Let's Encrypt certificate doesn't include branch subdomains after changing the primary domain

Hi,

I’ve changed the primary domain of my site, which has several branch subdomains.
After migration, only the primary domain exists in the Let’s Encrypt certificate and 0 branch subdomains.

What I tried:

  • remove/re-add branch subdomains
  • renew certificate

Nothing has worked until now :frowning:

What to do to renew the certificate with existing subdomains?

Thank you

Hi, @dlecan. What site is this for?

If the site uses Netlify DNS, this should be automatic so if it isn’t working, we’ll be happy to take a look at that.

If the site uses external DNS, then the following instructions cover how to add/change branch subdomains:

Would you please create the DNS records according to those instructions and then reply here to let us know when that is complete?

If the DNS records are created according to those requirements, we’ll be happy to update the SSL certificate to include them. That is a manual process and only our support team can do this at this time (if using external DNS - again, this is all automatic with Netlify DNS).

Please let us know if there are any questions and we look forward to getting the SSL certificate updated.

Yes, it uses Netlify DNS, so yes, it should be automatic :grin:
I send you the site id by DM.

Thank you

Hi, @dlecan. I see that the Netlify DNS configuration was created but that domain is not using our DNS service at this time.

The name servers for the domain are ns111.ovh.net. and dns111.ovh.net.. Those are not name servers used by Netlify. This domain is using external DNS currently.

If you want to enable Netlify DNS, the name servers for this domain will need to be changed to the ones listed in the Netlify DNS configuration for this domain. In that configuration, the following servers are listed:

So, the first step here is either to delete the unused DNS zone at Netlify or to activate it by changing to the name servers above. The zone cannot be left as it is unless you activate it by making the name server changes. The zone must be activated or deleted. There is no third option available.

If you delete the DNS zone at Netlify, then please configure the domain using the external DNS instructions here:

Once that is working, then create the DNS records for the branch subdomains as documented in the common issue I first posted. Once that is done, we can update the SSL certificate to include the branch subdomains here on the support team.

Would you please let us know which solution you want to try? That solution will be either “Netlify DNS” or “external DNS”. Once we know which method is going to be used, we are happy to assist until that method is working.

Thank you for pointing that out, but my configuration is more complex :slight_smile:

I don’t want to delegate the whole domain.tld to Netlify, but a subdomain/subzone, such as my.domain.tld.

It’s already working for other websites hosted on Netlify:

uns.network and unik-name.com domains are not managed by Netlify DNS, but these subdomains/subzones are:

  • explorer.uns.network
  • docs.uns.network
  • docs.unik-name.com

Just to be clear: branch subdomains are working perfectly with subzones delegated to Netlify; the issue comes from the LE certificate generation.

Is it possible to reproduce the configuration already done for other websites?

Thank you

Anyway, I changed the root NS servers of the domain, but the result is the same: subdomains don’t appear in the Let’s Encrypt certificate.

Finally, we managed to get the TLS certificate generation to work … by chance, I would say.
Using subdomains instead of domains doesn’t work very well with LE certificate generation.

This topic is closed, but not really solved.

Hi @luke
The issue now appears for another domain, which was working perfectly until now.


And corresponding generated Let’s Encrypt certificate:

The dalinet branch was removed by mistake, then re-added. But too late, the certificate was already renewed without it :frowning:

I tried to regenerate the certificate, but no luck.

Thank you

Hi, @dlecan, this is happening because you are using the branch subdomains feature and our system thinks you are using Netlify DNS.

You are not using Netlify DNS for this domain, however. This is an unsupported configuration and it will continue to not function correctly until this is changed.

In other words, this is what happens:

  • Our system says, “I need to renew the SSL certificate and this domain is using Netlify DNS.”
  • In reality, your domain isn’t using Netlify DNS.
  • Our systems attempt SSL renewal using a DNS based verification and the SSL renewal fails.

There are two solutions for this.

Solution #1: Activate Netlify DNS for this domain.

If you choose option one, please read the common issue linked below before making any changes:

[Common Issue] How do I migrate a domain to Netlify Managed DNS with zero downtime?

After following the instructions there, change the name servers for this domain to be the ones listed in the Netlify DNS configuration page for this domain:

Solution #2: Delete the inactive Netlify DNS configuration.

This will keep happening unless you delete the DNS configuration. It can be deleted here.

Next, follow the branch subdomain with external DNS instructions found here:

[Common Issue] How to use Netlify’s branch deploy feature without Netlify DNS

Please let us know if there are any questions about this.

Thank you for your answer @luke. Answers below.

Even if the app console says it is?

Even if DNS console says it is?

Even if sandbox.explorer.uns.network and dalinet.explorer.uns.network domains point to the same IP address (answered by Netlify DNS of course), and sandbox.explorer.uns.network is included in the TLS certificate, but not dalinet.explorer.uns.network?

$ dig +short A dalinet.explorer.uns.network
165.22.65.139
$ dig +short A sandbox.explorer.uns.network
165.22.65.139

Ok, I understand you don’t support subzone delegation. So it should be forbidden to register such a subdomain as Netlify DNS because it’s too confusing if it doesn’t work!

Remember, it has been working for months (at least the last 9) for several domains and websites, so, from a client’s point of view, it’s a regression. Maybe it was working by chance; anyway, it was working.

Otherwise, can you explain why sandbox.explorer.uns.network domain is not affected by the issue?

We can’t delegate the whole uns.network domain, as we have other subdomains and subzones handled elsewhere.
Today, we can only delegate a subdomain, such as explorer.uns.network.

Thank you for reading so far :wink:

If you try to create a zone for explorer.uns.network, Netlify DNS will refuse. You said it should be forbidden if it isn’t supported, and it already is forbidden. We already do this.

The DNS zone configured is for uns.network. This isn’t a delegate subzone at Netlify. The DNS zone is configured for the apex/bare/root domain. We do support DNS zones for apex/bare/root domains but this isn’t what is being done.

I would love for you to be able to create a delegated subdomain DNS zone. There are a number of edge cases that are not handled by Netlify DNS and this is one of them.

Should we enter a feature request for delegated subdomains with Netlify DNS? We’d be happy to do so but it isn’t supported yet.

For example, for jane.smith.name, the apex domain is actually jane.smith.name and not smith.name. There is more about the name top-level domain (TLD) here: .name - Wikipedia

Netlify DNS doesn’t handle this TLD’s behavior of including the next two subdomains together as part of the root domain. This is how .name domains function but Netlify DNS isn’t able to recognize this. This makes it impossible to use Netlify DNS for this TLD (.name).

Otherwise, can you explain why sandbox.explorer.uns.network domain is not affected by the issue?

I’m curious and I also want to know. However, my time constraints don’t allow for the troubleshooting of a configuration which is publicly documented as unsupported.

Would you like for us to create a feature request for delegated subdomains with Netlify DNS? If that were to become available, then this configuration would be supported.

For now, however, the only solutions are the two already shared earlier. Please let us know if you are interested in the feature request and/or if there are other questions.
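To make the delegation mismatch discussed in this reply concrete, here is an added example (not Netlify’s code and not part of this thread). It walks a constructed set of NS records upward from a branch hostname to find the zone cut that actually serves it, and contrasts that with a naive check on the apex zone only. The modelling assumption, labelled in the code, is that the provider decides whether a domain “uses Netlify DNS” by looking at the apex zone’s name servers; the managed name-server names are placeholders, and only the OVH names quoted earlier in the thread are taken from the page.

```python
"""Added example (not Netlify's code): model why a subzone delegated to a
hosting provider looks like "external DNS" to a check that only inspects
the apex zone.  All NS data below is constructed; the managed-DNS server
names are placeholders, not real name servers."""

from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed NS records: the apex is served by the registrar's DNS (names
# quoted in the thread), while one subzone is delegated to a placeholder
# managed-DNS provider.
CONSTRUCTED_NS: Dict[str, List[str]] = {
    "uns.network.": ["ns111.ovh.net.", "dns111.ovh.net."],
    "explorer.uns.network.": ["ns1.managed-dns.example.", "ns2.managed-dns.example."],
}

# Placeholder set standing in for the provider's own name servers.
MANAGED_NS: FrozenSet[str] = frozenset(
    {"ns1.managed-dns.example.", "ns2.managed-dns.example."}
)


def normalize(name: str) -> str:
    """Return a lower-case fully qualified name with a trailing dot."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def closest_zone(hostname: str, ns_records: Dict[str, List[str]]) -> Optional[Tuple[str, List[str]]]:
    """Strip leading labels until a zone with NS records is found (the zone cut)."""
    labels = normalize(hostname).rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in ns_records:
            return candidate, list(ns_records[candidate])
    return None


def naive_apex(hostname: str) -> str:
    """Registrable domain assuming a single-label TLD.

    This is exactly the simplification that breaks for TLDs such as .name,
    where the apex can sit one label deeper, as the thread notes."""
    labels = normalize(hostname).rstrip(".").split(".")
    return ".".join(labels[-2:]) + "."


def served_by_managed_dns(zone: Optional[str], ns_records: Dict[str, List[str]],
                          managed_ns: FrozenSet[str]) -> bool:
    """True only if every NS record of the zone belongs to the managed set."""
    if zone is None:
        return False
    servers = ns_records.get(normalize(zone), [])
    return bool(servers) and all(s in managed_ns for s in servers)


def diagnose(hostname: str, ns_records: Dict[str, List[str]],
             managed_ns: FrozenSet[str]) -> Dict[str, object]:
    """Compare an apex-only check (assumed provider behaviour) with the real zone cut."""
    apex = naive_apex(hostname)
    cut = closest_zone(hostname, ns_records)
    zone_cut = cut[0] if cut else None
    apex_managed = served_by_managed_dns(apex, ns_records, managed_ns)
    cut_managed = served_by_managed_dns(zone_cut, ns_records, managed_ns)
    return {
        "apex": apex,
        "apex_managed": apex_managed,
        "zone_cut": zone_cut,
        "zone_cut_managed": cut_managed,
        # A delegated subzone shows up as a disagreement between the two views.
        "delegated_subzone": cut_managed and not apex_managed,
    }


def missing_from_certificate(branch_hosts: List[str], san_names: List[str]) -> List[str]:
    """Branch hostnames absent from a certificate's subject alternative names."""
    sans = {normalize(n) for n in san_names}
    return sorted(normalize(h) for h in branch_hosts if normalize(h) not in sans)


if __name__ == "__main__":
    host = "dalinet.explorer.uns.network"
    for key, value in diagnose(host, CONSTRUCTED_NS, MANAGED_NS).items():
        print(f"{key:>18}: {value}")
    # Constructed SAN list: the certificate was renewed without the re-added branch.
    sans = ["explorer.uns.network", "sandbox.explorer.uns.network"]
    print("missing from cert:", missing_from_certificate([host, "sandbox.explorer.uns.network"], sans))
```

Running it on the constructed data reports `apex_managed: False` but `zone_cut_managed: True`, which is the shape of the situation described above: the subzone really is delegated, yet any logic that only consults the apex’s name servers concludes the domain is on external DNS. The same data structure can be fed with live `dig NS` output for each label to check a real delegation before changing name servers.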

You are the winner @luke, I couldn’t convince you :wink:

Yes, I would like that.

In the meantime, I will use an external DNS with [Support Guide] How to use Netlify’s branch deploy feature without Netlify DNS feature.

Thank you.


Hi, @dlecan. I just wanted to let you know that the feature request has been filed and cross-linked to this community topic.

If/when Netlify DNS is extended to support subdomain delegation, we’ll post an update here to let you know.
