How To Enable A Link Tracking Sub Domain (Surely I'm Not The Only One Who's Wanted To Do This!)

Hi

I’m trying to enable a link tracking subdomain via Let’s Encrypt SSL.

My links go via:
https://links.lab41.co/prod/c00184b9-f5e1-407e-8a2e-0743a9fa99de/62e87171-a443-4838-9b41-ee9bfb724d44/https%3A%2F%2Ftwitter.com%2Fcapetowninsider

But links.lab41.co is not enabled in the SSL and I have HSTS so I get a secure error.

How do I enable ‘links’ and other subdomains on my SSL so that the link tracking works? (I’m using the free Let’s Encrypt that’s on my server)

Any help is greatly appreciated!

You could create a new certificate for this domain, e.g.:

sudo certbot run --apache -d links.lab41.co

Or you could expand your existing certificate to include this domain:

sudo certbot run --cert-name lab41.co --expand -d links.lab41.co

Use certbot certificates to list the certificates on your server and identify the correct certificate name.

The choice is yours as long as you have less than 20 subdomains. If you’re approaching that many you should familiarize yourself with the rate limits and combine certificates as much as possible.

Hi

I’m not a tech person, is there any way to do it within my cpanel? If so, how?

Regards
Alex

Hi

I’ve asked hosting and they have said: However, this ‘certbot’ utility is not installed on your VPS.

Also, I am unable to install SSL for the given domains as they are pointing to remote servers.
We can install lets encrypt SSL for those domains by creating them as sub-domains, however it is also not possible due to the existing DNS entries (CNAME records) for those domains.

Surely there is an easier way?

It’s very unusual that you can reconfigure remote servers, well, remotely, unless you have specific system administration tools set up to facilitate this. Where are those remote servers and how are they administered? You can probably most readily get them set up with HTTPS and Let’s Encrypt certificates through their own administrative interfaces.

As an analogy, EFF (where I work) has a large number of different servers, such as www.eff.org, supporters.eff.org, and mail2.eff.org. All of them do have certificates, but our system administrators most likely had to go and perform administrative tasks directly on each separate server in order to get those certificates issued and installed. That’s the common case where multiple servers are installed. There is no unified “eff.org control panel” that would allow remotely controlling all of these different servers just because they happen to have names under eff.org and be used by the same organization.

There are organizations that have managed to set up this kind of highly centralized server administration, but it took specific effort on their part at the outset and extra engineering, as well as installing some kind of remote-control software onto all of the servers. If you haven’t done this, you’re probably in the default condition where every server is going to managed entirely independently of every other server, notwithstanding the fact that they have related domain names.

The ability to designate a server as having a particular domain name is something that you can do unilaterally within a DNS zone; the server doesn’t have to know about that or cooperate with it. For example, you could choose to give www.whitehouse.gov or www.google.com an alias under your lab41.co domain name (perhaps whitehouse.lab41.co or google.lab41.co or something), and then their servers could be reached at those names! However, doing this wouldn’t mean that you could then administer those servers or change the content that they serve. It would make their administrators eligible to receive domain-validated certificates for the lab41.co subdomains that you gave them, but you wouldn’t be able to make those servers install any such certificates without the cooperation of their administrators.

Hi Schoen

Thanks for the detailed response!

Let me step back a few steps because I might have used the wrong term.
I have a VPS with a domain on it. Lab41.co
It has a Let’s Encrypt option in the Cpanel which I’ve enabled for the domain.

Now I want to add link/click tracking subdomain to lab41.co. E.g. track.lab41.co or links.lab41.co
(Like This: http://docs.mailshake.com/article/138-how-do-i-customize-link-tracking)

  • Create a new DNS record (example: links.mycompany.com)
  • Choose CNAME as the type of record
    
  • In the value textbox, enter tracking.mailshake.com
    

I’ve done all of that and it works but when I click on the links I get an insecure warning. So I need to add the subdomain to the Lets Encrypt certificate but can’t work out how to do that!

Does that clarify it a little?

Many Thanks
Alex

Hi @Lab41,

It does make sense, but unfortunately it confirms that what I said before is applicable. Only the person who runs or administers a server can install certificates on that server. Even though you have designated this link-tracking service by a subdomain of your own domain name, that does not give you the administrative rights to install certificates on that service. Usually, setting up HTTPS on a server (including adding or changing certificates) requires the ability to log into that server as an administrator and/or run software on that server.

The relationship between you and the link-tracking service does not give you this ability. (You can create a certificate for the link tracking service using a private key of your own, for example using the DNS-01 authentication method, but once you have that certificate you still have no way to transfer the private key or certificate onto the server, or to configure the server to start using them!)

Any service like this that answers web requests on behalf of customers or subscribers ought to work out its own plan for how it will support HTTPS. (This has been a big problem for ad servers, some of which are not HTTPS-capable at all, despite extensive pleading, lobbying, and cajoling from newspapers and magazines that use these ad services…) That may include some kind of coordination with the subscriber around certificate issuance, or the service might be able to get certificates on its own after the subdomain delegation is in place—for example by running its own Let’s Encrypt client software. But again, there is nothing that you can do at a technical level to force this to happen!

1 Like

Hi Shoen

Thanks for taking the time to help out. I really appreciate it.

  1. So is the issue with tracking.mailshake.com not having SSL?
  2. Or is it because of links.lab41.co needs a SSL?
    (If so we can add this to our certificate but it’s still not working https://www.sslshopper.com/ssl-checker.html?hostname=links.lab41.co)
    but when viewed https://links.lab41.co/prod/c00184b9-f5e1-407e-8a2e-0743a9fa99de/62e87171-a443-4838-9b41-ee9bfb724d44/https%3A%2F%2Ftwitter.com%2Fcapetowninsider2 it’s not working.

I think this is what’s confusing me.

Kind Regards
Alex

Correct.

Generally domains that have HSTS host these kinds of things on a separate domain like lab41mail.co or a different suffix, like lab41.click (which is available for $12.50 right now :grinning:).

Hi

  1. So I need to contact mailshake and ask them to enable https for tracking.mailshake.com?
  2. I’m confused by what you’re saying. :frowning: On the one hand you’re saying mailshake must have https on it’s tracking domain but then you’re saying I should buy another domain like lab41mail.co and enable https on there? But I have links.lab41.co and it has https already.

Just struggling to find a solution to this!

If they can do that, that would be ideal.

I’m saying if they cannot support HTTPS (which is unfortunately common) your only recourse is to not use it, which you cannot do on lab41.co due to HTTP Strict Transport Security (HSTS) with includeSubdomains being enabled.

People in this situation often just use a separate domain name without HSTS enabled for all these random services in case they don’t support SSL. There are also security benefits to this approach, such as preventing these third-party services from being able to see the cookies of your main domain.

1 Like

Thanks again for taking the time to help out! It’s much appreciated!

  1. Will ask them.
  2. Can you explain a little more People in this situation often just use a separate domain name without HSTS enabled for all these random services in case they don’t support SSL.
    So am I correct in saying I’d use another domain for link tracking? E.g. lab-41.com and make sure this domain has no https?
  3. Is there a way to exclude a subdomain from HSTS?

Make sure it doesn’t use HTTP Strict Transport Security (HSTS), which forces HTTPS. Particularly the includeSubdomains directive.

It would be totally safe for e.g. provider2.secondarydomain.com to use HTTPS/SSL when provider1.secondarydomain.com still can’t.

You could remove includeSubdomains from the Strict-Transport-Security header sent by the main lab41.co domain, and then opt-in any subdomains by sending the Strict-Transport-Security header from them as well.

But this header sets a max-age value of 1 year, so browsers could cache it for a year without noticing it changed.

Use HTTP Strict Transport Security

Header set Strict-Transport-Security: “max-age=31536000 ; includeSubDomains ;” env=HTTPS

END HTTP Strict Transport Security

Is what I have in my htaccess.

How do I exclude subdomains?

Remove includeSubDomains :slight_smile:

1 Like

I was trying to explain that the existence of a certificate covering a particular name does not mean that that certificate will be used by a particular server that that name is pointed at. Because you own lab41.co, you are eligible to get a certificate for links.lab41.co (including a certificate that covers that name as well as other names). Certificates only work when they are installed (along with the corresponding private key) on servers. They have no effect just by existing, or just by being installed on other servers.

You could ask the people who run tracking.mailshake.com to install your links.lab41.co certificate (and private key, which you would have to give them as well), and if they did, it work, but they’re almost certainly not set up to do this kind of thing routinely—and they are the only ones who are in a position to do it.

A certificate doesn’t mean that a site or a connection to a site “is secure” in the abstract. For example, I can get a certificate for my own site and then not use HTTPS on my site at all. Then connections to my site are not secure, even though the certificate implies that maybe they would be under appropriate circumstances.

The certificate means that people who trust the certificate authority can accept that a particular encryption key really belongs to the person who runs that site. If that encryption key is not actually being used by the site, the certificate is totally irrelevant from the browser’s point of view, like if a health insurer wrote a letter pre-authorizing a subscriber to consult any physician in Zimbabwe, that would not actually cause the subscriber to travel to Zimbabwe to consult physicians, unless the subscriber also wanted to do so.

(Edit) Or, a more exact analogy might be:

I want my friend to be able to visit my secure data center, and I’m allowed to authorize people to do that, so I issue him an access card, which requires a PIN. I keep the access card in a drawer my office and don’t tell him the PIN.

Later on, my friend calls up and says “Hey, I heard you wanted me to go visit the data center?” and I reply “Of course, I’ve already issued you an access card, so you’re totally authorized to go there at any time!”.

He says “Well, I don’t actually have the access card.” and I say “The access card has your name on it, it lets you into the data center, and you’re totally authorized to go in to the data center whenever you want!”.

Thanks. Those analogies helped! I’m more of a designer than technical whizz so it makes it much easier to follow.

Quite new to SSL so this has been a great learning curve. Thanks for taking the time to detail it so carefully!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.