’t have control over the DNS? Could I not create a TXT record to prove ownership of the domain so that Netlify can then issue the certificates?

  2. Is there a process in place that could automate certificate renewal and upload to Netlify, or would this be a manual action on our end every 3 months?

  3. Will I still be able to have a separate site on Netlify running on our www.helloclub.com domain, while running the wildcard setup on our app.helloclub.com domain?

No problem to switch to a Pro plan. I will create a new team pro account for Hello Club, I assume it’s no problem to switch the relevant sites over to that team once that’s setup.

Ok, so from what I understand, it can be done, but I would have to provide my own certificate, and that is currently the only limitation?

Yup! There are some other finicky bits in the configuration, but I think nothing that would block you:

What is holding Netlify back from using Let’s Encrypt to issue the certificate, if you don’t have control over the DNS? Could I not create a TXT record to prove ownership of the domain so that Netlify can then issue the certificates?

You could create that text record for yourself, and use it, yes. That’s basically what certbot does (and how our automation works too). We have not implemented any feature that would let you control it yourself using our automation + your DNS hosting to get the certificate, though, and it is not on the roadmap to add it. We control DNS, we get wildcard for you; we don’t, we don’t. They cost about $50 if you buy one for a year, so that’s your path forward if you don’t want to manage it more frequently :slight_smile: Or, you could handle it using the free lets encrypt certs every 3 months; you could almost certainly reverse engineer the API calls we use to do it for your own use: [Support Guide] Understanding and using Netlify's API but I do not know anyone who has tried since you’d need programmatic access to rather sensitive data (your private key).

Will I still be able to have a separate site on Netlify running on our www.helloclub.com domain, while running the wildcard setup on our app.helloclub.com domain?

yup! individually configured hostnames on other sites override the wildcard which is more like a “catch everything else” than a “catch all”.

Finally,

I assume it’s no problem to switch the relevant sites over to that team once that’s setup.

Indeed, if you own the sites on the free team and are an owner on the new team, here’s how you’d move them between teams: Team-owned sites | Netlify Docs

No other hostnames (something.otherdomain.com) can be applied to that site.

I see, we do currently use that (some customers have custom domains). What would be an acceptable solution to this? Duplicate the site, connect it to the same repository, and link all custom (other) domains to that other site instead?

yup! individually configured hostnames on other sites override the wildcard which is more like a “catch everything else” than a “catch all”.

Brilliant.

If I go ahead and prepare the sites, setup the new account and hook everything up from our end, will you or someone else from the team be able to check if everything looks in order?

Any expected downtime for our users when the switch is made?

Thanks,
Adam

  1. Yup - two sites/same repo/onewildcard+onewithalistofnames is the workflow for that situation, Adam.

  2. Yes, if you pre-prepare we can confirm correct setup

  3. True, No expected downtime