Secondary Custom Domain Alias not Showing on SSL Cert

I am having some DNS and SSL issues with my custom domains. It appears that the primary custom domain (https://www.inside.calpoly.edu) is fine and is included in the SSL. But the secondary custom domain (https://inside.calpoly.edu) is still having issues with the DNS and with the SSL.

I have added both URLs to the custom domains section within the Netlify dashboard. I have also set up CNAME records for both of these domains:

The CNAME record for www.inside.calpoly.edu points to cpc-inside-cp-blog.netlify.app/
The CNAME record for inside.calpoly.edu points to www.inside.calpoly.edu

Are all of these records and custom domains correct and necessary?

Also, there is a warning in the Netlify dashboard with the inside.calpoly.edu custom domain. It says “Check DNS Configuration”. But sometimes this error is not present and it appears that there are no issues. I am not sure why it changes back and forth between showing a warning and then having no warnings.

I think there is probably something simple here that I am missing or some small mistake I have made along the way. A second set of eyes would be greatly appreciated! Thank you!

As a follow up:

Sometimes the domain without the “www” will redirect to the primary domain (with “www”) but it is not consistent.

Also, I have tried to get the headers for each of the urls and am getting the following readouts in my terminal:

$ curl -X HEAD -i https://inside.calpoly.edu/
Warning: Setting custom HTTP method to HEAD with -X/--request may not work the
Warning: way you want. Consider using -I/--head instead.
curl: (6) Could not resolve host: inside.calpoly.edu

$ curl -X HEAD -i https://www.inside.calpoly.edu/
Warning: Setting custom HTTP method to HEAD with -X/--request may not work the
Warning: way you want. Consider using -I/--head instead.
HTTP/2 200
cache-control: public, max-age=0, must-revalidate
content-length: 0
content-type: text/html; charset=UTF-8
date: Tue, 11 Aug 2020 18:18:32 GMT
etag: "00c944f576dd4a19f677780b360c30e0-ssl"
strict-transport-security: max-age=31536000
age: 0
server: Netlify
x-nf-request-id: a4bfb158-37da-4e47-9b0d-aad63c51b2ca-430009

Howdy @cpcmedia :wave:t2:

I’m one of the community pilots here on Netlify Community, so while I am totally up for helping you, know that I don’t work for Netlify and don’t have access to under-the-hood data about your account and specific DNS configuration Netlify-side. :+1:t2:

That all said, I’d like to gather just a bit more context here… DNS is tricky and the first thing I’d like to understand is whether you’re using Netlify’s nameservers for the inside… sub-domain, or if your domain is hosted elsewhere, using other domain nameservers and you’re assigning DNS records for the inside… and www.inside… subdomains on that system.

Another way of asking that would be, are you using your subdomain through https://app.netlify.com/teams/<YOUR-TEAM-NAME>/dns or hosting your domains elsewhere and only assigning domains to the individual site via Netlify App?

One step at a time :grin:

–
Jon

Hey @jonsully!

Thank you so much for helping out. You are correct in the assumption that the inside… and www.inside… subdomains are being managed through another system and are not being managed through Netlify’s DNS.

Thank you!

Hi, @cpcmedia. This is a DNS lookup issue:

$ dig inside.calpoly.edu

; <<>> DiG 9.10.6 <<>> inside.calpoly.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27448
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;inside.calpoly.edu.		IN	A

;; AUTHORITY SECTION:
inside.calpoly.edu.	899	IN	SOA	ns1.calpoly.edu. netadmin.calpoly.edu. 26 10800 3600 2419200 900

;; Query time: 70 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Aug 12 00:55:54 PDT 2020
;; MSG SIZE  rcvd: 96

Netlify doesn’t host the DNS for this domain name. I don’t have any access to your DNS servers or configuration so I’m not able to see anything beyond the queries and answers themselves.

The root cause is a DNS issue but why there is a DNS issue would be a question for whomever is responsible for this domain’s DNS service (which isn’t Netlify).

Do let us know if there are other questions though and we’ll do our best to answer.

Yeah, this is an interesting one! I typically use Netlify’s nameservers for my domains, which helps keep things all under one tree, but I’m definitely seeing the issue you’re feeling. I’m not sure why my dig shows different results than @luke’s too :thinking: (though this is hours later and it may have changed)

nslookup:

jon$: nslookup inside.calpoly.edu
Server:		192.168.1.1
Address:	192.168.1.1#53

Non-authoritative answer:
inside.calpoly.edu	canonical name = www.inside.calpoly.edu.
www.inside.calpoly.edu	canonical name = cpc-inside-cp-blog.netlify.app.
Name:	cpc-inside-cp-blog.netlify.app
Address: 104.248.60.43
Name:	cpc-inside-cp-blog.netlify.app
Address: 159.65.216.232
jon$: dig inside.calpoly.edu

; <<>> DiG 9.10.6 <<>> inside.calpoly.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1403
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;inside.calpoly.edu.		IN	A

;; ANSWER SECTION:
inside.calpoly.edu.	300	IN	CNAME	www.inside.calpoly.edu.
www.inside.calpoly.edu.	300	IN	CNAME	cpc-inside-cp-blog.netlify.app.
cpc-inside-cp-blog.netlify.app.	20 IN	A	104.248.63.248
cpc-inside-cp-blog.netlify.app.	20 IN	A	104.248.50.87

;; Query time: 167 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed Aug 12 10:09:26 EDT 2020
;; MSG SIZE  rcvd: 159

This all tracks though, because when I query the inside.calpoly.edu domain directly, the error comes from a certificate problem, not a routing problem:

jon$: http inside.calpoly.edu
GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: inside.calpoly.edu
User-Agent: HTTPie/2.1.0



HTTP/1.1 301 Moved Permanently
Age: 0
Cache-Control: public, max-age=0, must-revalidate
Connection: keep-alive
Content-Length: 43
Content-Type: text/plain
Date: Wed, 12 Aug 2020 13:38:53 GMT
Location: https://inside.calpoly.edu/
Server: Netlify
X-NF-Request-ID: 192ebc9d-4550-4498-a330-94cae7930230-2410191

Redirecting to https://inside.calpoly.edu/

GET / HTTP/1.1
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: inside.calpoly.edu
User-Agent: HTTPie/2.1.0


http: error: SSLError: HTTPSConnectionPool(host='inside.calpoly.edu', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError("hostname 'inside.calpoly.edu' doesn't match either of '*.netlify.com', 'netlify.com'"))) while doing a GET request to URL: https://inside.calpoly.edu/

And the key issue there being "hostname 'inside.calpoly.edu' doesn't match either of '*.netlify.com', 'netlify.com'"

So all that said, yeah I fully agree that the issue originally written about is dead on :confused:

I’m going to take a bit of time and play around with externally-hosted DNS on one of my demo sites and see how it behaves, since that’s your use case here. I have occasionally had issues with subdomains having SSL errors, but I usually get around it by just assigning another random subdomain to a different site (which prompts Netlify’s back end plumbing to regenerate the *.domain cert, covering all subdomains). The one oddity that’s tugging at my brain with this particular case is the push to a subdomain. Typically I think sites use the root domain and push www. traffic to the root… and it’s backwards in this case (which is totally fine), so I just want to play with that a little bit :thinking:

–
Jon
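The certificate error Jon pasted above comes from how TLS hostname verification works: the client checks the certificate against the name it typed in the URL, never against the name the CNAME chain finally lands on. The following is an added example, not code from the original thread or from Netlify. It flattens a CNAME chain against a constructed zone snapshot and applies RFC 6125-style name matching to a constructed list of certificate names; the zone records and certificate names are all constructed for illustration, and `fetch_presented_names` is an optional live helper that is not used by the offline part.

```python
"""
Added example, not code from the original thread: flatten a CNAME chain
against a constructed zone snapshot and check whether the hostname the client
typed is covered by the names a certificate presents. The browser verifies the
certificate against the hostname in the URL (inside.calpoly.edu), not against
whatever the CNAME chain finally points to, so a fallback '*.netlify.com'
certificate can never satisfy it. All zone data and certificate names here
are constructed.
"""
import socket
import ssl


# Constructed zone snapshot mirroring the records described in the thread.
ZONE = {
    "inside.calpoly.edu.": ("CNAME", "www.inside.calpoly.edu."),
    "www.inside.calpoly.edu.": ("CNAME", "cpc-inside-cp-blog.netlify.app."),
    "cpc-inside-cp-blog.netlify.app.": ("A", ["104.248.63.248", "104.248.50.87"]),
}


def resolve_chain(name, zone, max_hops=8):
    """Follow CNAMEs in `zone` until an A record; return (chain, addresses)."""
    name = name.lower().rstrip(".") + "."
    chain = [name]
    for _ in range(max_hops):
        rtype, data = zone.get(name, (None, None))
        if rtype == "A":
            return chain, list(data)
        if rtype != "CNAME":
            # Empty answer / NXDOMAIN, as in the "Could not resolve host" curl run.
            raise LookupError(f"no A or CNAME record for {name}")
        name = data
        chain.append(name)
    raise LookupError("CNAME loop or chain longer than max_hops")


def cert_name_matches(presented, hostname):
    """RFC 6125 style matching: a wildcard is only valid as the whole leftmost
    label and matches exactly one label, so '*.netlify.com' covers
    'foo.netlify.com' but neither 'a.b.netlify.com' nor 'foo.netlify.app'."""
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not presented.startswith("*."):
        return presented == hostname
    host_labels = hostname.split(".")
    if len(host_labels) < 3:          # refuse '*.com'-style matches
        return False
    return ".".join(host_labels[1:]) == presented[2:]


def hostname_covered(hostname, san_names):
    """True if any name in the certificate's subjectAltName covers `hostname`."""
    return any(cert_name_matches(n, hostname) for n in san_names)


def diagnose(hostname, zone, san_names):
    """Combine both checks the way a browser does: DNS first, then the TLS name
    check against the ORIGINAL hostname, never against the CNAME target."""
    chain, addresses = resolve_chain(hostname, zone)
    return {
        "cname_hops": len(chain) - 1,
        "final_name": chain[-1],
        "addresses": addresses,
        "cert_covers_hostname": hostname_covered(hostname, san_names),
    }


def fetch_presented_names(hostname, port=443, timeout=5):
    """Live helper (needs network; not used by the offline demo): return the DNS
    names in the certificate a server actually presents for `hostname`.
    Hostname checking is disabled so a mismatched cert can still be inspected;
    chain validation against the system trust store stays on."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed certificate contents for the two situations in the thread.
FALLBACK_CERT_NAMES = ["*.netlify.com", "netlify.com"]
PROVISIONED_CERT_NAMES = ["inside.calpoly.edu", "www.inside.calpoly.edu"]

if __name__ == "__main__":
    print(diagnose("inside.calpoly.edu", ZONE, FALLBACK_CERT_NAMES))
    print(diagnose("inside.calpoly.edu", ZONE, PROVISIONED_CERT_NAMES))
```

Running `diagnose` with the fallback names reports two CNAME hops ending at the netlify.app name and `cert_covers_hostname: False`, which is exactly the HTTPie error above; with a certificate that lists `inside.calpoly.edu` itself the same chain passes. The wildcard rule matters for the advice later in the thread: a `*.calpoly.edu` certificate would cover `inside.calpoly.edu` but not `www.inside.calpoly.edu`, so a double subdomain needs its own name on the certificate.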

Actually, one thought I had right as I hit Send on that last message is, could you switch from

www.inside… = CNAME => Netlify.app
inside… = CNAME => www.inside…

to

www.inside… = CNAME => Netlify.app
inside… = CNAME => Netlify.app

?

I’m wondering if chaining CNAMEs is preventing a cert from being generated or having a problem there. If you have both records CNAME directly to the …netlify.app domain, they should both be assigned to the site equally and behave equally. Yes, the site would load on both URLs, but we could fix that super easily with Netlify Redirects to force traffic to your preferred domain (I do this on all of my sites).

–
Jon

Thank you SO much for your continued insight with this issue Jon. It is very much appreciated. I will get in touch with the sysadmin who is editing these records and request the change that you have suggested. I will keep you posted with any updates!


No worries. I grew up in Santa Cruz so I have some love for CP-SLO :slight_smile: many friends went there

Hopefully we get this figured out!

–
Jon

Hi @luke,

I am attempting some further updates to the DNS and hopefully this will resolve the issue. Thank you so much for your continued support and I will update the thread here with any changes.

@jonsully,

So happy to hear that! It’s always a pleasure to connect with people from the area.

One question I have is whether it is inherently necessary to have both of these records. Do we NEED to have www.inside… as well as inside… as subdomains here? Is this convention or common practice? I ask because that is how several of our other sites were set up previously and I was following that lead.

Would it be better to just have one URL such as inside… and forget the www.inside… completely?

Thanks!

That’s a great question :slight_smile: Since that’s more of a personal-choice decision I typically don’t presume to advise people on what they should do in that area, but since you’ve asked, I would recommend not bothering with a www subdomain (btw, nice call on the bold for domains… that’s way nicer :laughing:) since you’re already on a subdomain.

The www prefix is a bit of an old-school web convention and most sites don’t bother with it anymore. Sites like twitter.com and netlify.com are referred to just like that, not “www.twitter.com” - people just know at this point that it’s an Internet address and they don’t need to try to imply that through “www”.

You have an added layer in this case. inside is already a subdomain of calpoly.edu. The entire conversation above typically only ever applies to root domains (or did, back in the early 2000s) because you have www.root-domain.com and root-domain.com. Since you’re already on a subdomain, inside.calpoly.edu, there’s for sure no need to try to accommodate the old-school “www” prefix.

As a relatable example, my alma mater’s root / marketing page is on denison.edu but the student portal and other resources are on my.denison.edu. If you attempt to go to www.denison.edu it correctly redirects you to the root domain (drops the www) denison.edu and all is well :100:. If you try to go to www.my.denison.edu, it breaks because there’s nothing at the www.my. double-subdomain :slight_smile:

Going that direction should help your DNS routing quite a bit too :+1:t2:

–
Jon


Hi @luke,

The DNS changes that I requested were made earlier this morning. There should now be just one record in place.

inside.calpoly.edu => cpc-inside-cp-blog.netlify.app

It looks like I am still getting the “Check DNS configuration” warning within the Netlify dashboard but the SSL cert is provisioned for this domain. Do I need to worry about this warning?

Hi, @cpcmedia. Yes, I think there is still an issue.

Many of the DNS lookups fail. Here are two failures:

$ dig inside.calpoly.edu  +noall +answer

; <<>> DiG 9.10.6 <<>> inside.calpoly.edu +noall +answer
;; global options: +cmd

Failure two:

$ dig inside.calpoly.edu  +noall +answer

; <<>> DiG 9.10.6 <<>> inside.calpoly.edu +noall +answer
;; global options: +cmd

My third attempt succeeded:

$ dig inside.calpoly.edu  +noall +answer

; <<>> DiG 9.10.6 <<>> inside.calpoly.edu +noall +answer
;; global options: +cmd
inside.calpoly.edu.	275	IN	CNAME	cpc-inside-cp-blog.netlify.app.
cpc-inside-cp-blog.netlify.app.	12 IN	A	165.227.0.164
cpc-inside-cp-blog.netlify.app.	12 IN	A	138.68.244.143

So, there is still an issue with the DNS configuration.

Looking into this deeper I see that there are five DNS servers configured to be authoritative for this domain:

calpoly.edu.		172800	IN	NS	larry.calpoly.edu.
calpoly.edu.		172800	IN	NS	moe.calpoly.edu.
calpoly.edu.		172800	IN	NS	ns4.cenic.org.
calpoly.edu.		172800	IN	NS	ns5.cenic.org.
calpoly.edu.		172800	IN	NS	ns6.cenic.org.

None of the cenic.org servers respond with this record (and instead send the SOA record below):

inside.calpoly.edu.	900	IN	SOA	ns1.calpoly.edu. netadmin.calpoly.edu. 25 10800 3600 2419200 900
;; Received 96 bytes from 137.164.29.69#53(ns5.cenic.org) in 34 ms

Only the moe.calpoly.edu name server replies with this record:

inside.calpoly.edu.	300	IN	CNAME	cpc-inside-cp-blog.netlify.app.
;; Received 91 bytes from 129.65.16.254#53(moe.calpoly.edu) in 35 ms

That issue will need to be resolved before this custom domain will work reliably.

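Luke's diagnosis above, where only one of five authoritative servers returns the record, explains the intermittent failures: a recursive resolver picks among the listed authoritative servers more or less at random, so some lookups land on a server that has the record and some do not. The following is an added example, not code from the original thread or from Netlify, that asks every authoritative server the same question directly and reports which ones disagree. `query_nameserver` shells out to `dig` and needs network access; `demo` feeds `compare_answers` constructed outputs so it runs offline. The nameserver names are the ones quoted above; the outputs are constructed.

```python
"""
Added example, not code from the original thread: ask every server listed as
authoritative for a zone the same question and report which ones disagree.
query_nameserver() shells out to `dig` (network required); demo() feeds
compare_answers() constructed outputs instead so it runs offline. Nameserver
names are the ones quoted in the thread; the outputs are constructed.
"""
import shutil
import subprocess


def parse_dig_answer(text):
    """Parse `dig +noall +answer` output into (owner, ttl, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 5:
            continue
        owner, ttl, rtype = parts[0].lower(), int(parts[1]), parts[3].upper()
        rdata = " ".join(parts[4:]).lower()
        records.append((owner, ttl, rtype, rdata))
    return records


def query_nameserver(nameserver, name, rtype="A"):
    """Live query of one authoritative server (requires `dig` and network).
    +norecurse asks for exactly what that server holds, nothing cached."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig is not installed")
    cmd = ["dig", f"@{nameserver}", name, rtype,
           "+noall", "+answer", "+norecurse", "+tries=1", "+time=3"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return parse_dig_answer(out)


def compare_answers(answers_by_ns, name, rtypes=("CNAME", "A")):
    """Return which servers answered for `name`, which did not, and whether the
    ones that answered agree with each other."""
    wanted = name.lower().rstrip(".") + "."
    have, missing, rdata_sets = [], [], set()
    for ns, records in answers_by_ns.items():
        hits = frozenset(r[3] for r in records if r[0] == wanted and r[2] in rtypes)
        if hits:
            have.append(ns)
            rdata_sets.add(hits)
        else:
            missing.append(ns)
    return {
        "consistent": not missing and len(rdata_sets) == 1,
        "have_record": sorted(have),
        "missing_record": sorted(missing),
        "distinct_answers": len(rdata_sets),
    }


def audit(name, nameservers):
    """Live audit: query every authoritative server and compare."""
    return compare_answers({ns: query_nameserver(ns, name) for ns in nameservers}, name)


# Constructed outputs mirroring the behaviour Luke describes: only one of the
# five authoritative servers returns the CNAME; the rest return an empty
# answer section (their SOA lands in the authority section, which +answer hides).
SAMPLE_OUTPUT = {
    "moe.calpoly.edu": "inside.calpoly.edu.\t300\tIN\tCNAME\tcpc-inside-cp-blog.netlify.app.\n",
    "larry.calpoly.edu": "",
    "ns4.cenic.org": "",
    "ns5.cenic.org": "",
    "ns6.cenic.org": "",
}


def demo():
    parsed = {ns: parse_dig_answer(out) for ns, out in SAMPLE_OUTPUT.items()}
    return compare_answers(parsed, "inside.calpoly.edu")


if __name__ == "__main__":
    print(demo())
```

Against the constructed outputs `demo()` reports the record on `moe.calpoly.edu` only and the other four servers missing it, so `consistent` is false. For a live check, pass the NS names from `dig calpoly.edu NS` to `audit("inside.calpoly.edu", [...])`; the check is worth rerunning after any zone change, because a record that exists on one server is exactly the kind of change that passes a single manual `dig` and still fails for a share of real users.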

The www. prefix on a subdomain is not necessary. However, on a zone apex (example.org), you should use www. (www.example.com). This is largely because an apex domain can’t have CNAMEs, though there are other factors. Some discussion here and here. If you’re using a DNS provider such as AWS Route 53, you can use ALIAS records, but these are (currently?) non-standard.

You should make the apex example.com 301 redirect to the www.example.com subdomain.

If you really don’t like www., I’d recommend using another subdomain instead, e.g. app.