How Do I Create Sub-Sub-Domain on Cloudflare DNS? - cloudflare

I've let cloudflare manage the DNS of my example.com
I have created id.example.com for country's specific customer. I've done it by created cname id with alias example.com
I need to create customer portal: my.id.example.com. How?

In Cloudflare, open the DNS records for domain.example
Create a A record for example.id and enter the IP where my.id.domain.example will be hosted, and add record
Setup the site my.id.domain.example at the IP you specified
If domain.example is on Cloudflare and the Cloudflare nameservers have propagated, the sub-sub domain propagation should be more or less instant
As correctly noted by ThorSummoner and user296526, this will work on the Cloudflare free plan if you aren't using SSL.
If you want to have a sub sub domain with SSL on Cloudflare, you need to a dedicated Cloudflare dedicated SSL certificate which is available as a paid plan. To quote from the Cloudflare site:
Cloudflare Dedicated Certificate with Custom Hostname: $10 per domain
per month
Includes all benefits mentioned above for Dedicated Certificates
Protects your domain, subdomains (*.example.com), as well as up to 50
additional hostnames Can extend protection beyond first-level
subdomains (*.www.example.com, not just *.example.com) Dedicated SSL
certificates typically provision within a few minutes but can take up
to 24 hours.
Full details here

The accepted answer works fine only if you are not using SSL. As mentioned by #ThorSummoner, cloudflare wildcard SSL certificate is only valid for your domain example.com and *.example.com. It is NOT valid for *.*.example.com (Sub Subdomains or fourth level subdomains).
In order to have SSL for your fourth level subdomains, you will have to be on a paid cloudflare plan and will also need to buy a dedicated SSL certificate from within cloudflare control panel.
Please refer to below pages for more info:
https://support.cloudflare.com/hc/en-us/articles/219453397-Can-I-use-CloudFlare-SSL-certificates-on-my-fourth-level-subdomain-
https://support.cloudflare.com/hc/en-us/articles/228009108-Dedicated-SSL-Certificates

You need to create the subdomains at your hosting provider first, then you would come to your CloudFlare DNS settings and enter in the DNS records so that it resolves.

CloudFlare doesn't support true subdomains (i.e., subzones with nameserver delegation). But it does support what you want, i.e. specific records within a subdomain served by the same zone.
Simply create your record as you would any other record, and use my.id as the name (note the dot.) Lookup will work as you would expect it.

