Help setting up a CNAME record from Vercel

Ok so basically my situation is this:

I own “domain-x.dev”. It uses Vercel’s nameservers.
I own “domain-y.xyz”. It uses Cloudflare’s nameservers.

I want to create an Alias or CNAME record in my Vercel DNS records for “sub1.domain-x.dev” to basically point to the same thing as “domain-y.xyz”.

It is worth mentioning that I am using domain-y to tunnel traffic from a local server I am running. The website I set up for tunneling works well on “domain-y.xyz”. It has a valid SSL certificate generated by Cloudflare. My server also stores and sends an SSL origin server certificate using NGINX.

I have created the necessary DNS records (on Vercel’s side) but to no avail. I keep getting this error:
“ERR_SSL_VERSION_OR_CIPHER_MISMATCH”.

I have tried configuring settings on the Cloudflare dashboard for hours. Still nothing.

Any help is appreciated.

You need to use Cloudflare for SaaS to create a CNAME record to a domain that is proxied on Cloudflare:

Keep in mind that you can’t create CNAME records for apex domains, but only for subdomains. So unless Vercel supports something like Cloudflare’s CNAME flattening, you need to use a subdomain.


I have done this. I think because Vercel automatically manages their SSL certificates I am getting this error:

That error message tells you what to do to resolve it.

Either remove all CAA records or add one that allows the Google Trust Services pki.goog to issue certificates for your domain.

Google Trust Services | FAQ and contact.


Thank you for your help!

With your advice, I have managed to successfully add my foreign host SSL custom host configuration.

I have now come to another issue.

The HTTPS tunnel I have set at domain-y.xyz works well.
I have added this record to my Vercel DNS records:

sub1 CNAME domain-y.xyz

The problem is I now get this error when I try to access sub1.domain-x.dev (domain-x is the one on Vercel’s nameservers):

HTTP ERROR 404

I really don’t understand why this might be happening when domain-y.xyz works perfectly and the CNAME record has been created on Vercel’s nameservers.

Did you add the new domain to your server configuration?


I have added the new domain to the server’s nginx config file, yes. No changes still.

I’ve run a nslookup on both domain-y.xyz and domain-x.dev and have gotten different results for the address. It does mention the CNAME record on domain-x.dev’s output.

I’ve also run a traceroute and this time they both end on the same address.

The 404 error would be served by your Origin server, so you need to find out why your server isn’t showing the site you expect to see.


In the browser the domains don’t terminate to the same IP address.


Would this still point to the server being the issue here?

Yes, it would.

After some more investigation I’ve come to the conclusion that it is not an origin server issue.

The catch-all rule of this tunnel set is http_status:404. When I change the status error and try to connect to my Vercel domain the status error in the browser changes accordingly. I think it is reasonable to conclude that I am getting the 404 error from the catch-all rule, not my server.

That being said, I still don’t know why the CNAME record does not work as intended.

From what I can see, CF for SaaS will always end up using the catch all rule (I don’t have any domains outside Cloudflare, so I can’t test it myself right now).

It was mentioned here at the end:


OH MY GOD. Finally. Thank you so much! IT WORKS!

I’ve set the catch all rule to “http://localhost:8080”, which is where draw.“domain-y”.xyz also points to (that is how I set up the tunnel).

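The behaviour worked out in the thread, as an added example that is not part of any post and not Cloudflare's code: a small model of first-match ingress routing, assuming the request for the custom hostname reaches the tunnel with `sub1.domain-x.dev` as its hostname. The rule sets, the function names and the probe hostname `other.example.net` are constructed for illustration.

```python
# Added illustration: a model of first-match tunnel ingress routing.
# All rule sets and hostnames below are constructed from the thread's description.
ORIGIN = "http://localhost:8080"

# Original setup: one public hostname, catch-all answers 404.
BEFORE = [
    {"hostname": "draw.domain-y.xyz", "service": ORIGIN},
    {"service": "http_status:404"},  # catch-all (no hostname), must be last
]
# Setup after the fix from the thread: catch-all forwards to the origin.
AFTER = [
    {"hostname": "draw.domain-y.xyz", "service": ORIGIN},
    {"service": ORIGIN},
]


def matches(pattern, host):
    """Exact match, or '*.example.com' style wildcard for subdomains."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def route(rules, host):
    """Return the service of the first rule that matches the request hostname."""
    host = host.split(":")[0].rstrip(".").lower()
    for rule in rules:
        pattern = rule.get("hostname")
        if pattern is None or matches(pattern.lower(), host):
            return rule["service"]
    raise ValueError("rule set has no catch-all rule")


def unexpected_hosts(rules, expected, probes):
    """Probe hostnames that reach the origin without being on the expected list."""
    return [h for h in probes if route(rules, h) == ORIGIN and h not in expected]


EXPECTED = {"draw.domain-y.xyz", "sub1.domain-x.dev"}
PROBES = ["draw.domain-y.xyz", "sub1.domain-x.dev", "other.example.net"]

if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        for host in PROBES:
            print(f"{name:6} {host:20} -> {route(rules, host)}")
        print(f"{name:6} unexpected at origin: {unexpected_hosts(rules, EXPECTED, PROBES)}")
```

Once the catch-all forwards to the origin, hostname filtering has to happen in the NGINX `server_name` configuration on the origin.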

I think that should really be mentioned in the docs…

Any idea who I could contact for that @cloonan ? From my search, it seems this has tripped quite a few people already.


+1 agree, thank you @Laudian @epic.network I have flagged this topic for my Documentation colleagues.

