Right now, we manage ~400 live domains with LE certs but they only display on https://www.
We are validating via DNS records with an A record on the ‘www’ instance of the domain. However, GoDaddy does not support the APEX record. Every domain without the ‘www’ returns the following error:
This site can’t provide a secure connection
freeholdfordcars.com uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol
The client and server don’t support a common SSL protocol version or cipher suite.
We have thousands of domains with this registrar, and I would like to know if there is an alternate way to configure LE certs to support the bare domain without implementing an APEX record?
Is there something we could do differently for the remaining domains that does not result in having to manually update the certs with each refresh of the certificate?
@victoriavoight, you can certainly do that, but since you already have a certificate that covers the base domain name according to @bytecamp, getting a certificate via a different method won’t improve things here because the resulting certificate would be the same as the one you have now. The CNAME issue isn’t a flaw in the certificate itself, but more about how your web hosting is configured.
Yes, the inability to create a CNAME record is an issue with the DNS provider, which may be the domain registrar by default. But normally registrars would allow you to switch to a different DNS provider while keeping the same registrar, if you prefer. I think that's what @stevenzhu was referring to by
(That is, to use Akamai's own DNS service for your domain.)
Perhaps things changed, but IIRC you can’t have a CNAME as the APEX / root - that’s a violation of the spec. A handful of enterprise systems allow a CNAME-like behavior (Amazon’s Route53 calls it an “Alias”; Akamai has another name for it).
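The rule referred to above is RFC 1034 §3.6.2: a name that owns a CNAME must own no other data, and the apex must own at least SOA and NS records, so a CNAME there always conflicts. The following checker is an added illustration, not code from this thread or from any DNS provider; it parses a small constructed zone snippet (the names and addresses are made up) and reports every owner name where a CNAME sits beside other record types.

```python
"""Flag CNAME records that coexist with other RR types at the same owner name.

Added example for this thread, not code from any poster. The zone text below
is constructed; 'edge.cdn-provider.example.' is a placeholder CDN target.
"""
import re
from collections import defaultdict

ZONE = """\
; constructed example zone
example.com.      3600 IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 300
example.com.      3600 IN NS    ns1.example.com.
example.com.      3600 IN CNAME edge.cdn-provider.example.
www.example.com.  300  IN CNAME edge.cdn-provider.example.
ns1.example.com.  3600 IN A     192.0.2.53
"""

# owner [ttl] [IN] TYPE rdata  (comments stripped first; class/TTL optional)
RR = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?([A-Z]+)\s+(.*)$")


def parse_zone(text: str) -> dict:
    """Return {owner: [(rtype, rdata), ...]} for every record in the zone text."""
    records = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = RR.match(line)
        if not m:
            raise ValueError(f"unparsed zone line: {raw!r}")
        owner, rtype, rdata = m.groups()
        records[owner.lower()].append((rtype, rdata))
    return dict(records)


def cname_conflicts(records: dict) -> dict:
    """Owners holding a CNAME together with any other RR type (RFC 1034 3.6.2).

    At the zone apex the 'other' types are at least SOA and NS, which is why
    a plain CNAME can never be placed there; providers that offer it use a
    non-standard ALIAS/ANAME record that is flattened to A/AAAA on lookup."""
    out = {}
    for owner, rrs in records.items():
        types = {t for t, _ in rrs}
        if "CNAME" in types and len(types) > 1:
            out[owner] = sorted(types - {"CNAME"})
    return out


if __name__ == "__main__":
    for owner, others in cname_conflicts(parse_zone(ZONE)).items():
        print(f"{owner}: CNAME conflicts with {', '.join(others)}")
```

Run against the constructed zone it reports only `example.com.` (CNAME beside NS and SOA); `www.example.com.` is a clean alias and passes. The same check run over an exported zone file is a quick way to find apexes where an operator has tried to point the bare name at a CDN with a CNAME.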
I thought DNS Validation was only off TXT records, not A records.
Digging into this, it looks to me like this is happening:
This bare domain freeholdfordcars.com is served off an IP address that is assigned to your company (I looked it up in ARIN):
But the www hostname is CNAMEd onto the AKAMAI network.
Since you’re serving the bare domain directly off your own network, and what looks like doing an HTTP redirect to the www. host, at least for now you could just install your certificate onto your own server (which is doing the redirect).
Adding: When I was at CompanyX long ago, Akamai gave us an IP address on their network to handle an A record for our root domain. Maybe they don’t do that anymore and require CNAMEs or being their DNS customer too. You may be able to get an IP address out of them if it’s just handling a redirect to www though.
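The diagnosis above separates three different failures that all look like "HTTPS doesn't work on the bare domain": the name has no address, the host that answers has no TLS listener (the browser's ERR_SSL_VERSION_OR_CIPHER_MISMATCH case), or TLS works but the certificate does not name the apex. The script below is an added example for this thread, not code from Let's Encrypt or any poster; it uses only the Python standard library, probes each apex and its www name, and maps the outcome to the fix discussed here. The hostnames in the offline checks are constructed.

```python
"""Triage why https://example.com fails while https://www.example.com works.

Added illustration for this thread (not code from any poster or from
Let's Encrypt). Standard library only; hostnames used in the offline checks
are constructed examples.
"""
import socket
import ssl
import sys
from dataclasses import dataclass


@dataclass
class ProbeResult:
    host: str
    resolves: bool          # an A/AAAA answer exists for the name
    handshake_ok: bool      # something on :443 completed a TLS handshake
    cert_covers_host: bool  # the presented certificate names this host
    detail: str = ""


def san_covers(hostname: str, sans: list) -> bool:
    """True if a dNSName SAN matches hostname: exact match, or a single-label
    wildcard such as '*.example.com' that covers exactly one leftmost label.
    A wildcard never covers the bare apex, so '*.example.com' does not help
    'example.com'; the apex has to be listed by name."""
    host = hostname.lower().rstrip(".")
    for san in sans:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == san[2:]:
                return True
    return False


def probe(host: str, timeout: float = 5.0) -> ProbeResult:
    """Live check (needs network): resolve, handshake with SNI=host, read SANs."""
    try:
        socket.getaddrinfo(host, 443)
    except socket.gaierror as e:
        return ProbeResult(host, False, False, False, f"DNS: {e}")
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # name matching is reported separately below
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as e:
        return ProbeResult(host, True, True, False, f"chain not trusted: {e}")
    except (OSError, ssl.SSLError) as e:
        # No TLS listener, or a plain-HTTP listener on :443: the browser shows
        # this as ERR_SSL_VERSION_OR_CIPHER_MISMATCH / "unsupported protocol".
        return ProbeResult(host, True, False, False, f"TLS: {e}")
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return ProbeResult(host, True, True, san_covers(host, sans), f"SAN={sans}")


def triage(r: ProbeResult) -> str:
    """Map a probe result to the fix discussed in the thread."""
    if not r.resolves:
        return "no address record: add an A/AAAA (or provider ALIAS) record"
    if not r.handshake_ok:
        return "resolves but no TLS service answers: install the certificate on the host serving this name"
    if not r.cert_covers_host:
        return "TLS works but the certificate does not name this host: reissue with this name in the SAN list"
    return "ok"


if __name__ == "__main__":
    # usage: python triage_apex.py example.com example.org ...
    for apex in sys.argv[1:]:
        for name in (apex, "www." + apex):
            r = probe(name)
            print(f"{name:40} {triage(r)}  [{r.detail}]")
```

Feeding it a list of a few hundred apexes gives a per-domain answer to "which fix applies" rather than one generic error, which is what you need before deciding between installing the existing certificate on the redirect host and changing DNS. The wildcard rule in `san_covers` is also why a `*.example.com` certificate on the CDN never rescues the bare name.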
I will give this warning about using them as a DNS customer as well: Pay very close attention to every line in their contract, and make them pitch you competitive to another vendor.
Akamai is very much intent on extracting the full potential value from their contract terms. The contract I had inherited has clauses that guaranteed them “billing” us on something like 90% of outbound traffic for our domains, in exchange for a “preferred” price that was over 4x all of their competitors. (My predecessor negotiated it, and had no idea what they were doing.) When I mentioned we were looking at other vendors, I was politely reminded they would bill us for the minimum guaranteed traffic levels regardless of who services it.
My legal team wrote the notice of contract termination, and held onto it for several months until we were finally in the 30 day window where we could deliver it and terminate before the auto-renewal kicked in.