Related

Heroku Automated Certificate Management failed with one domain

I am trying to get the SSL certification for my app with Heroku, but the Automated Certificate Management is failing for one of both domain names.
I created the dyno before March 2017, so I had to run heroku certs:auto:enable as explained here.
Then, heroku domains returns:
Domain Name DNS Record Type DNS Target
─────────────── ─────────────── ─────────────────────────────
example.com ALIAS or ANAME example.com.herokudns.com
www.example.com CNAME www.example.com.herokudns.com
This seems to be in line with what heroku expects.
Anyway, heroku certs:auto returns:
Domain Status
─────────────── ────────────
example.com Failing
www.example.com OK
I admit that I am quite illiterate for settings concerning domains, DNS and so on. Therefore, this might be a very simple mistake from my side. However, I read the Heroku troubleshooting documentation and also similar questions in SO such as a this one or this one and still have no clue what is wrong.
The fact that www.example.com is OK but example.com is failing just confuses me even more. And unfortunately, I received a notification email with no failure reason.
Namecheap
I guess the problem is either on Heroku or where I bought the domain. That is Namecheap.com.
There, at the Domain tab I have:
NAMESERVERS Namecheap BasicDNS
REDIRECT DOMAIN Source URL Destination
example.com http://www.example.com
And at the Advanced DNS tab:
Type Host Value TTL
------------- ----- ------------------------------- -------
CNAME Record www example.com.herokudns.com Automatic
TXT Record # google-site-verification... Automatic
URL Redirect Record # http://www.example.com/ Unmasked
What am I doing wrong?
Update
The issue seems to be due to Namecheap. I found the following ticket on Heroku:
Issue
User is having trouble pointing their root domain (aka apex
domain/naked domain) to their Heroku app, either with setting the
right DNS records, or accessing it over HTTPS.
Resolution
Root domains on Heroku require the use of "CNAME-like" records, often
referred to as ALIAS or ANAME records.
Unfortunately, a number of popular DNS hosts such as GoDaddy,
Namecheap, Bluehost, and others do not support these types of records.
Instead they tend to offer the following:
A records
URL redirects / forwarding
There are caveats with both of these options...
Surprisingly, I did not find any place where all the steps were explained clearly. What I did so far is:
Open an account with a DNS host that supports this. I took DNSimple. At the time of writing, prices start from 5€/month but there is a trial month for free.
Transfering the domain costs 14€/year, so I just pointed the name servers at Namecheap to DNSimple and added the domain to DNSimple to create the DNS records.
Then came the configuration on DNSimple. I followed the step 1 in the documentation to redirect HTTP to HTTPs; ignored the step 2, since Heroku's ACM had already done it; and for the step 3 the article Pointing the Domain Apex to Heroku was very helpful. I added manually an ALIAS record and I also added a CNAME record, like this:
Type Name Content
───── ─────────────── ───────────────────────
ALIAS example.commyapp.com.herokudns.com
CNAME www.example.commyapp.com.herokudns.com
At the beginning nothing was working and the browser showed the following error:
This site can’t be reached
www.example.com’s server IP address could not be found.
Checking the troubleshotting documentation I saw that the only possibility was the Name server propagation delay, so I waited. It felt like a very long time, but it actually took less than one hour until the site got online again.
However, the SSL certification keeps failing more than 48 hours later...
For future reference: after contacting Heroku support, they manually refreshed my certificate request and it was finally issued for my app...
Check the answer here especially the CloudFlare solution as it is free
Automated certificate management also provisions you a free SSL cert
from https everywhere. You don’t need to buy a cert.
However namecheap won’t work with ACM because they don’t allow an
“alias” record for your “apex” domain I.e. your domain with no
subdomain so https://example.com not https://www.example.com
Your options are switch to a dns registrar that supports an “alias”
record such as dnsimple. They charge $5 a month in addition to the
domain registration fee.
Or alternatively use a free cloudflare instance which comes with SSL.
If you already bought a cert there is a way to upload it to Heroku via
an SSL addon.
I use both DNSimple/Heroku ACM on some apps and cloudflare on some
others. Both are equally nice but cloudflare is free and gives you a
CDN too.
https://www.reddit.com/r/Heroku/comments/7wh5r4/setting_up_ssl_with_heroku_namecheap/

CloudFlare, free SSL and subdomains with www

I have a somedomain.com on CloudFlare with free SSL. And I have subdomains: eg. pl.somedomain.com.
SSL works on:
https://somedomain.com
https://www.somedomain.com
https://en.somedomain.com
https://pl.somedomain.com
but not works on:
https://www.pl.somedomain.com
https://www.fr.somedomain.com
So I am looking for some solution these subdomains work.
http://www.fr.somedomain.com redirects to https://www.fr.somedomain.com
and I have error.
Is any solution using .htaccess or Page Rules to do this?
This is a limitation of SSL in general. No browsers support multi-level wildcard certificates and no trusted CA will issue them (in SSL world www. is also counted as sub-domain). The free universal SSL certificate provided by Cloudflare supports the root and wildcard domain on a shared certificate. For more levels, dedicated certificates or custom host names a different certificate is needed.
If you are looking to secure multiple wildcard domains, but want to keep them all under one certificate, than you should go for the Multi-Domain Wildcard SSL certificates.
Multi-Domain Wildcard Certificates can secure both fully-qualified domain names and wildcard domains within their SAN entries. The coverage for a Multi-Domain wildcard certificate would look like this:
Common Name: domain.com
SAN 1: *.website.org
SAN 2: www.example.net
SAN 3: *.mail.site.com
SAN 4: address.edu
I am not sure if you can apply page rules to 2 level deep domain names, but give the following a try (based on tutorial from CloudFlare):
Redirect from pattern:
https://www.*.somedomain.com/*
to:
https://$1.somedomain.com/$2
On the CloudFlare website, they mentioned redirecting by using the redirect option in their control panel.
1. Go to Control panel and select page rules.
2. On page rule section add new URL and make sure to select forwarding option enabled.
3. Enter the destination URL and select the forwarding type.
For example,
Example forwarding to Google+:
Imagine you have a Google+ profile and you want to make it easy for anyone coming to get to simply by going to a URL like:
*www.example.com/+
*example.com/+
Give that a try, and if you are still getting this issue afterward, I advise checking this list of other SSL providers that is free.

