I’m self-hosting a Ghost blogging site on AWS and use Cloudflare to manage my DNS. Ghost uses Mailgun to send out email newsletters. In order to enable HTTPS email tracking for opens/clicks/unsubscribes, I followed these instructions.
The SSL certificate I have from Ghost is issued by Let’s Encrypt. However my sending email is a subdomain (mg) of my actual domain and in order to enable tracking, I end up going into a second level subdomain (email). Based on the above instructions, it seems I need a 2nd level SSL certificate. It’s nearly the same issue as this user.
I purchased the Advanced Certificate manager. Can someone help me get the necessary 2nd level SSL certificate?
The reason I believe I need an SSL proxied by Cloudflare is that apparently Mailgun doesn’t support HTTPS tracking links. So they recommend that I use Cloudflare’s CDN to do a workaround:
To understand why the use of a CDN is required for HTTPS tracking links, a quick, high-level overview of how they work is needed.
Tracking links work by utilizing a CNAME that points to mailgun.org. Links in your email messages are then rewritten with this tracking hostname. When your recipients then click on those links, it first sends the request to mailgun.org, and we return a redirect to the original URL.
Since we do not support HTTPS connections to mailgun.org, a CDN is needed to fill the gap between the client and mailgun.org. Essentially, the client connects to the CDN via HTTPS, the CDN connects to mailgun.org via HTTP, and the CDN relays the response from mailgun.org to the client over HTTPS.
I have an ‘email.SUB’ CNAME for one of my domains, but it’s not proxied. Then again, I don’t use tracking links. As I recall, my SUB is part of the process. For example, it needs its own MX records that point to mailgun. So that CNAME has to be SUB.SUB.example.com.
So, yes, you’re stuck with needing ACM. The good news is that ACM lets you generate various certificates, so if you get it wrong, you can easily regenerate one. The process should be pretty self-explanatory, but you’d probably generate certs for:
example.com
www.example.com
mg.example.com
email.mg.example.com
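The reason the existing Let’s Encrypt certificate does not help here is the wildcard rule: a `*` in a certificate’s Subject Alternative Name matches exactly one DNS label, so `*.example.com` covers `mg.example.com` but not `email.mg.example.com`. The script below is an added example, not code from the thread, Ghost, Mailgun or Cloudflare; it takes the four hostnames listed in the answer above and two constructed SAN lists (a single-level wildcard and one that also lists `*.mg.example.com`) and reports which hostnames each certificate leaves uncovered. The `live_san_names` helper is optional and needs network access; everything else runs offline.

```python
"""Check which hostnames a certificate's Subject Alternative Names cover.

Added example, not from the thread. Hostnames are the ones the answer lists;
the SAN lists are constructed for illustration. Wildcard matching follows the
one-label rule (RFC 6125 section 6.4.3): '*' stands for exactly one DNS
label, never for 'email.mg'.
"""
import socket
import ssl


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a SAN dNSName pattern matches hostname (case-insensitive)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Accept only a leftmost, whole-label wildcard with at least two fixed
    # labels after it; anything else is treated as non-matching.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    # The wildcard consumes exactly one label, so label counts must agree.
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def uncovered_hostnames(san_names, hostnames):
    """Return the hostnames that no SAN entry covers, in input order."""
    return [h for h in hostnames if not any(hostname_matches(p, h) for p in san_names)]


def live_san_names(host: str, port: int = 443):
    """Fetch the dNSName SAN entries of the certificate a live host presents.

    Needs network access; not used by the offline checks below.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Hostnames the answer above says the certificate should cover.
NEEDED = ["example.com", "www.example.com", "mg.example.com", "email.mg.example.com"]

# Constructed SAN lists: a typical single-level wildcard order, and an order
# that also covers the second-level subdomain.
SINGLE_WILDCARD_SAN = ["example.com", "*.example.com"]
TWO_LEVEL_SAN = ["example.com", "*.example.com", "*.mg.example.com"]

if __name__ == "__main__":
    for label, san in (("*.example.com only", SINGLE_WILDCARD_SAN),
                       ("plus *.mg.example.com", TWO_LEVEL_SAN)):
        missing = uncovered_hostnames(san, NEEDED)
        print(f"{label}: {'all covered' if not missing else 'missing ' + ', '.join(missing)}")
```

Running it shows the first SAN list leaves `email.mg.example.com` uncovered while the second covers all four names, which is why a certificate order that explicitly includes the `mg` subtree (or the exact `email.mg.example.com` name) is needed before Cloudflare can proxy the tracking hostname over HTTPS.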