How to do DNS & SSL for sub-domain that doesn't run on Netlify?

Netlify manages the DNS settings of my site (say, “”) and its SSL certificate. Now I want to add a sub-domain (such as “”) with an SSL certificate. That sub-domain will belong to a VPS server that runs on DigitalDomain.

So I have two questions that I couldn’t see answered in the Netlify documentation:

  • Is that possible?
  • If so, what DNS records do I need to add at Netlify?
  • If so, how do I get an SSL certificate for that from Netlify?

Thank you!

Karsten Silz

Hi Karsten,

These are fun questions to read and learn from, so I wanted to ask if the sub-domain will be hosted on a VPS – did you mean Digital Ocean? (I looked up Digital Domain and found a film company.)

I.e. are you trying to have a sub-domain that redirects to another server?

You are right: I meant DigitalOcean, and I’ll run it on a VPS there. To be more precise: A Java Spring Boot application, run through a Docker Compose file. So it’s a completely different server on a non-Netlify IP address. So “” goes to Netlify, and “” goes to the VPS on DigitalOcean.

No trouble configuring that here; just add a DNS record in your domain dashboard.

For SSL, we cannot help for non-Netlify sites. On Digital Ocean’s droplet, you can use certbot to manage your own certificate (I use this workflow myself on my own DO droplet where I run some dynamic code that Netlify can’t host):

Thank you for your post! I managed to add a DNS record.

Things won’t be that easy for my Droplet on DigitalOcean: I’m running the Docker nginx proxy and need to use the “Let’s encrypt” companion container for it.

I gave the “Let’s encrypt” companion container a quick try but couldn’t get it to work. So I’m trying to use the SSL certificate that Netlify created for me instead. I’m running an nginx proxy in Docker on CoreOS there. That proxy requires the certificate and private key for the domain as files with a .crt and .key extension.

So can I get the certificate and private key for my domain from Netlify? Or do I need to create my own, new SSL key and use that then in Netlify & DigitalOcean? I managed to save the Netlify certificate in Chrome and Windows and convert it to a .crt file. But I’m missing the .key file which I believe is the private key.

Yes, you cannot use our SSL certificate on other systems; it’s not in a format that is exportable and we have no intention to make it so.

You can proxy from us to them instead, and then we’d handle the certificate and the SSL termination automatically.

Understood. Can you please point me to the documentation for that? Thank you!

@ksilz, the documentation about making proxy rules at Netlify can be found here:

@luke I couldn’t get this to work in a seamless manner: The SSL address of my Netlify showing, but served under the hood by my VPS server on DigitalOcean. The documentation wasn’t particularly helpful to my case, either.

So I gave up and bought a new domain instead over which I have full control. Thank you!

@ksilz, if this is a domain name registered via Netlify, please let us know as we do want to assist with any changes you want to make.

Domains registered through Netlify are not limited by Netlify in any way. If you want to use a domain registered via our service with any third-party (Digital Ocean, Heroku, AWS, etc) you definitely can do this and we are always happy to assist with any questions about this.

I’m reading back over the series of questions and it sounds like there is a domain name either registered with Netlify or using Netlify DNS (for example,

It sounds like you want to have a subdomain of this domain (for example, which points to a Digital Ocean droplet/VPS/system/etc.

In most cases, this would be done by creating a DNS record which links to the droplet. This would normally be an A record if the droplet is referenced by IP address or a CNAME record if the droplet is referenced by hostname.

The DNS record might look similar to this:      600      IN      A

Regarding the SSL certificate for the subdomain, the SSL certificate is controlled by the server responding. If you are directing the subdomain traffic to the Digital Ocean system, then that service will need its own SSL certificate. There is no way to export the SSL certificate from Netlify and use it with a third-party service.

Also, if you want to send us more details about the actual domain names and/or IP addresses at Netlify and Digital Ocean we are happy to help you get that configured.
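
Added example, not part of the original thread and not Netlify's code: a shell check that a `.crt` file and a `.key` file belong together, which is why a certificate saved from a browser cannot be served by the nginx proxy without the private key held by the host that obtained it. It assumes the `openssl` CLI is installed; `sub.example.com` and all files are placeholders generated for the demo.

```bash
#!/bin/sh
# Added example: verify that a certificate and a private key are a pair
# before mounting them into an nginx proxy. All inputs are constructed locally.

# Hash of the public key embedded in a PEM certificate.
cert_pubkey_hash() {
  pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Hash of the public key derived from a PEM private key.
key_pubkey_hash() {
  pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 if the pair matches, 1 if it does not, 2 if a file is unreadable.
cert_matches_key() {
  c=$(cert_pubkey_hash "$1") || return 2
  k=$(key_pubkey_hash "$2") || return 2
  [ "$c" = "$k" ]
}

# Create a throwaway self-signed cert and key: <dir>/<name>.crt and .key
make_demo_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

demo() {
  d=$(mktemp -d) || return 1
  make_demo_pair "$d" sub.example.com   # pair created on the server itself
  # An unrelated key, standing in for "any key you generate afterwards"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$d/other.key" 2>/dev/null
  for key in sub.example.com.key other.key; do
    if cert_matches_key "$d/sub.example.com.crt" "$d/$key"; then
      echo "$key: matches certificate"
    else
      echo "$key: does NOT match certificate"
    fi
  done
  rm -rf "$d"
}

demo
```
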

@luke Thank you for your explanation!

I gave up because I needed a new SSL certificate for my subdomain where the base domain is hosted by Netlify - and has a Netlify SSL certificate. Then it was just easier for me to get a whole new domain name for which I then get the SSL certificate through LetsEncrypt.

@ksilz, if there are other questions about this and/or more we can do to assist, please reply again here anytime.