Custom certificate for subdomain (repost)
I’m self-hosting a Ghost blogging site on AWS and use Cloudflare to manage my DNS. Ghost uses Mailgun to send out email newsletters. In order to enable HTTPS email tracking for opens/clicks/unsubscribes, I followed these instructions.

The SSL certificate I have from Ghost is issued by Let’s Encrypt. However my sending email is a subdomain (mg) of my actual domain and in order to enable tracking, I end up going into a second level subdomain (email). Based on the above instructions, it seems I need a 2nd level SSL certificate. It’s nearly the same issue as this user.

I purchased the Advanced Certificate manager. Can someone help me get the necessary 2nd level SSL certificate?
I think we can ignore the Ghost part of this, because that’s your main site and is already covered.

But you have a subdomain for Mailgun. What’s the format of the subdomain? Is it

And why does it need to be proxied by Cloudflare? Wouldn’t a :grey: CNAME to Mailgun be enough?

Yes - the subdomain is That’s correct.

The reason I believe I need an SSL proxied by Cloudflare is that apparently Mailgun doesn’t support HTTPS tracking links. So they recommend that I use Cloudflare’s CDN to do a workaround:

To understand why the use of a CDN is required for HTTPS tracking links, a quick, high-level overview of how they work is needed.

Tracking links work by utilizing a CNAME that points to . Links in your email messages are then rewritten with this tracking hostname . When your recipients then click on those links, it first sends the request to , and we return a redirect to the original URL .

Since we do not support HTTPS connections to, a CDN is needed to fill the gap between the client and Essentially, the client connects to the CDN via HTTPS , the CDN connects to via HTTP , and the CDN relays the response from to the client over HTTPS .
Does that make sense?

I have an ‘email.SUB’ CNAME for one of my domains, but it’s not proxied. Then again, I don’t use tracking links. As I recall, my SUB is part of the process. For example, it needs its own MX records that point to mailgun. So that CNAME has to be

So, yes, you’re stuck with needing ACM. The good news is that ACM lets you generate various certificates, so if you get it wrong, you can easily regenerate one. The process should be pretty self-explanatory, but you’d probably generate certs for:

Sounds good. Let’s Encrypt can’t do more than two levels, so I got a new set of certificates from DigiCert and it solved my problem.
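As an added illustration that is not part of the thread, the check below shows why a one-level wildcard entry such as `*.example.com` (the apex-plus-wildcard shape of a Universal SSL certificate) covers `mg.example.com` but not the second-level `email.mg.example.com`, using the hostname-matching rule browsers apply to certificate names; `example.com` and the SAN lists are constructed placeholders, and the live-lookup helper is an extra that is not exercised offline.

```python
"""Check whether a certificate's Subject Alternative Names cover a hostname.

Wildcard matching follows RFC 6125 section 6.4.3 as browsers apply it:
'*' is accepted only as the entire leftmost label and matches exactly one
label, so '*.example.com' covers 'mg.example.com' but not
'email.mg.example.com'. All domains below are constructed placeholders.
"""
import socket
import ssl


def hostname_matches(san: str, hostname: str) -> bool:
    """Return True if a single dNSName SAN entry covers hostname."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname            # non-wildcard names match exactly
    if "*" in san[1:]:
        return False                      # only one wildcard, leftmost label only
    suffix = san[1:]                      # e.g. ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    # the wildcard must stand in for exactly one non-empty label
    return bool(leftmost) and "." not in leftmost


def covering_sans(sans, hostname):
    """Return the SAN entries that cover hostname (empty list = not covered)."""
    return [s for s in sans if hostname_matches(s, hostname)]


def live_sans(hostname: str, port: int = 443):
    """Fetch the dNSName SANs of the certificate a server actually serves (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed: apex + one-level wildcard, the shape of a Universal SSL certificate
UNIVERSAL = ["example.com", "*.example.com"]
# Constructed: a custom certificate issued for the mail subdomain and its children
CUSTOM = ["mg.example.com", "*.mg.example.com"]

if __name__ == "__main__":
    for host in ("mg.example.com", "email.mg.example.com"):
        print(host, "universal:", covering_sans(UNIVERSAL, host),
              "custom:", covering_sans(CUSTOM, host))
```

Run `live_sans("your.host")` against the proxied hostname to compare the names Cloudflare actually serves with what `covering_sans` expects.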