SSL tangle when redirecting to another domain

Hi friends! Please help, I’ve gotten myself into a real tangle.

I used to have two websites:
www.likeafuckinggrownup.com - a Ghost (Pro) site with the DNS managed by GoDaddy.
www.sambeckbessinger.com - a static site hosted by Netlify and the DNS managed by Netlify.

I am trying to consolidate my Ghost (Pro) site onto www.sambeckbessinger.com and 301 redirect any traffic to the old www.likeafuckinggrownup domain there. Because it’s a Ghost site, I don’t think I can follow the domain alias approach; so I’m trying to do this with a _redirects file.

What I’ve done:
www.sambeckbessinger.com

  • I’ve changed the Ghost (Pro) config to recognise www.sambeckbessinger.com as the URL.
  • I’ve changed the DNS records in Netlify to point to Ghost (Pro).

This domain is working exactly as I want it to.

www.likeafuckinggrownup.com

  • I pointed the GoDaddy nameservers to Netlify so I can use Netlify’s DNS.
  • I connected this domain to this Netlify site: vigorous-lichterman-c5511f.netlify.app. www.likeafuckinggrownup.com is the primary domain for this site.
  • To that vigorous-lichterman site, I uploaded a _redirects file.
  • I requested an SSL certificate for the vigorous-lichterman site. In the settings, it says DNS verification was successful.

The contents of the _redirects file:
http://likeafuckinggrownup.com/* https://www.sambeckbessinger.com/:splat 301!
https://likeafuckinggrownup.com/* https://www.sambeckbessinger.com/:splat 301!

The problem:
vigorous-lichterman-c5511f.netlify.app does redirect to www.sambeckbessinger.com exactly as I want it to.

But if I enter www.likeafuckinggrownup.com, I get an SSL error:
ssl424449.cloudflaressl.com
Issued by: COMODO ECC Domain Validation Secure Server CA 2
“ssl424449.cloudflaressl.com” certificate name does not match input

If I enter https://likeafuckinggrownup.com (without the www) I simply get:
Safari can’t open the page because Safari can’t establish a secure connection to the server

Any idea how I can fix this mess? Thanks in advance for your help!
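The two `_redirects` rules in the post use a host-qualified `from`, a `*` splat captured into `:splat`, and the `!` force flag. The following is an added example (not from the thread or from Netlify) that models that rule grammar so you can dry-run a `_redirects` file against sample URLs before deploying it. It is a simplified model: host matching is literal, query strings are ignored, and a non-forced rule is taken to be shadowed when a file exists at the requested path; all of that is assumed here, not documented on this page.

```python
"""Dry-run Netlify-style `_redirects` rules against sample URLs (added example).

Rule grammar modelled here (an assumption, not taken from the thread):
    <from> <to> [<status>[!]]
<from> may carry scheme and host; a trailing `*` in its path is a splat that
is substituted for `:splat` in <to>; a trailing `!` on the status forces the
redirect even when a file exists at the path.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# The two rules from the original post, verbatim.
OP_REDIRECTS = """
http://likeafuckinggrownup.com/* https://www.sambeckbessinger.com/:splat 301!
https://likeafuckinggrownup.com/* https://www.sambeckbessinger.com/:splat 301!
"""


@dataclass(frozen=True)
class Rule:
    scheme: Optional[str]  # None when <from> has no scheme/host part
    host: Optional[str]
    path: str              # path part of <from>; may end with '*'
    to: str
    status: int
    force: bool


def parse_rules(text: str) -> list[Rule]:
    """Parse `_redirects` text; blank lines and `#` comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            raise ValueError(f"bad rule: {raw!r}")
        src, dst = parts[0], parts[1]
        status, force = 301, False
        if len(parts) >= 3:
            force = parts[2].endswith("!")
            status = int(parts[2].rstrip("!"))
        if "://" in src:
            u = urlsplit(src)
            rules.append(Rule(u.scheme, u.netloc.lower(), u.path or "/", dst, status, force))
        else:
            rules.append(Rule(None, None, src, dst, status, force))
    return rules


def match(rule: Rule, url: str) -> Optional[str]:
    """Return the Location `rule` would produce for `url`, or None if no match."""
    u = urlsplit(url)
    if rule.scheme is not None and (u.scheme != rule.scheme or u.netloc.lower() != rule.host):
        return None
    path = u.path or "/"
    if rule.path.endswith("*"):
        prefix = rule.path[:-1]
        if not path.startswith(prefix):
            return None
        splat = path[len(prefix):]
    else:
        if path != rule.path:
            return None
        splat = ""
    return rule.to.replace(":splat", splat)


def resolve(rules: list[Rule], url: str, file_exists: bool = False):
    """First matching rule wins. Returns (status, location) or None when the
    request would be served as-is (no match, or a file shadows a non-forced rule)."""
    for r in rules:
        loc = match(r, url)
        if loc is None:
            continue
        if file_exists and not r.force:
            return None  # assumption: an existing file wins over a non-forced rule
        return r.status, loc
    return None


RULES = parse_rules(OP_REDIRECTS)

if __name__ == "__main__":
    for test_url in ("http://likeafuckinggrownup.com/posts/hello",
                     "https://likeafuckinggrownup.com/",
                     "https://example.com/posts/hello"):
        print(test_url, "->", resolve(RULES, test_url))
```

Because both rules are forced (`301!`), a file uploaded to the redirecting site at the same path would not prevent the redirect; drop the `!` and `resolve(..., file_exists=True)` returns `None` instead.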

Hey there @bcksam002 - maybe @gregraven has ideas; he knows a lot about DNS. Our most DNS-knowledgeable support engineer can also likely help; he comes back on shift on Sunday evening, Pacific time. I will make sure he sees this as well! I bet we can get you some more information at least.

@bcksam002 It looks as though you last made DNS changes to your grownup domain earlier today, so there may be propagation issues. However, propagation seems pretty complete.

The DNS for your grownup site looks fairly good, although there are SSL certificate errors and redirects seem to think that Cloudflare is the server, even though it looks as though you have delegated DNS to Netlify.

Your SBB site seems also to have some DNS oddities. There’s this, for example:

|======================= dig CNAME(s) for =======================
| ------------------ www.sambeckbessinger.com ------------------
| ------------ will be blank when using Netlify DNS -------------
sambeckbessinger.ghost.io.
|================================================================

This site is set up to direct visitors to your apex domain (SBB) to your Netlify files, and the www subdomain for SBB to your Ghost site. This seems at variance with what I’m reading in your OP. I can’t help but wonder if this is the reason why the A records for your apex domain seem truncated.

Thus, while your grownups site shows Netlify as the server, your SBB site does not. I would expect this for the www subdomain because it’s pointed away from Netlify, but not for the apex domain.

Thus in each case, curl is reporting that Netlify is your server AND that visitors are redirected to Cloudflare because of the DNS entries for the Ghost files.

Because Netlify cannot issue SSL certificates for files hosted elsewhere, my guess is that this is why you’re seeing SSL errors. Now, maybe if you installed your Comodo certificate on Netlify, too, you could get around this.

In your shoes, I think I would start by creating a different subdomain for your Ghost install, something like ghost.SBB.com instead of www.SBB.com. This may not fit with your expectations for how things should work, of course. I would think that the first step would be to get the two custom domains redirecting to each other correctly, get the SSL certificate issued, and then work on incorporating your Ghost files into the mix.
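The “certificate name does not match input” error in the original post is exactly what a browser reports when the certificate presented by whatever server the DNS record points at has no subjectAltName covering the hostname that was typed in. The following is an added example (not from the thread) showing the hostname check a browser performs, plus a small probe that asks Python's verifying TLS stack the same question for a live host. The SAN list below is constructed for illustration; the thread only shows the certificate's name `ssl424449.cloudflaressl.com`, not its actual SAN entries.

```python
"""Does a server certificate cover the requested hostname? (added example)

Offline part: subjectAltName dNSName matching with browser-style wildcard
rules (one `*`, leftmost label only, matching exactly one label).
Online part: connect with SNI and full verification, report the failure.
"""
import socket
import ssl

# Constructed SAN list for illustration; the real certificate's SANs are not
# shown in the thread. The first name is the one the browser error displayed.
CONSTRUCTED_SAN = ["ssl424449.cloudflaressl.com", "*.cloudflaressl.com"]


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if a single dNSName `pattern` covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard replaces exactly one label and must be followed by at least
    # two labels, so `*.com` never matches anything.
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(san_dns_names, hostname: str) -> bool:
    """True if any dNSName in the SAN list covers `hostname`."""
    return any(hostname_matches(p, hostname) for p in san_dns_names)


def tls_hostname_ok(hostname: str, port: int = 443, timeout: float = 5.0):
    """Connect with SNI=hostname and full verification; return (ok, detail).

    A name mismatch surfaces as SSLCertVerificationError, whose verify_message
    is the same class of error the browser showed ('Hostname mismatch ...').
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                return True, f"certificate covers {hostname}: {names}"
    except ssl.SSLCertVerificationError as e:
        return False, f"verification failed: {e.verify_message}"
    except (OSError, ssl.SSLError) as e:
        return False, f"connection failed: {e}"


if __name__ == "__main__":
    import sys
    # Offline demonstration with the constructed SAN list.
    for host in ("ssl424449.cloudflaressl.com", "www.likeafuckinggrownup.com"):
        print(host, "covered:", cert_covers(CONSTRUCTED_SAN, host))
    # Live probes for any hostnames given on the command line.
    for host in sys.argv[1:]:
        print(host, tls_hostname_ok(host))
```

Run it with a hostname argument after a DNS change and you get the browser's verdict without a browser: a `False` with “Hostname mismatch” means the record points at a server that is not serving a certificate for that name, which is the situation the original post describes and also why Netlify cannot provision a certificate for a name whose DNS does not point at Netlify.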

Thanks for the extensive explanation, but if you have anything to add please let us know.

Hi, @bcksam002. I’m not seeing now what you were seeing three days ago. So, something has likely changed but I don’t know if the current behavior is the required behavior or not.

For the likeafuckinggrownup.com domain, I’m seeing it redirect to https://www.sambeckbessinger.com/ and concatenating the path in the original request to the new domain:

$ curl -svo /dev/null https://www.likeafuckinggrownup.com/example  2>&1 | egrep '^< '
< HTTP/2 301
< cache-control: public, max-age=0, must-revalidate
< content-length: 55
< content-type: text/plain; charset=utf-8
< date: Mon, 24 May 2021 04:03:13 GMT
< age: 0
< location: https://www.sambeckbessinger.com/example
< server: Netlify
< x-nf-request-id: 6b4892b8-f311-4341-9c10-49679d7e9dbe
<
$ curl -svo /dev/null https://likeafuckinggrownup.com/example  2>&1 | egrep '^< '
< HTTP/2 301
< cache-control: public, max-age=0, must-revalidate
< content-length: 55
< content-type: text/plain; charset=utf-8
< date: Mon, 24 May 2021 04:03:21 GMT
< age: 0
< location: https://www.sambeckbessinger.com/example
< server: Netlify
< x-nf-request-id: 54662b93-cca5-4c80-84e4-55581c5b25f8
<

Note, the site being redirected to isn’t hosted at Netlify. Also, it appears the www subdomain of sambeckbessinger.com is hosted at Cloudflare while the apex domain is not:

$ curl -svo /dev/null https://www.sambeckbessinger.com/example  2>&1 | egrep '^< '
< HTTP/2 301
< date: Mon, 24 May 2021 04:04:43 GMT
< content-length: 0
< status: 301 Moved Permanently
< x-request-id: e37041258b3128929dddc394d18587d6
< location: /example/
< age: 0
< x-cache: MISS
< cache-control: public, max-age=31536000
< x-request-id: e37041258b3128929dddc394d18587d6
< cf-cache-status: DYNAMIC
< cf-request-id: 0a3e24f8460000fda97ab98000000001
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< set-cookie: __cflb=02DiuCzDjsTNptQXPztrAMxcLbhqoj7TmXDoWyBKPy7Up; SameSite=Lax; path=/; expires=Tue, 25-May-21 03:04:43 GMT; HttpOnly
< server: cloudflare
< cf-ray: 6543a43a0963fda9-PDX
<
$ curl -svo /dev/null https://sambeckbessinger.com/example  2>&1 | egrep '^< '
< HTTP/2 301
< server: openresty
< date: Mon, 24 May 2021 04:04:48 GMT
< content-type: text/html
< content-length: 166
< location: https://www.sambeckbessinger.com/example
<

The www response above has server: cloudflare while the apex domain has server: openresty.

So, the redirects for the domain hosted at Netlify appear to be working correctly. For the sambeckbessinger.com domain, we cannot control the SSL or HTTP responses as those domains are not pointing to our systems. The domain uses Netlify DNS but no sites using this domain are using our web hosting.

Note, we recommend not using Netlify DNS for a domain if there are no sites using that domain or its subdomains hosted at Netlify. (This is the case for sambeckbessinger.com.)

If there are other questions about this, please let us know.

@luke, @gregraven, @perry, thank you all so, so much. Everything is now working exactly as I want it to. I didn’t alter anything else, so I do think things just needed to propagate. But I really appreciate your explanations, because I now have a much clearer idea about how everything works. Giant hugs to all of you!


great! glad it is working @bcksam002 - and welcome! come back any time. We like to keep this place super friendly and helpful :netlisparkles: