Security ONLY on 'www' Configuration Alternative? GoDaddy does not support APEX record


#1

Right now, we manage ~400 live domains with LE certs but they only display on https://www.

We are validating via DNS records with an A record on the ‘www’ instance of the domain. However, GoDaddy does not support the APEX record. Every domain without the ‘www’ returns the following error:

This site can’t provide a secure connection
freeholdfordcars.com uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol
The client and server don’t support a common SSL protocol version or cipher suite.

We have thousands of domains with this registrar, and I would like to know if there is an alternate way to configure LE certs to support the bare domain without implementing an APEX record?

Is there something we could do differently for the remaining domains that does not result in having to manually update the certs with each refresh of the certificate?


#2

Hi,

May I know why you need to set up an apex record for the root domain? (I believe GoDaddy provides you an IP to point to instead of CNAMEing it.)

Thank you.


#3

The certificate includes www.freeholdfordcars.com and freeholdfordcars.com, so it is valid for both names. What I see here is that both names point to different servers.

Do you have the problem of not being able to create a CNAME to the Akamai CDN for the basic domain name (without www.)?


#4

Yes that is EXACTLY it. Apologies for the delay.


#5

Hi,

According to Akamai, they have two options:

  1. Redirect your root to www
  2. Use their DNS so you can use a CNAME on the root domain

Thank you


#6

Could I have set Let’s Encrypt’s certificates up differently where I could have used a TXT record to validate both or something similar?


#7

@victoriavoight, you can certainly do that, but since you already have a certificate that covers the base domain name according to @bytecamp, getting a certificate via a different method won’t improve things here because the resulting certificate would be the same as the one you have now. The CNAME issue isn’t a flaw in the certificate itself, but more about how your web hosting is configured.


#8

I see… You’re saying it’s more an issue with the registrar?


#9

Yes, the inability to create a CNAME record is an issue with the DNS provider, which may be the domain registrar by default. But normally registrars would allow you to switch to a different DNS provider while keeping the same registrar, if you prefer. I think that’s what @stevenzhu was referring to by

(That is, to use Akamai’s own DNS service for your domain.)


#10

I’m confused by a few things here.

  1. Perhaps things changed, but IIRC you can’t have a CNAME as the APEX / root - that’s a violation of the spec. A handful of enterprise systems allow a CNAME-like behavior (Amazon’s Route53 calls it an “Alias”; Akamai has another name for it).

  2. I thought DNS Validation was only off TXT records, not A records.

Digging into this, it looks to me like this is happening:

The active cert handles both www.freeholdfordcars.com and freeholdfordcars.com

This bare domain freeholdfordcars.com is served off an IP address that is assigned to your company (I looked it up in ARIN):

But the www hostname is CNAMEd onto the Akamai network

Since you’re serving the bare domain directly off your own network, and what looks like doing an HTTP redirect to the www. host, at least for now you could just install your certificate onto your own server (which is doing the redirect).
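The two DNS points raised in this thread (that a CNAME cannot sit at the zone apex, and that DNS-01 validation is done through TXT records rather than A records) can be checked mechanically. The following is an added example, not code from the thread or from Let's Encrypt: it runs a small record-set sanity check and computes the `_acme-challenge` TXT value that an ACME CA expects (RFC 8555 §8.4) for both the apex and the www name. The zone records, the tokens and the JWK thumbprint are constructed placeholders, not the real data for freeholdfordcars.com.

```python
import base64
import hashlib

ZONE = "freeholdfordcars.com"

# Constructed records (illustrative only, not the real zone). Owner names are
# fully qualified; the apex is the zone name itself.
RECORDS = [
    ("freeholdfordcars.com.",     "SOA",   "ns1.example.net. hostmaster.example.net. 2024010101 3600 600 604800 60"),
    ("freeholdfordcars.com.",     "NS",    "ns1.example.net."),
    ("freeholdfordcars.com.",     "A",     "192.0.2.10"),            # apex answered by the company's own server
    ("www.freeholdfordcars.com.", "CNAME", "example.edgekey.net."),  # www handed to the CDN
]


def apex_problems(records, zone):
    """Return the reasons the apex would be unreachable for browsers, if any."""
    apex = zone.rstrip(".") + "."
    types_at_apex = {rtype for owner, rtype, _ in records if owner == apex}
    problems = []
    # The apex always carries SOA and NS, and RFC 1034 section 3.6.2 says a CNAME
    # may not share a node with any other data, so "CNAME at apex" is never valid.
    if "CNAME" in types_at_apex:
        problems.append("CNAME at apex conflicts with the SOA/NS records that must live there")
    if not types_at_apex & {"A", "AAAA"}:
        problems.append("no A/AAAA at apex: https://" + zone + "/ has nowhere to connect")
    return problems


def dns01_txt_record(name, token, jwk_thumbprint):
    """Compute the TXT record ACME DNS-01 validation looks for (RFC 8555 section 8.4).

    keyAuthorization = token "." thumbprint; the TXT value is the unpadded
    base64url SHA-256 of that string, published at _acme-challenge.<name>.
    """
    key_authorization = (token + "." + jwk_thumbprint).encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    value = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return ("_acme-challenge." + name.rstrip(".") + ".", "TXT", value)


def dns01_records_for(names, tokens, jwk_thumbprint):
    """One TXT record per identifier on the order; the CA issues a separate token for each."""
    return [dns01_txt_record(n, tokens[n], jwk_thumbprint) for n in names]


if __name__ == "__main__":
    for problem in apex_problems(RECORDS, ZONE):
        print("apex problem:", problem)
    # Constructed placeholders; real values come from the ACME order and account key.
    tokens = {ZONE: "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA",
              "www." + ZONE: "DGyRejmCefe7v4NfDGDKfA"}
    thumbprint = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"
    for owner, rtype, value in dns01_records_for([ZONE, "www." + ZONE], tokens, thumbprint):
        print(owner, "IN", rtype, '"' + value + '"')
```

Note that `_acme-challenge.freeholdfordcars.com` is a child of the apex, not the apex itself, so it may legitimately be a CNAME to a zone hosted elsewhere; Let's Encrypt follows that CNAME when validating. The apex's own A record is a separate matter and is what the browser error in the first post is about.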


#11

Adding: When I was at CompanyX long ago, Akamai gave us an IP address on their network to handle an A record for our root domain. Maybe they don’t do that anymore and require CNAMEs or being their DNS customer too. You may be able to get an IP address out of them if it’s just handling a redirect to www though.

I will give this warning about using them as a DNS customer as well: Pay very close attention to every line in their contract, and make them pitch you competitive to another vendor.

Akamai is very much intent on extracting the full potential value from their contract terms. The contract I had inherited has clauses that guaranteed them “billing” us on something like 90% of outbound traffic for our domains, in exchange for a “preferred” price that was over 4x all of their competitors. (My predecessor negotiated it, and had no idea what they were doing.) When I mentioned we were looking at other vendors, I was politely reminded they would bill us for the minimum guaranteed traffic levels regardless of who services it.

My legal team wrote the notice of contract termination, and held onto it for several months until we were finally in the 30 day window where we could deliver it and terminate before the auto-renewal kicked in.
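Posts #5, #10 and #11 all converge on the same workaround for the apex: keep the A record pointing at a box you control, give that box the existing certificate (which already lists both names), and have it do nothing but redirect to www. The point that matters for the error in the first post is that the redirect has to be served over TLS with that certificate; an HTTP-level redirect cannot fire if the TLS handshake already failed. Below is an added example of such a redirect-only server in Python's standard library; it is not code from the thread, from Akamai or from Let's Encrypt. The certificate paths follow certbot's usual `/etc/letsencrypt/live/<name>/` layout, which is an assumption, and the Host check keeps a forged Host header from turning the box into an open redirect.

```python
import ssl
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

# Names the certificate covers. Only requests for these hosts are redirected.
APEX = "freeholdfordcars.com"
WWW = "www." + APEX

# Assumed certbot layout on the redirect box; adjust to wherever the LE files live.
CERT = "/etc/letsencrypt/live/" + APEX + "/fullchain.pem"
KEY = "/etc/letsencrypt/live/" + APEX + "/privkey.pem"


def redirect_target(host_header, request_target, apex=APEX, www=WWW):
    """Return the Location for a permanent redirect, or None if the request is foreign.

    Strips any :port from the Host header, accepts only the apex or www name,
    rejects absolute-form or protocol-relative targets, and preserves path+query.
    """
    if not host_header:
        return None
    host = host_header.split(":", 1)[0].lower().rstrip(".")
    if host not in (apex, www):
        return None
    parts = urlsplit(request_target)
    if parts.scheme or parts.netloc:
        return None  # "http://evil/..." or "//evil/..." must never steer the redirect
    path = parts.path or "/"
    if not path.startswith("/"):
        return None
    query = "?" + parts.query if parts.query else ""
    return "https://" + www + path + query


class RedirectHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        target = redirect_target(self.headers.get("Host"), self.path)
        if target is None:
            self.send_error(421)  # Misdirected Request: not a host we serve
            return
        self.send_response(301)
        self.send_header("Location", target)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_GET


def serve(bind=("0.0.0.0", 443)):
    """Listen with the LE certificate so the apex completes a TLS handshake before redirecting."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(CERT, KEY)  # same certificate; it already lists apex and www
    httpd = ThreadingHTTPServer(bind, RedirectHandler)
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()


if __name__ == "__main__":
    serve()
```

Because the box holds the certificate, the renewal problem from the first post remains: whatever renews the certificate for www (certbot with a DNS plugin, for instance) also has to copy the new files here and restart this process, or the apex will start failing again once the old certificate expires.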

