I'm working on a Ruby on Rails SaaS app with a custom subdomain for each company. When a company signs up, the user is redirected to her subdomain.myapp.io.
The app is hosted on Heroku and DNS are managed at CloudFlare. I use the free SSL feature provided by CloudFlare, which works as expected for https://myapp.io.
My issue is about having SSL active for the subdomains. I wonder if this is possible without buying a wildcard SSL certificate.
CloudFlare DNS setup:
myapp.io. 300 IN CNAME myapp.herokuapp.com.
*.myapp.io. 300 IN CNAME myapp.herokuapp.com.
Heroku domains setup:
myapp.io
*.myapp.io
This works, but without SSL on subdomains. It is not possible to use CloudFlare features (such as SSL Full) for wildcard subdomains (except for Entreprise plan users).
I think I need to buy a wildcard SSL certificate for my domain ($115/year) and add the SSL Endpoint Heroku add-on ($7/month). Am I wrong?
Short answer:
You can't have a free wildcard SSL (Full protection) for subdomains on CloudFlare (Free plan).
Long answer:
I mean using wildcard with CloudFlare (Free plan), CloudFlare proxy protection and acceleration are bypassed (no orange cloud) so your origin server SSL certificate will be used instead. So to enable SSL you need to add a CNAME record for each subdomain (the cloud icon should be orange).
Example:
foo.myapp.io. 300 IN CNAME myapp.herokuapp.com.
bar.myapp.io. 300 IN CNAME myapp.herokuapp.com.
(You don't need to add any record for custom domains in Heroku if you already have *.myapp.io)
[EDIT]
Maybe you can add DNS records dynamically via CloudFlare's API (https://api.cloudflare.com/#dns-records-for-a-zone-create-dns-record)
(I didn't try that...)
Workaround:
As you said:
Pay for CloudFlare Enterprise
Buy a wildcard SSL certificate + Heroku SSL SNI (https://devcenter.heroku.com/articles/ssl-beta)
Hope it will help.
Related
I am pretty new with the domain configuration part. I want to know that can I generate SSL only for my subdomain I didn't want to add the root domain with CLOUDFLARE because my root domain already has SSL certificate. Is it possible to do that? I have purchased my domain from the GODADDY. I will add the generated SSL certificate to IIS.
Please help me out !!
Edit: I don't want to add my root domain to CLOUDFLARE because if I will do it I have to change my NAMESERVER for the same and my root domain already has SSL.
I believe what you're looking for is the CNAME setup on Cloudflare. This is the alternative method of Name Server setup. However, this setup requires a Business plan. With CNAME setup, you can have just a certain subdomains to be used with Cloudflare. With proxy turned on the subdomain, you'd get the usual Universal SSL certification from Cloudflare.
Im using hostgator as my host.They do not provide free ssl certificate.So im using cloudflare free ssl certificate for my site.SSL certificate working everywhere except Cpanel.
I tried manually adding ssl through cpanel option.But not really working!Is there any way i can add it there?
Or it will be really good if my cpnael url cpanel.site.com won't just show up to that address.
If you want to use the CloudFlare SSL certificate then there is no need to add that SSL certificate to yoru cpanel nor to your site. Read the cloudflare documentation in order to see how to create and use Page Rules and their SSL certificate. cPanel has nothing to do with it. CF works just fine with cPanel/WHM and pretty much with any other related hosting panel. Your site can be http only in cPnel and then you do the HTTPS redirection from Clouflare using their Flexible SSL and page rules
cpanel.yourdomain.com ssl is related to server side. If your host allow autossl with Let's Encrypt (for example) then it will install ssl for all your necessary subdomains like webmail, cpanel, mail, www etc. If you are installing ssl manually, then you cannot install it for cpanel subdomain. However if you want to use cpanel securely and have enabled ssl with yourdomain.com the you can use it:
https://yourdomain.com:2083
I am using cloudflare to proxy requests to my server and within my server I have added support for subdomains. The issue is that my server only has an ssl certificate issued to the root domain, but the cloudflare certificate has support for wildcards. Whenever there is a request to the root domain the ssl certificate from cloudflare is used but when I try to access a subdomain my server's certificate is used and I get a nasty the domain is insecure error. Any suggestions as to how I can fix this? There is a CNAME record within cloudflare which has the * name as an alias to my domain.
If you're on a Free CloudFlare account, only browsers with SNI support work. This is so CloudFlare doesn't need to assign an IP for every free client; using a Pro account you can have support for legacy browsers which don't support SNI.
I've let cloudflare manage the DNS of my example.com
I have created id.example.com for country's specific customer. I've done it by created cname id with alias example.com
I need to create customer portal: my.id.example.com. How?
In Cloudflare, open the DNS records for domain.example
Create a A record for example.id and enter the IP where my.id.domain.example will be hosted, and add record
Setup the site my.id.domain.example at the IP you specified
If domain.example is on Cloudflare and the Cloudflare nameservers have propagated, the sub-sub domain propagation should be more or less instant
As correctly noted by ThorSummoner and user296526, this will work on the Cloudflare free plan if you aren't using SSL.
If you want to have a sub sub domain with SSL on Cloudflare, you need to a dedicated Cloudflare dedicated SSL certificate which is available as a paid plan. To quote from the Cloudflare site:
Cloudflare Dedicated Certificate with Custom Hostname: $10 per domain
per month
Includes all benefits mentioned above for Dedicated Certificates
Protects your domain, subdomains (*.example.com), as well as up to 50
additional hostnames Can extend protection beyond first-level
subdomains (*.www.example.com, not just *.example.com) Dedicated SSL
certificates typically provision within a few minutes but can take up
to 24 hours.
Full details here
The accepted answer works fine only if you are not using SSL. As mentioned by #ThorSummoner, cloudflare wildcard SSL certificate is only valid for your domain example.com and *.example.com. It is NOT valid for *.*.example.com (Sub Subdomains or fourth level subdomains).
In order to have SSL for your fourth level subdomains, you will have to be on a paid cloudflare plan and will also need to buy a dedicated SSL certificate from within cloudflare control panel.
Please refer to below pages for more info:
https://support.cloudflare.com/hc/en-us/articles/219453397-Can-I-use-CloudFlare-SSL-certificates-on-my-fourth-level-subdomain-
https://support.cloudflare.com/hc/en-us/articles/228009108-Dedicated-SSL-Certificates
You need to create the subdomains at your hosting provider first, then you would come to your CloudFlare DNS settings and enter in the DNS records so that it resolves.
CloudFlare doesn't support true subdomains (i.e., subzones with nameserver delegation). But it does support what you want, i.e. specific records within a subdomain served by the same zone.
Simply create your record as you would any other record, and use my.id as the name (note the dot.) Lookup will work as you would expect it.
I have my domain CNAME point to myapp-mynamespace.rhcloud.com however it throws this certificate error:
Doing rhc alias add proxy proxy.mynamespace.com would do the trick.
However, I just want to point arbitrary domain CNAME (like ww2 of xyz.com, abc.com or somedomain.com) to myapp-mynamespace.rhcloud.com
How do I get around this ssl issue, is it possible that when I point ww2 CNAME of xyz.com to my openshift app (myapp-mynamespace.rhcloud.com) it will not do https or ssl thing--just plain http.
You don't want a CNAME record, you want a web redirection, else the domain name will remain the one that points to rhcloud.com and the certificate will still be invalid for your web clients.
If you want to use SSL with your custom domain on OpenShift then you will need to upgrade to the Bronze or Silver plan and purchase an SSL certificate and install it for your alias.