Hi, we have the Netlify site name: preview-prod-openday-deakin.netlify.app
I have had CNAMED and configured the custom DNS pointing to this: preview-openday.deakin.edu.au
Waiting for the Let's Encrypt cert but it says: Waiting on DNS propagation
Hitting the Verify DNS button comes back with: DNS verification was successful
But on return it's gone back to waiting on DNS propagation. I've already gone round in circles at least 3 times over a few days.
Aha, I spotted the problem. That domain (deakin.edu.au) has settings that will prevent us from provisioning an SSL certificate for ANY host in the domain:
$ host -t CAA deakin.edu.au
deakin.edu.au has CAA record 0 issue "quovadisglobal.com"
deakin.edu.au has CAA record 0 issuewild "digicert.com"
deakin.edu.au has CAA record 0 issue "amazon.com"
deakin.edu.au has CAA record 0 issue "digicert.com"
deakin.edu.au has CAA record 0 issuewild "quovadisglobal.com"
deakin.edu.au has CAA record 0 iodef "mailto:its-systems@deakin.edu.au"
Your IT admins should be able to let you know if they are either:
or willing to set up a special setting for your specific domain, which they can do by adding a CAA record just for it, rather than changing the one for the whole school’s domain.
Finally, they could provide you with an SSL certificate to use that their vendor has generated for them.
Regardless, until that is resolved, we cannot provide SSL for you. I have a bug report on this information not turning up in the UI - sorry to hear you wasted so much time on it!
Thanks. Yes, an error message in the UI would have made this quicker to diagnose.
For the second scenario, if we did go with that option, can I clarify that in principle to keep this domain we would do the following:
We would remove the existing CNAME on the sub-domain “preview-openday.deakin.edu.au”
Add a CAA record directly on that sub-domain to allow Let's Encrypt to issue the cert
Then add an A record for the sub-domain “preview-openday.deakin.edu.au” pointing to netlify (instead of a CNAME)
Being that if a domain has a CNAME it can't have any other records?
Yup, I think you are correct since CNAME cannot coexist with other records. You don’t get the full benefits of our CDN with that configuration, but the A record you would use would be for our load balancer: 104.198.14.52.
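The CAA decision discussed in this thread, as an added example that is not part of the original posts and is not Netlify's or any CA's code: it climbs from the hostname to the closest name that has CAA records and checks whether a CA may issue. The `letsencrypt.org` identifier and the subdomain record are assumptions added for illustration, and CNAME handling is not modelled.

```python
# Parent records are the ones shown by `host -t CAA` in the thread; the
# subdomain record is a constructed example of the second option discussed.
PARENT_CAA = [
    (0, "issue", "quovadisglobal.com"),
    (0, "issuewild", "digicert.com"),
    (0, "issue", "amazon.com"),
    (0, "issue", "digicert.com"),
    (0, "issuewild", "quovadisglobal.com"),
    (0, "iodef", "mailto:its-systems@deakin.edu.au"),
]
ZONE_BEFORE = {"deakin.edu.au": PARENT_CAA}
ZONE_AFTER = {**ZONE_BEFORE,
              "preview-openday.deakin.edu.au": [(0, "issue", "letsencrypt.org")]}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa(fqdn, zone):
    """Climb from fqdn toward the root; the first non-empty CAA set applies."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []


def may_issue(ca_domain, fqdn, zone, wildcard=False):
    """Return (allowed, name whose CAA set decided) for the given CA."""
    name, rrset = relevant_caa(fqdn, zone)
    if not rrset:
        return True, None  # no CAA on the name or any parent: unrestricted
    # An unrecognised property with the critical bit (128) forbids issuance.
    if any(f & 128 and t.lower() not in KNOWN_TAGS for f, t, _ in rrset):
        return False, name
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    props = issuewild if (wildcard and issuewild) else issue
    if not props:
        return True, name  # e.g. only iodef present: no issuer restriction
    # Value is "<issuer domain>[; params]"; an empty domain matches no CA.
    allowed = any(v.split(";")[0].strip().lower() == ca_domain.lower() for v in props)
    return allowed, name


if __name__ == "__main__":
    host = "preview-openday.deakin.edu.au"
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        print(label, may_issue("letsencrypt.org", host, zone))
```

Once the subdomain has its own CAA set, the parent's records no longer apply to that host, so the CAs listed on deakin.edu.au could not issue for it unless they are listed there too.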