Gmail doesn't work after enabling FULL ssl strict


#1

I just changed the Crypto SSL settings from Flexible to Full (Strict).

I have a G Suite business account and I am using a subdomain as my “shortcut” to reach Gmail and Google Drive.
E.g. mail.website.com and drive.website.com are the shortcuts.

Well, it seems that after this crypto change, both websites are no longer accessible:

If I turn Crypto back to Flexible, everything is all right.

I wonder why I can’t resolve the Google address when Strict is enabled?

Note: I have the http -> https redirect enabled for all my subdomains.
Note 2: I also have another subdomain where I host a Discourse forum, and that one works perfectly (again: https only) by using a LetsEncrypt certificate.


#2

Full (Strict) requires that your origin server either has valid CA-signed certs for your domain or a Cloudflare Origin cert.

relevant:
https://support.google.com/a/answer/53340?hl=en

Note that if you’ve activated a secure protocol on your domain, Google Custom URL redirection does not work as it is not compatible with TLS/SSL redirection which forces encrypted browsing. The URL http://mail.domain.com is redirected to https://mail.domain.com instead of https://mail.google.com/a/domain.com.

Does https work if you don’t go through Cloudflare? Cloudflare’s strict SSL mode validates the cert the same way your browser does (unless you use cloudflare’s origin certs) so turning Cloudflare’s CDN off (:grey:) and trying to go to your origin server with your browser directly is a good way to test it.


#3

If I disable the CDN:

the mail is not accessible:

(look at what IPs are resolved)


#4

When you go to set up the mail custom domain in the Google Apps admin console the setting looks like this:


I don’t think it supports using https.
If you want https using Cloudflare for this thing you will need to use Flexible SSL. Also know that if you do that, then your emails will go from Google’s servers to Cloudflare over http.


#5

Is it because of the http: at the start of the custom URL?

In that case there is nothing to be done, except using Flexible?

I found this: https://support.google.com/a/forum/AAAA034zvV8BN8kx1XqKf8/?hl=en

https://support.google.com/a/forum/AAAA034zvV8KnNc7HRLugo/?hl=en


#6

It seems they don’t support it. If you are an administrator that pays for a G Suite account you can suggest they add SSL support on custom domains as a feature.
https://goo.gl/M7pakJ
It’s actually pretty easy to do technically. All Let’s Encrypt needs you to do is to respond to an http request. Uptime Robot supports SSL on custom domains by just putting Caddy in front of their requests.

The company I work for just uses the https://mail.google.com/a/domainname and doesn’t customize the URL. Is that something that works for you?


#7

It works, yes, but having the simpler and shorter version is more of an aid for us.


#8

It works setting SSL to Full, not Strict, on those subdomains and then :orange: the record.


#9

Unfortunately for me that still doesn’t seem to work.


#10

I think you can just go to gmail.com and sign in with your org account.


#11

Of course I can just log in with the username and password.
Of course I can select my user in the upper right of the screen (normal or business).
Those always worked!

What I only wanted was to use the short form of mail.domain.com instead of the longer ways:

  • https://mail.google.com/a/domainname
  • gmail.com -> then change the user in upper right

as that is faster to type both for me and for some of my users.

This is my only use case! I understand that Google doesn’t support https for mail yet, and I’ll create a feature request for that, as I feel it would be really useful.


I have tried both Full (Strict) and Full (not Strict), both with :grey: and :orange:, yet none worked.
The only thing that works (now and previously) is to use Flexible and :orange:.

My only problem with that is that the first request to Google servers is not encrypted and therefore could be hijacked (I assume that afterwards, after the redirect happens, I only talk to Google servers, Cloudflare is no longer a part of this and hence I have full https – because the address I’m seeing in my browser is https://mail.google.com/mail/u/1/).


#12

Sorry, my bad! You are right, there is no way to use Full, I have it set to Flexible…


#13

Ah balls. So then it remains like this: hope that Google will someday implement https for ghs.googlehosted.com, right?


#14

They would need to have a certificate for your domain there or at least support basic HTTPS, but I would assume this will be the least probable case…


#15

If all you want is a redirect you could use a page rule to redirect the mail subdomain to anything you want.
You only get 3 for free though… Alternatively you could run your own server with Full (Strict) that is configured to do the redirect.
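As an added example (not from this thread, nor Cloudflare’s or Google’s own code) of the “run your own server” option above: a minimal Go origin that serves only HTTPS and answers the shortcut hostnames with a permanent redirect to the Google custom URL, so Cloudflare can sit in front of it in Full (Strict) and the first hop is never plain http. It assumes the org domain website.com from the thread, the mail.google.com/a/ mapping quoted earlier, a drive mapping as an assumption, and placeholder cert.pem/key.pem paths for a CA-signed or Cloudflare Origin certificate.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"strings"
)

// orgDomain is the G Suite domain the shortcuts hang off (constructed example value).
const orgDomain = "website.com"
// services maps a shortcut label to the Google host it forwards to.
// "mail" is the case from the thread; "drive" is an assumption.
var services = map[string]string{
	"mail":  "mail.google.com",
	"drive": "drive.google.com",
}
// redirectTarget returns the Google custom URL for a request Host header,
// or ok=false when the host is not one of the configured shortcuts.
func redirectTarget(host string) (target string, ok bool) {
	if i := strings.IndexByte(host, ':'); i >= 0 {
		host = host[:i] // drop an explicit port such as mail.website.com:443
	}
	host = strings.ToLower(host)
	suffix := "." + orgDomain
	if !strings.HasSuffix(host, suffix) {
		return "", false
	}
	googleHost, found := services[strings.TrimSuffix(host, suffix)]
	if !found {
		return "", false
	}
	return fmt.Sprintf("https://%s/a/%s", googleHost, orgDomain), true
}
// handler issues a permanent redirect for known shortcuts and a 404 for
// everything else, so the origin never serves content of its own.
func handler(w http.ResponseWriter, r *http.Request) {
	target, ok := redirectTarget(r.Host)
	if !ok {
		http.NotFound(w, r)
		return
	}
	w.Header().Set("Strict-Transport-Security", "max-age=31536000")
	http.Redirect(w, r, target, http.StatusMovedPermanently)
}

func main() {
	// cert.pem/key.pem are placeholder paths for a CA-signed or Cloudflare Origin certificate.
	log.Fatal(http.ListenAndServeTLS(":443", "cert.pem", "key.pem", http.HandlerFunc(handler)))
}
```

With the DNS record set to :orange: and Cloudflare pointing at this origin over port 443, the http -> https redirect on the edge plus this server keeps every hop encrypted; only the certificate on the origin needs to validate for Full (Strict) to pass.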

