Cloudflare Wildcard subdomain to Vercel

Hey! We have our main website on domain.com (with web flow) and want to create a wildcard subdomain which forwards to Vercel, so abc.domain.com or 123.domain.com forward to Vercel.

I have seen some articles on how to do this, but when I have tried we keep getting an error: "DNS_PROBE_FINISHED_NXDOMAIN".

Does anyone have any idea how to do this?

Vercel seems to want you to use NS records, but Cloudflare won't let you use NS records with a wildcard.

Did you set the wildcard up correctly?

What is the domain?


We followed this, but Vercel does not let you do an A record wildcard to them, only NS.

Reading their documentation that doesn’t appear to be the case.


Sure, the domain is happl.com

The docs are fine, but stage two, where it says to enable DNS, you can't do on Vercel, as it needs the NS pointing to it, and that part doesn't seem to work.

It doesn’t appear that you have a wildcard record configured (correctly) for your domain at Cloudflare, so you’ll want to double-check that.

The Vercel instructions indicate that _acme-challenge should be delegated to Vercel nameservers specified in their documentation if you’re attempting to use a wildcard with them. But they currently point to 2 other IP addresses on Amazon. You’ll want to delete those A records and replace them with NS records as specified in their documentation.

dig _acme-challenge.happl.com +short
76.76.21.61
76.76.21.241

Ah, my mistake, we are actually using tahora.us to test before putting it onto prod.

Same issue(s).

dig _acme-challenge.tahora.us +short
76.76.21.93
76.76.21.164

Ensure the account you are making these changes from has the correct nameservers, as neither the wildcard nor the appropriate NS delegation seems to be in place.

;; ANSWER SECTION:
tahora.us.		86400	IN	NS	randall.ns.cloudflare.com.
tahora.us.		86400	IN	NS	roxy.ns.cloudflare.com.

Hi, giving Ben a hand with this.

The domain has no A records set up on Cloudflare. Just some MX, TXT and CNAME, and the 2 NS entries for Vercel. The IPs returned from dig seem to be owned by Vercel. Vercel then says the configuration is wrong for the domain (because it’s trying to make an ACME request to verify it?).

The Vercel page is talking about this URL, which should be accessible from Cloudflare's side: http://tahora.us/.well-known/acme-challenge/. I thought this was Cloudflare blocking the HTTP request, and tried turning off a bunch of stuff to allow it, but any type of request says it can’t find the host. Should the Cloudflare side be resolving this ACME request, so that I can test it with curl?

Cheers,
Lee

Cloudflare doesn’t return any NS records for the values specified in the Vercel documentation.

dig _acme-challenge.tahora.us ns

; <<>> DiG 9.10.6 <<>> _acme-challenge.tahora.us ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43498
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;_acme-challenge.tahora.us.	IN	NS

It does return A records for the values that are supposed to be delegated.

dig _acme-challenge.tahora.us A

; <<>> DiG 9.10.6 <<>> _acme-challenge.tahora.us A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63677
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 0a 66 6f 72 20 44 4e 53 4b 45 59 20 75 73 2e 2c 20 69 64 20 3d 20 34 36 31 34 34 ("..for DNSKEY us., id = 46144")
;; QUESTION SECTION:
;_acme-challenge.tahora.us.	IN	A

;; ANSWER SECTION:
_acme-challenge.tahora.us. 600	IN	A	76.76.21.98
_acme-challenge.tahora.us. 600	IN	A	76.76.21.241

If true, you’re in the wrong account.

That would be for a host specified in your DNS. There is no record for your root domain, thus it doesn’t resolve / won’t have a certificate issued for it.

http://<YOUR_DOMAIN>/.well-known/acme-challenge/* from their documentation should really be http://FQDN/.well-known/acme-challenge/*, and I don’t believe it applies to wildcard domains, as there the ACME challenge used is the DNS-01 challenge and not HTTP-01 (the reason for the delegation of the NS records of the _acme-challenge subdomain).
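The point of the replies above is that the delegation has to be visible as NS records at `_acme-challenge.<zone>`, not as A records, and that the wildcard itself has to exist in the zone. Below is an added example (not code from the thread, Cloudflare or Vercel) that parses dig-style answer lines and reports exactly that: whether `_acme-challenge` is delegated, which A/AAAA records are shadowing the delegation, and whether a `*.<zone>` record is present. The sample answer sections are constructed for the example; the A records mirror the ones posted above, while the nameserver and CNAME targets (`ns1.vercel-dns.example` etc.) are placeholders, not Vercel's real hostnames.

```python
"""
Check ACME DNS-01 delegation and wildcard presence from dig answer lines.

Added example, not from Cloudflare or Vercel. Input is constructed
dig-style "ANSWER SECTION" text rather than a live DNS query, so this
runs offline; in practice you would paste the output of
`dig _acme-challenge.<zone> ANY` / `dig '*.<zone>'` into these strings.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str
    ttl: int
    rtype: str
    rdata: str


# One dig answer line, e.g.
#   _acme-challenge.tahora.us. 600  IN  A  76.76.21.98
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(\S+)$")


def parse_dig_answer(text):
    """Parse dig answer-section lines; comments (';') and blanks are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = LINE_RE.match(line)
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append(RR(name.lower().rstrip("."), int(ttl),
                              rtype, rdata.lower().rstrip(".")))
    return records


def check_acme_delegation(records, zone, expected_ns=()):
    """
    Describe the state of _acme-challenge.<zone>.

    delegated  : True only if NS records exist and no A/AAAA records sit
                 at the same name (those are what the thread's dig shows)
    ns         : NS targets found
    stray      : A/AAAA rdata that should be deleted before adding NS
    missing_ns : expected nameservers (from the provider's docs) not present
    """
    label = f"_acme-challenge.{zone}".lower()
    ns = sorted(r.rdata for r in records if r.name == label and r.rtype == "NS")
    stray = sorted(r.rdata for r in records
                   if r.name == label and r.rtype in ("A", "AAAA"))
    expected = {x.lower().rstrip(".") for x in expected_ns}
    return {
        "delegated": bool(ns) and not stray,
        "ns": ns,
        "stray": stray,
        "missing_ns": sorted(expected - set(ns)),
    }


def has_wildcard(records, zone):
    """True if *.<zone> has an address or CNAME record (what the wildcard hosts need)."""
    label = f"*.{zone}".lower()
    return any(r.name == label and r.rtype in ("A", "AAAA", "CNAME") for r in records)


# Constructed sample: what the thread's zone looked like (A records, no NS, no wildcard).
BROKEN = """
;; ANSWER SECTION:
_acme-challenge.tahora.us. 600	IN	A	76.76.21.98
_acme-challenge.tahora.us. 600	IN	A	76.76.21.241
"""

# Constructed sample of the intended layout: NS delegation plus a wildcard CNAME.
# The *.example targets are placeholders, not the provider's real nameservers.
FIXED = """
;; ANSWER SECTION:
_acme-challenge.tahora.us. 3600	IN	NS	ns1.vercel-dns.example.
_acme-challenge.tahora.us. 3600	IN	NS	ns2.vercel-dns.example.
*.tahora.us.	300	IN	CNAME	cname.vercel-dns.example.
"""

EXPECTED_NS = ("ns1.vercel-dns.example", "ns2.vercel-dns.example")  # placeholders


if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        recs = parse_dig_answer(text)
        print(label, check_acme_delegation(recs, "tahora.us", EXPECTED_NS),
              "wildcard:", has_wildcard(recs, "tahora.us"))
```

Run against the "broken" sample it reports `delegated: False` with the two A records listed as `stray` and no wildcard; against the "fixed" sample it reports `delegated: True` and `wildcard: True`. A live `dig _acme-challenge.<zone> NS` that answers with NOERROR and an empty answer section, as in the output above, is the same failure: the parent zone is answering the name itself instead of delegating it.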

Hey, we definitely are on the right one, as we did a test with http://test.tahora.us/ and it works (takes you to Google).

I guess the A record is being added by the Vercel nameserver?
