No redirect or SSL on subdomain

I’m setting up an online bookstore and came across Revue yesterday, which I think would be a good way to manage my newsletters and integrate with Twitter, but it does not have SSL.

I have Cloudflare set up on my website blackdragonbook.co.uk (currently in ‘coming soon’ mode) and Revue instructs that if I add a CNAME redirecting a sub domain of ‘newsletter’ to www.getrevue.co then the connection should become secure (How to make your custom domain secure with SSL | Revue Help Center).

However, I get this error:

An error occurred during a connection to newsletter.blackdragonbooks.co.uk. SSL peer has no certificate for the requested DNS name.

Error code: SSL_ERROR_UNRECOGNIZED_NAME_ALERT

I can go to http://newsletter.blackdragonbooks.co.uk and it loads, it does not redirect to https though the option is enabled. When I manually type https I get the above error.

Anybody have any ideas?

Thanks,
John

Forgot to add, my CNAME is also proxied (orange).

www.getrevue.co does not use Cloudflare.

dig ns getrevue.co +short
ns34.domaincontrol.com.
ns33.domaincontrol.com.

So their instructions at How to make your custom domain secure with SSL | Revue Help Center are useless?

Brilliant, I guess I’ll be disabling that :slight_smile:

I assume step 1 to using Cloudflare with their service was to move your domain to using Cloudflare. Since that hasn’t been done I can’t comment on the rest of their steps.

Edit: Just read the link… it’s step 3 actually. So you need to complete step 3 before moving on to other steps.

I’ve already set my nameservers to harmony.ns.cloudflare.com and rocco.ns.cloudflare.com

If you’ve made the change at GoDaddy it is not being reflected yet…

Domain Name: GETREVUE.CO
Registry Domain ID: D64532363-CO
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: https://www.godaddy.com
Updated Date: 2019-05-16T00:40:06Z
Creation Date: 2015-01-20T15:26:36Z
Registrar Registration Expiration Date: 2022-01-19T23:59:59Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: ok https://icann.org/epp#ok
Registrant Organization: Revue Holding BV
Registrant State/Province: ZH
Registrant Country: NL
Registrant Email: Select Contact Domain Holder link at https://www.godaddy.com/whois/results.aspx?domain=GETREVUE.CO
Tech Email: Select Contact Domain Holder link at https://www.godaddy.com/whois/results.aspx?domain=GETREVUE.CO
Admin Email: Select Contact Domain Holder link at https://www.godaddy.com/whois/results.aspx?domain=GETREVUE.CO
Name Server: NS33.DOMAINCONTROL.COM
Name Server: NS34.DOMAINCONTROL.COM
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2021-11-19T12:19:32Z <<<

I’m with NameCheap and that shows as having Cloudflare DNS.

Revue is a service that Twitter bought. I cannot change their DNS, obviously, but according to their instructions if I set up newsletter.blackdragonbooks.co.uk with a CNAME of newsletter redirected to www.getrevue.co then I should get SSL from Cloudflare making the email form secure.

Hi @user161. Seems like your NS are indeed propagated now: DNS Checker - DNS Check Propagation Tool

The problem could be your SSL settings, or a mistake on getrevue.co.

To solve this you could set your SSL Mode to “Full” or “Flexible” but keep in mind that with flexible the connection between Cloudflare and the origin is not encrypted now, even if it seems to be.

Also keep in mind that Cloudflare cannot guarantee that tutorials which are not official Cloudflare tutorials will work, nor that they will work in the future. As you are using a “getrevue.co” service you definitely should ask them for support.

Anyway you get an Error 525 here: https://newsletter.blackdragonbooks.co.uk/ which the docs help you to solve: Community Tip - Fixing Error 525: SSL handshake failed

EDIT:

Congrats, it’s working now.

Hi, thanks, I’ve taken a look and played with the settings. I’m not sure the guide they provided is accurate.

When I use the DNS test on my subdomain I get a return for A, but both CNAME and NS fail.

I’m still not getting the site up as working though I have added a rule to make the subdomain flexible, if this works I’ll try and up it to Full.

It works:

Thanks, this will make your setup more secure. If it works with Full stay at “Full” as somehow “Full Strict” does not work, even if they have a valid SSL Cert.

Awesome. Thank you!

Hardly. The OP simply has a broken and insecure site at this point.

Congratulations to that :roll_eyes:

@user161 is your subdomain (newsletter.blackdragonbooks.co.uk) currently in SSL Mode “Flexible” or “Full”?


I’ve tried setting the subdomain to Flexible with a rule (just as a test) but I’ve still had no joy. The main domain is Strict.

When I type http it doesn’t redirect to https on the subdomain but it does on the main domain. The CNAME doesn’t work on the subdomain when I use the DNS Checker, neither does NS, but it shows when I select A (which I’m guessing is Cloudflare flattening the CNAME to an IP and therefore an A record)

Yep, and that’s why you have aforementioned broken site.

The subdomain hasn’t worked on Strict, Full, or Flexible for some reason. I’m going to remove the rule and send it back to strict. If it comes down to it I can use the default Revue domain (which is secure) but I’d rather use my own subdomain because it’s more professional.

I would unproxy the record for now and discuss with your host what you need to do in order to secure your site. As it is right now you have an insecure site and things are on HTTP.

I am afraid your host really is your primary contact here. Mentioned article really has all the details on that.

The main problem here is: the cert on www.getrevue.co is not valid for your domain. The problem is on their side now. They must add your domain / subdomain to their allowed list so your domain ends up in the cert so it can be validated with their cert on www.getrevue.co.

After this change SSL Settings to “Full Strict” :slight_smile:

Cheers, I’ve sent them a support request. If it comes down to it, I’ll just use their default Newsletter signup page.
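
Added example, not part of the thread or any participant's post: a Python sketch of the check the thread converges on, namely whether the certificate presented by the CNAME target covers the custom hostname, and what each Cloudflare SSL mode does on the Cloudflare-to-origin leg as a result. The SAN list is constructed for illustration (not the provider's real certificate), `edge_result` is a simplified model, and `probe_origin` is a hypothetical helper that needs network access.

```python
import socket
import ssl

def san_matches(hostname, san):
    """Match a hostname against one certificate dNSName; '*' may only be the whole leftmost label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = san.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        # Reject over-broad patterns such as "*.com"; wildcard covers exactly one label.
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat

def cert_covers(hostname, dns_names):
    return any(san_matches(hostname, name) for name in dns_names)

def edge_result(mode, handshake_ok, cert_ok):
    """Simplified model (an assumption) of the Cloudflare-to-origin leg per SSL mode."""
    if mode == "flexible":
        return "served; origin leg is plain HTTP"
    if not handshake_ok:
        return "error 525 (TLS handshake failed)"
    if mode == "full":
        return "served; origin certificate not validated"
    return "served; origin certificate validated" if cert_ok else "error 526 (invalid certificate)"

def probe_origin(origin, hostname, port=443, timeout=5.0):
    """Live check: connect to the origin, send hostname as SNI, verify as a strict client would.
    Returns (origin_speaks_tls, cert_valid_for_hostname, details)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((origin, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                sans = [v for k, v in tls.getpeercert().get("subjectAltName", ()) if k == "DNS"]
                return True, cert_covers(hostname, sans), sans
    except ssl.SSLCertVerificationError as exc:
        # TLS is offered, but the certificate fails validation for this name.
        return True, False, [exc.verify_message]
    except (ssl.SSLError, OSError) as exc:
        return False, False, [str(exc)]

# Constructed SAN list for illustration, not the provider's real certificate.
SAMPLE_SANS = ["getrevue.co", "www.getrevue.co", "*.example-newsletters.test"]
HOST = "newsletter.blackdragonbooks.co.uk"

if __name__ == "__main__":
    covered = cert_covers(HOST, SAMPLE_SANS)
    for mode in ("flexible", "full", "strict"):
        print(mode, "->", edge_result(mode, handshake_ok=True, cert_ok=covered))
```

Calling `probe_origin("www.getrevue.co", HOST)` from a machine with network access gives the live inputs for `edge_result`; only the strict branch authenticates the origin.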