SSL on wildcard subdomains with CloudFlare and Heroku

I'm working on a Ruby on Rails SaaS app with a custom subdomain for each company. When a company signs up, the user is redirected to her subdomain.myapp.io.
The app is hosted on Heroku and DNS are managed at CloudFlare. I use the free SSL feature provided by CloudFlare, which works as expected for https://myapp.io.
My issue is about having SSL active for the subdomains. I wonder if this is possible without buying a wildcard SSL certificate.
CloudFlare DNS setup:
myapp.io. 300 IN CNAME myapp.herokuapp.com.
*.myapp.io. 300 IN CNAME myapp.herokuapp.com.
Heroku domains setup:
myapp.io
*.myapp.io
This works, but without SSL on subdomains. It is not possible to use CloudFlare features (such as SSL Full) for wildcard subdomains (except for Entreprise plan users).
I think I need to buy a wildcard SSL certificate for my domain ($115/year) and add the SSL Endpoint Heroku add-on ($7/month). Am I wrong?
Short answer:
You can't have a free wildcard SSL (Full protection) for subdomains on CloudFlare (Free plan).
Long answer:
I mean using wildcard with CloudFlare (Free plan), CloudFlare proxy protection and acceleration are bypassed (no orange cloud) so your origin server SSL certificate will be used instead. So to enable SSL you need to add a CNAME record for each subdomain (the cloud icon should be orange).
Example:
foo.myapp.io. 300 IN CNAME myapp.herokuapp.com.
bar.myapp.io. 300 IN CNAME myapp.herokuapp.com.
(You don't need to add any record for custom domains in Heroku if you already have *.myapp.io)
[EDIT]
Maybe you can add DNS records dynamically via CloudFlare's API (https://api.cloudflare.com/#dns-records-for-a-zone-create-dns-record)
(I didn't try that...)
Workaround:
As you said:
Pay for CloudFlare Enterprise
Buy a wildcard SSL certificate + Heroku SSL SNI (https://devcenter.heroku.com/articles/ssl-beta)
Hope it will help.

EV SSL on main domain and Wildcard SSL for subdomains

Can I have EV SSL for my main domain (say www.example.com) and Wilcard SSL for my subdomains (say eb1.example.com, eb2.example2 etc)?
If yes, then can you please let me know how to configure it?
If not, then please suggest me alternate methods.
All the subdomains and the domain will be hosted on Amazon and will have one IP.
Yes, you can purchase an EV SSL Certificate for your main domain and wildcard SSL certificate for the sub domain names.
Please ensure that the Main domain has a dedicated IP Address and it is not shared with the sub domains.
You can have use multiple certificates at the same time which overlap in the subjects like in your case. To have multiple certificates for the same IP address the serve and client must support SNI. Most modern server and browsers do. But older browser like IE8 on XP do not and support within non-browser application is mixed.

ssl certificate for several domains, one IP

AFAIK, SSL is assigned to a single domain name (maybe several subdomains via wildcard).
On the other hand i heard that the webserver does not see the domain before it serves the ssl?
If I have multiple domains running as vhosts on one IP address:
Q1: Can the webserver serve the appropriate respective SSL to the sites?
Q2: Is there a way to have only one multi-domain SSL serving two domains on one IP?
Illuminate me out of confusion brought upon me by this seemingly self-contradictory quote:
Regular SSL Certificates are issued for a single FQDN (Fully Qualified
Domain Name). The domain using the certificate has to have its own
unique external IP address from which to be served. In practice, this
means that if you have multiple domains on a single IP address/server,
then you had to install a separate certificate on each domain you
wanted to secure.
The reason for this is the use of 'Host-Headers'. They allow a
web server to use a single IP address to serve many separate sites
with different FQDNs. They do this by identifying the incoming request
for a webpage, and routing it to the correct site accordingly.
When an SSL connection is initiated, the server must send a
certificate to the client - before it knows the host-header of the
request. The only identifying piece of data it has is the requested IP
address. As such, two or more sites on one IP address cannot use
different SSL certificates....
Q1> the web server doesn't need to know the domains embedded in an SSL cert. only the browser does since it's the one making sure the domain in the certificate matches the domain in the address bar. The web server just serves up the cert bound to the ip address, regardless of what domain is in the certificate.
Q2> what you describe is a SAN or UC certificate. They are designed to do what you stated, namely allow multiple domains to share one cert on one ip address. Check out this link on Subject alternative names for more info