SSL Breaking for subdomain redirects set with a domain provider

I used Hover as my domain provider for fossresponders.com, and have set up a redirect there from community.fossresponders.com to our Discourse forum. However, the https://community.fossresponders.com redirect fails due to SSL issues. Hover says this is probably an issue with my host. Any ideas?

Hi there, where is the DNS / SSL configured? On Hover or on Netlify?

On Netlify. <# <3 <3

Hi, @RichardLitt, I’m showing this domain name is using Hover for DNS, not Netlify:

fossresponders.com.	172800	IN	NS	ns1.hover.com.
fossresponders.com.	172800	IN	NS	ns2.hover.com.

For that specific domain name, this IP address is returned when I test:

community.fossresponders.com. 900 IN	A	64.98.145.30

This means this URL is going to be answered by that IP address (which is 64.98.145.30) for any HTTP requests (or any other types of network requests for that matter). Here is a curl example below to demonstrate:

$ curl -svo /dev/null https://community.fossresponders.com/
*   Trying 64.98.145.30...
* TCP_NODELAY set
* Connection failed
* connect to 64.98.145.30 port 443 failed: Connection refused
* Failed to connect to community.fossresponders.com port 443: Connection refused
* Closing connection 0

The IP address responding to that web request is 64.98.145.30.

The SSL certificate must be configured on the system answering. This is the system with the IP address of 64.98.145.30. As this isn’t a system that Netlify owns or operates, we cannot help you get an SSL certificate working here. You will need to contact the administrator(s) for that system about getting an SSL certificate working there.

To summarize, Netlify can only provide SSL certificates for domain names which point to Netlify. This domain name points to a different service so you will need to contact the support team for that service to get the SSL certificate working there.

If there are any questions about this, please let us know.

Thank you, @luke. Confusingly, Hover told me to go ask my hosting provider, as they said it wasn’t in their wheelhouse. So, now I am more confused. I’ve taken this information back to them.

Thanks, again.


Ok. Hover changed the domain to point an A record with host ‘community’ to point to a different IP. I’m not sure why they did this, especially as the IP went to Google’s. I’ve used dig on fossresponders.netlify.com, and now I am sending the A record for community to: 198.199.66.189. I think that should put it into Netlify’s wheelhouse?

Hi, @RichardLitt. There are several issues affecting the current configuration.

First, using an A record to point to Netlify is the opposite of our best practice. There is more about this in our documentation. We recommend using a CNAME for the site subdomain at Netlify.

The only time A records should be used is for apex/bare/root domains and, even then, only as a last resort if other options are not available (like ALIAS type records). Using the A record means all traffic is sent to a single CDN node instead of traffic being routed to the CDN node closest to the visitor. The IP address 198.199.66.189 is near New York. All global traffic around the world will now be directed to a single system instead of going to one of the scores of CDN nodes around the world.

Using a CNAME is what enables the GeoIP lookup (sending a visitor to the closest CDN node) and allows the full CDN to be used by a site.

The second issue is that this domain isn’t linked to a Netlify site at this time. The custom domain needs to be added to the site itself here:

https://app.netlify.com/sites/fossresponders/settings/domain

Third, there are no redirect rules for that site at Netlify. The most recent deploy (as I write this) can be found here:

https://app.netlify.com/sites/fossresponders/deploys/5e9e0b681b6b6a00067ae702

There it says:

No redirect rules processed

This deploy did not include any redirect rules. Learn more about redirects.

All three of those issues should be corrected. Once all those changes have been made, the SSL certificate can be provisioned here.

If there are questions about any of this, please let us know.

That all did it! Thank you for the clear advice on how to get this working. I really appreciate it. :slight_smile:
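
The DNS checks from the staff replies above (who runs DNS for the zone, and whether the subdomain is a CNAME to the Netlify site or a bare A record), as an added example that is not part of the original thread. The function names, the "after" CNAME records and the 192.0.2.10 address are constructed for illustration; on a live system, pipe `dig +noall +answer <name>` into the functions instead of the sample strings.

```shell
#!/bin/sh
# Added example: read `dig +noall +answer` lines on stdin and report how a
# hostname is pointed, which decides where its TLS certificate has to live.

# ns_hosts ZONE: print the NS targets for ZONE, lower-cased, sorted, one per line.
ns_hosts() {
    awk -v zone="$1" '
        function norm(s) { s = tolower(s); sub(/\.$/, "", s); return s }
        NF >= 5 && toupper($4) == "NS" && norm($1) == norm(zone) { print norm($5) }
    ' | sort -u
}

# classify_answer NAME TARGET: print one of
#   cname-ok     NAME is a CNAME to TARGET (or to a host under it)
#   cname-other  NAME is a CNAME to an unrelated host
#   a-record     NAME is answered directly by A/AAAA records
#   no-record    no answer for NAME
classify_answer() {
    awk -v name="$1" -v target="$2" '
        function norm(s) { s = tolower(s); sub(/\.$/, "", s); return s }
        BEGIN { want = norm(name); tgt = norm(target); result = "no-record" }
        /^[ \t]*(;|$)/ { next }                 # skip dig comments and blank lines
        NF < 5 || norm($1) != want { next }     # ignore records for other names
        toupper($4) == "CNAME" {
            host = norm($5); n = length(host) - length(tgt)
            under = (n > 0 && substr(host, n) == ("." tgt))
            result = (host == tgt || under) ? "cname-ok" : "cname-other"
            cname = 1; next
        }
        toupper($4) ~ /^(A|AAAA)$/ && !cname { result = "a-record" }
        END { print result }
    '
}

# Sample input in dig answer format. The NS and A records are the ones quoted
# in the thread; the CNAME pair is a constructed "after" state.
NS_SAMPLE='fossresponders.com. 172800 IN NS ns1.hover.com.
fossresponders.com. 172800 IN NS ns2.hover.com.'
BEFORE='community.fossresponders.com. 900 IN A 64.98.145.30'
AFTER='community.fossresponders.com. 3600 IN CNAME fossresponders.netlify.com.
fossresponders.netlify.com. 20 IN A 192.0.2.10'

printf '%s\n' "$NS_SAMPLE" | ns_hosts fossresponders.com
printf '%s\n' "$BEFORE" | classify_answer community.fossresponders.com fossresponders.netlify.com
printf '%s\n' "$AFTER" | classify_answer community.fossresponders.com fossresponders.netlify.com
```

A result of `a-record` or `cname-other` means the host behind that record, not the expected target, answers on port 443 and is the one that needs the certificate.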