G Suite Custom URLs

sdaouk · October 15, 2019, 7:59pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mango wave.com

I ran this command: requesting a custom urls “mail.mangowave.com”, “calendar.mangowave.com”, or “drive.mangowave.com”

It produced this output: ERR_CONNECTION_CLOSED because domains were loaded using https

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: fastcomet.com

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

my website is running correctly but it seems the issue is mainly with Safari and Chrome browsers; when accessing the custom urls (“mail.mangowave.com”, “calendar.mangowave.com”, or “drive.mangowave.com”) I get the following error: ERR_CONNECTION_CLOSED.

However, when I access them in Microsoft Edge browser, it loads correctly. It seems that this has to do with the fact that Safari and Chrome insist on loading the sites with https:// instead http:// even when I type it out it’s redirecting to https.

Any idea as to why?

schoen · October 15, 2019, 8:10pm

Hi @sdaouk,

Your main domain sends this header:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

The meaning of that header is that you want to request all browsers in the world to request all subdomains of mangowave.com via HTTPS only. If that’s not the behavior that you want, you should exclude includeSubDomains or not send this HSTS header at all.

sdaouk · October 16, 2019, 2:35pm

I made the changes and now my domain according to: https://hstspreload.org doesn’t have HSTS preloaded but the other subdomains do? Any ideas?

stevenzhu · October 16, 2019, 4:32pm

Hi @sdaouk,

According to Google GSuite help article, it's currently impossible to obtain a certificate for your GSuite custom domains (links / urls) when you point the server directly onto Google CNAMEs.

Source:Customize a Google Workspace service URL - Google Workspace Admin Help

Your domain is set up with a security measure, such as HTTP Strict Transport Security, which requires HTTPS connections. The Admin console supports only HTTP connections for custom URLS, so you can't customize service addresses for your domain. You can check the HTTP Strict Transport Security status for your domain at https://hstspreload.org.

Thank you

maxh · October 18, 2019, 5:15am

The custom domains Google sets up are just redirects from https://‍[service].[yourdomain]/ to
https://‍[service].google.com/‍a/‍[yourdomain]. You can have your own server do that instead. (Yes,it should be handled by Google, but doing it yourself is a one-time mild annoyance.)

system · November 17, 2019, 5:15am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.