Expire and Disable HSTS

Hello!

  • I enabled HSTS for my site, but this created a conflict with my email URLs via Mailgun.
  • So I disabled the HSTS on Cloudflare by first switching it off, then later setting the age to 0.
  • However, when I visit the URLs, they still get an error “this is not a secure connection”.
  • I know that this is HSTS related because it says it at the bottom of the error: “this site cannot load because it uses HSTS”.
  • I was able to delete the HSTS entry in my own Chrome browser, but I am worried that other users of my site will get an error.

How do I make sure that the HSTS is cleared from all my users’ browsers? I don’t remember what the initial max age I put in was, but I also don’t want to wait.

Any advice would be so appreciated!

Chris

Sorry, but you can’t. That’s part of the idea of the HSTS header and the TTL. You’ve told browsers that for the next X period of months, this domain will be HTTPS only. At this point, there’s really no reason for no HTTPS.

Are you saying that the site behind your email URLs doesn’t support HTTPS?

I have a Mailgun setup and also have HSTS turned on. I believe they have multiple setup options, in case one of them is causing issues.

Hi! Thanks so much for your reply. A couple of questions:

  • When and where does this affect users’ browsers? Only those that have visited the site with HSTS enabled? Or all users regardless of whether they recently visited?
  • So if HSTS was set for 6 months, then it would affect those users for 6 months? Even if I changed the HSTS expiration to 0 recently?
  • Yes, Mailgun only works with HTTP unfortunately, but they have a workaround for HTTPS. I just need to work it out with them.

Thanks so much!
Chris

  1. It affects returning visitors. Unless you put yourself on the HSTS Preload List (you can Google that) in which case it’s semi-permanent.
  2. It will affect those users for 6 months since their last visit. You’ve essentially told them to only use HTTPS for that period of time. They won’t check again until that time expires because HSTS is a security commitment. You would have to let them know over HTTPS if you’ve changed your mind before you drop HTTPS. They won’t be able to connect to HTTP otherwise for the next six months.
  3. No HTTP? That’s dumb. I’m sure they have a technical reason for it, but it’s not ok.
1 Like

This is not the case. HSTS is checked every time it is seen. Setting a HSTS max-age=0 over a HTTPS connection has the special meaning of “I’ve made a huge mistake, forget what I told you earlier”.

1 Like

That makes sense…but only if you still have HTTPS as you said. I’ll update my response.

1 Like

I’m guessing the OP set “includeSubDomains”, and is using a custom subdomain for MG. The max-age=0 on the root would act as a knockout.

Frankly, there should be no issue fixing MailGun. But to each their own.

2 Likes
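To make the two points above concrete (max-age=0 received over HTTPS forgets the earlier policy, and an includeSubDomains entry on the root covers the Mailgun subdomain), here is an added toy model of a browser’s HSTS store. It is constructed for this thread, not Chrome’s real code or anything from Cloudflare or Mailgun; the hostnames and the six-month max-age are assumed values.

```python
import re


class HstsStore:
    def __init__(self):
        self.entries = {}  # hostname -> (expiry_epoch, include_subdomains)

    @staticmethod
    def parse(header):
        """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
        max_age, include_sub = None, False
        for directive in header.split(";"):
            d = directive.strip()
            if m := re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', d, re.IGNORECASE):
                max_age = int(m.group(1))
            elif d.lower() == "includesubdomains":
                include_sub = True
        return max_age, include_sub

    def observe(self, host, header, over_https, now):
        """Apply a response header the way RFC 6797 says a browser should."""
        if not over_https:
            return  # header seen on plain HTTP is ignored, so it can't knock anything out
        max_age, include_sub = self.parse(header)
        if max_age is None:
            return  # malformed header: remembered policy unchanged
        if max_age == 0:
            self.entries.pop(host, None)  # "forget what I told you earlier"
        else:
            self.entries[host] = (now + max_age, include_sub)

    def must_use_https(self, host, now):
        """True if host, or a parent with includeSubDomains, has an unexpired entry."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False


def thread_scenario():
    """Replay the thread: six months with includeSubDomains, then max-age=0 on the root."""
    s, t0 = HstsStore(), 1_000_000.0  # constructed clock, in seconds
    s.observe("example.com", "max-age=15552000; includeSubDomains", True, t0)
    before = s.must_use_https("email.mg.example.com", t0 + 60)
    s.observe("example.com", "max-age=0", False, t0 + 120)  # over HTTP: no effect
    still = s.must_use_https("email.mg.example.com", t0 + 180)
    s.observe("example.com", "max-age=0", True, t0 + 240)   # over HTTPS: knockout
    after = s.must_use_https("email.mg.example.com", t0 + 300)
    return before, still, after
```

The knockout only reaches visitors who come back over HTTPS and see the max-age=0 header; anyone who never returns keeps the old entry until it expires.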

Mailgun does have a way to enable HTTPS: https://help.mailgun.com/hc/en-us/articles/360011566033-How-to-Enable-HTTPS-Tracking-Links

It’s silly and insecure, but it is a workaround.

You also have the option of not using Mailgun tracking in the first place (that’s what I do). Note that this setup is only needed for tracking, not for actually sending or receiving mail!

Thank you all for your advice! Really appreciate it.

I followed the Mailgun instructions to set up https:// and they enabled it on their side. Now all their links begin with https:; however, I am getting a new error:

Your connection is not private: NET::ERR_CERT_COMMON_NAME_INVALID (Full text below)

I researched a little bit and it looks like this could be an issue with the SSL certificate and Cloudflare? The CNAME points to mailgun.org and is DNS only. But maybe this URL is not working with Cloudflare?

Any help would be much appreciated! (Step by step would be great - because I’m pretty much a novice at this.)

Many thanks to you all,
Chris

NET::ERR_CERT_COMMON_NAME_INVALID
Subject: mailgun.org

Issuer: R3

Expires on: Dec 21, 2021

Current date: Oct 26, 2021

PEM encoded chain:

Certificate Transparency:

SCT Cloudflare ‘Nimbus2021’ Log (Embedded in certificate, Verified)

SCT Google ‘Xenon2021’ log (Embedded in certificate, Verified)

That’s not a surprise, as it requires the provider to re-provision the cert for that specific hostname.

I’d hate to recommend this, but it may be the only way around:
Page Rule to match your sub.example.com/*
And a Setting of SSL Mode: Full (not strict)

What is the hostname?

If they have not provisioned the certificate yet, then they may also not have provisioned a hostname on their side, so the solution proposed by @sdayman may not work either.

Wha…? It has a CN…it just doesn’t match the CNAME record.

The hostname is “mailgun.org” and my site is gogalora.com. The subdomain is email.mg.gogalora.com.

Mailgun wrote back and said: “We have reset your web scheme on our side to reapply HTTPS. Would you kindly retry sending mail to see if the links work this time?”

I tried and it didn’t work. ;/ I can add the page rule… would I add email.mg.gogalora.com/* and then SSL Mode: Full? Like this:

Oh…that’s not looking great, either. If it’s a Proxied (orange cloud) DNS record, then you’ll most likely run into the issue down below. If it’s DNS Only (grey cloud), then nothing you do here will affect it.

It’s DNS only… At this point I might just turn off the Mailgun email tracking because it’s affecting our users right now. Unless you guys have any other ideas?

Thanks so much - really appreciate it!

It’s really something that Mailgun should take care of. I know it’s possible, as many services offer CNAMEs with SSL. Even UptimeRobot used to let me CNAME a custom hostname to stats.uptimerobot.com with HTTPS.

There is no certificate for email.mg.gogalora.com. crt.sh | gogalora.com

If you are not on a Mailgun Scale or Enterprise plan, then you need to use a single level hostname, like mg.gogalora.com or email-mg.gogalora.com. Alternatively, you can subscribe to Cloudflare ACM, and deploy a certificate for email.mg.gogalora.com.

1 Like
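As an added illustration of the NET::ERR_CERT_COMMON_NAME_INVALID error and of why a single-level hostname or an explicitly issued certificate fixes it, here is a simplified RFC 6125 hostname match; it is not code from the thread, Cloudflare or Mailgun, and the three subjectAltName lists are constructed assumptions rather than the real certificates’ contents.

```python
def name_matches(pattern, hostname):
    """RFC 6125-style match of one certificate dNSName against a hostname.

    A wildcard covers exactly one DNS label: *.gogalora.com matches
    mg.gogalora.com but neither email.mg.gogalora.com nor gogalora.com.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(san_names, hostname):
    """True if any subjectAltName in the certificate matches the hostname.

    Modern browsers check the SAN list only; the CN alone is not enough.
    """
    return any(name_matches(n, hostname) for n in san_names)


# Constructed SAN lists (assumptions, not copied from the real certificates):
MAILGUN_CERT = ["mailgun.org", "*.mailgun.org"]      # what the CNAME target served
WILDCARD_CERT = ["gogalora.com", "*.gogalora.com"]   # a one-level wildcard for the zone
ACM_CERT = ["email.mg.gogalora.com"]                 # certificate naming the exact host


def verdicts(hostname="email.mg.gogalora.com"):
    """Which certificate a browser would accept for the tracking hostname."""
    return {
        "mailgun": cert_covers(MAILGUN_CERT, hostname),    # False: name mismatch
        "wildcard": cert_covers(WILDCARD_CERT, hostname),  # False: two labels deep
        "acm": cert_covers(ACM_CERT, hostname),            # True
    }
```

The same wildcard certificate would cover mg.gogalora.com, which is why a single-level hostname avoids the problem without a dedicated certificate.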

Okay @michael - I just added Cloudflare ACM and added an edge certificate for email.mg.gogalora.com. Is there anything else I need to do? How do I retest - do I just wait and try to load an old email url?

Thanks!
Chris

That doesn’t look like the cert’s been added yet.