Provision SSL certification in anticipation of Netlify Transition

  • Name of site: gethearth.netlify.app

Hey Netlify Team,

We are planning a transition of our original domain to the Netlify DNS. We have our domain name and DNS set up in AWS Route53, and we would like a subdomain of gethearth.com to point to our production Netlify app, app.gethearth.com.

We are going to need SSL certificates for *.app.gethearth.com and *.gethearth.com in order to support branch subdomains. The first is to provision branch subdomains. The second is to allow us to CNAME staging.gethearth.com to point to the branch subdomain master.app.gethearth.com without any SSL issues.

Before we make this change, we want to test with our staging environment on a different domain shogun.cool with the same DNS and SSL setup.

Is this all possible with Netlify? Thanks for the help!

Cheers,
Zak Allen

Howdy, sorry to be slow to reply. Is gethearth.com’s DNS managed by Netlify?

No worries! Not yet - we currently have our staging domain app.shogun.cool being managed by Netlify. We currently have an NS entry on Route 53 for app.shogun.cool pointing to Netlify.

Hi, @shogun_enterprises, automatic SSL for branch subdomains only works if the custom domain is using Netlify DNS.

This custom domain (shogun.cool) is not using Netlify DNS:

$ whois shogun.cool | grep "Name Server"
Name Server: ns-1239.awsdns-26.org
Name Server: ns-41.awsdns-05.com
Name Server: ns-1917.awsdns-47.co.uk
Name Server: ns-682.awsdns-21.net
Name Server: NS-1239.AWSDNS-26.ORG
Name Server: NS-41.AWSDNS-05.COM
Name Server: NS-1917.AWSDNS-47.CO.UK
Name Server: NS-682.AWSDNS-21.NET

So the automatic SSL for branch subdomains won’t work for this domain and the following instructions apply instead:

The configuration you described above does work with Netlify DNS. However, for external DNS services there is a manual process for SSL (as detailed in the support guide above).

If you want to test our automatic SSL certificates for branch subdomains, Netlify DNS must be enabled first.

Please let us know if there are other questions about this.

So this only works if we have the top level domain DNS set to Netlify? We have the subdomain app.shogun.cool pointing to Netlify’s name servers, is that not sufficient (at least for the SSL certs underneath that domain like the branch domains like master.app.shogun.cool – I understand that requesting a *.shogun.cool SSL certificate may be manual/impossible)? We were hoping to avoid transferring the TLD to Netlify as we use many Route53 specific features for our production domain gethearth.com.

Either way, thank you for linking that guide.

Hey @shogun_enterprises,
It looks like you’ve gotten this working by delegating your subdomain to Netlify and enabling Netlify DNS in your Netlify team for this site. It may continue to work as-is but I would expect not great performance with this DNS configuration. This is not ideal:

$ host app.gethearth.com
app.gethearth.com has address 206.189.73.52
app.gethearth.com has address 167.172.221.254
Host app.gethearth.com not found: 2(SERVFAIL) <--- not good
Host app.gethearth.com not found: 2(SERVFAIL) <--- not good

and the error shown here: https://dnsviz.net/d/app.gethearth.com/dnssec/

As the guide @luke shared mentions, you don’t have to use Netlify DNS to get SSL for your branch subdomains working. You can keep your DNS at AWS and create a CNAME record there linking your subdomain to your Netlify site:

From there, you will have to follow the branch deploy guide and reach out to us for the final step of getting your SSL cert that includes whatever branches you add. It is more manual, but is also a supported and performant configuration. Let us know if you’d like to go that route!

As for a wildcard certificate, we automatically create those for sites that use Netlify DNS. If you are not using Netlify DNS, you will have to bring your own custom wildcard certificate; you can upload that in your site dashboard.
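As an added diagnostic example (not code from the thread or from Netlify), this Python script captures the checks the Netlify replies run by hand: classify which provider a zone's NS records point to, find the closest delegated zone for a branch hostname to decide whether automatic or manual SSL applies, and flag SERVFAIL lines in `host` output. The `nsone.net` pattern for Netlify DNS and the `app.shogun.cool` NS records are assumptions; the Route 53 records and the `host` lines are the ones shown in the thread.

```python
import re
from typing import Dict, List, Optional

# Assumed mapping of name-server suffixes to providers. The awsdns suffix matches
# the whois output in the thread; nsone.net for Netlify DNS is an assumption.
PROVIDER_SUFFIXES = {"awsdns": "route53", "nsone.net": "netlify"}

# Constructed sample zones: apex stays on Route 53 (records from the thread),
# while the app subdomain is delegated to Netlify DNS (assumed NS names).
ZONES: Dict[str, List[str]] = {
    "shogun.cool": ["ns-1239.awsdns-26.org", "ns-41.awsdns-05.com",
                    "NS-1917.AWSDNS-47.CO.UK", "NS-682.AWSDNS-21.NET"],
    "app.shogun.cool": ["dns1.p01.nsone.net", "dns2.p01.nsone.net"],
}

# Constructed copy of the `host` output quoted in the thread.
HOST_OUTPUT = """app.gethearth.com has address 206.189.73.52
app.gethearth.com has address 167.172.221.254
Host app.gethearth.com not found: 2(SERVFAIL)
Host app.gethearth.com not found: 2(SERVFAIL)"""

SERVFAIL_RE = re.compile(r"not found: 2\(SERVFAIL\)")


def classify_nameservers(ns_records: List[str]) -> Optional[str]:
    """Return the single provider a zone is delegated to; None if mixed or empty."""
    providers = set()
    for ns in ns_records:
        ns = ns.lower().rstrip(".")  # whois often repeats records in upper case
        providers.add(next((p for s, p in PROVIDER_SUFFIXES.items() if s in ns), "unknown"))
    return providers.pop() if len(providers) == 1 else None


def delegated_zone(hostname: str, zones: Dict[str, List[str]]) -> str:
    """Walk from the hostname up toward the apex; return the closest zone with its own NS set."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    raise ValueError(f"no delegation found for {hostname}")


def branch_ssl_mode(branch_host: str, zones: Dict[str, List[str]]) -> str:
    """'automatic' when the nearest delegated zone is on Netlify DNS, else 'manual' (bring your own cert)."""
    provider = classify_nameservers(zones[delegated_zone(branch_host, zones)])
    return "automatic" if provider == "netlify" else "manual"


def servfail_lines(host_output: str) -> List[str]:
    """Return the lines of `host` output that report SERVFAIL (the 'not good' lines above)."""
    return [ln for ln in host_output.splitlines() if SERVFAIL_RE.search(ln)]
```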