NetlifyDNS - branch subdomain cert error

Site name: https://docs.armory.io

docs.armory.io is the primary domain, using Netlify DNS.

branch subdomain https://v2-0-to-2-19.docs.armory.io - cert error

NET::ERR_CERT_COMMON_NAME_INVALID

browser screenshot: Image 2020-06-22 at 11.38.23

Your site has HTTPS enabled
Certificate: Custom
Domains: www.armory.io, *.armory.io, armory.io

Since our docs site is live, I don’t want to click Update custom certificate or Use Let’s Encrypt certificate without understanding what’s causing the subdomain cert error.

How do I resolve the subdomain cert error? We will be creating a new subdomain every time we version our documentation (2-3 times/year).

Thanks.

aimee

Hi, @aimeeu, the SSL certificate used doesn’t cover v2-0-to-2-19.docs.armory.io.

The covered domains are:

  • www.armory.io
  • *.armory.io
  • armory.io

Note, the wildcard domain (*.armory.io) only covers that one level of subdomain (one level only under armory.io). It will cover all of the following:

  • docs.armory.io
  • foo.armory.io
  • bar.armory.io

However, it will not cover any of the following:

  • foo.docs.armory.io
  • www.foo.armory.io
  • foo.bar.armory.io

You would need to have an SSL certificate which also includes *.docs.armory.io to cover subdomains under docs.armory.io.

If there are other questions about this, please let us know.
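The one-level wildcard rule from the reply above, as an added example that is not part of the original thread. The function names are hypothetical, and the matching is a simplified model of browser behaviour (a `*` is honoured only as the whole leftmost label; no public-suffix check).

```python
"""Added example: single-label wildcard matching for certificate DNS names."""

# Domains listed for the custom certificate in the question.
CERT_SANS = ["www.armory.io", "*.armory.io", "armory.io"]


def _labels(name):
    # DNS names are case-insensitive; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")


def san_matches(pattern, hostname):
    """True if one certificate name entry covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False  # "*" stands for exactly one label, never several
    if p[0] == "*":
        # Assumption: require a real domain (2+ labels) after the wildcard.
        return len(p) > 2 and p[1:] == h[1:]
    if "*" in pattern:
        return False  # assumption: partial or non-leftmost wildcards rejected
    return p == h


def covering_sans(hostname, sans=CERT_SANS):
    """Entries of the certificate that cover hostname (empty list = cert error)."""
    return [s for s in sans if san_matches(s, hostname)]


def wildcard_needed(hostname):
    """Wildcard entry that would cover hostname: '*' in place of its first label."""
    return ".".join(["*"] + _labels(hostname)[1:])


if __name__ == "__main__":
    # Hostnames taken from the thread.
    for host in ["docs.armory.io", "foo.armory.io", "foo.docs.armory.io",
                 "www.foo.armory.io", "v2-0-to-2-19.docs.armory.io"]:
        hits = covering_sans(host)
        if hits:
            print(f"{host}: covered by {', '.join(hits)}")
        else:
            print(f"{host}: NOT covered, would need {wildcard_needed(host)}")
```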

Thanks for the reply! I inherited this Netlify account so I’m not familiar with how the original was set up.

Only docs.armory.io uses Netlify. The Armory engineers configured docs.armory.io to use Netlify’s domain servers, so that’s why the Domain Management UI states that docs.armory.io uses Netlify DNS, right?

How do I configure docs.armory.io to be the only top-level domain, so that Netlify automatically creates a cert for docs.armory.io and all subdomains of docs.armory.io that I create using the Branch Subdomain functionality? I’d like for Netlify to manage the site certs; I don’t want to use an external certificate authority.

I also need to:

  1. Delete www.armory.io Netlify site
  2. Delete www.armory.io and armory.io domains - will this delete the associated custom certificate?

No, someone misconfigured our system to look like that though! Our DNS hosting is not in use for that domain (it is NOT delegated to us:

$ host -t soa docs.armory.io
docs.armory.io has no SOA record

)

…so you should remove it so our system works correctly. You can do that here:

Incorrect configuration of our DNS hosting when not used causes incorrect behavior with SSL such as what you’re seeing.

Once you do that, let me know and I can try to update the SSL certificate to include your preferred list of branch subdomains, assuming you have DNS set up (at AWS!) as mentioned in this article:

You’ll need to ping us with the list after it is configured, and we’ll be able to help get it in place for you in the cert.

@fool Thanks for the detailed response!

At Armory we use Terraform to manage our DNS records. I verified that the docs.armory.io DNS entry is type “NS” and is indeed delegating to Netlify’s nameservers and thus using Netlify DNS.

Steps I took to resolve the subdomain SSL cert error:

  • Deleted the armory.io site that is no longer used; now there is only the docs.armory.io (armory-docs.netlify.app) site
  • Switched to the “Let’s Encrypt” certificate
  • Created a new “archive” branch and configured Netlify to deploy it
  • Created a new subdomain for the archive branch
  • Verified that the HTTPS certificate section contained both docs.armory.io and archive.docs.armory.io