Pages custom subdomain CNAME not working

What is the name of the domain?

https://traindeals.acc-belgiantrain.be/

What is the error message?

Inactive (Error)

What is the issue you’re encountering

Custom subdomain is not working even though the CNAME is set up correctly. Currently when I open the site I am shown the following error message: “ERR_SSL_VERSION_OR_CIPHER_MISMATCH”, could there be some relation?

What steps have you taken to resolve the issue?

Removed + added the domain several times but it’s not helping. CNAME has been set for at least 30 hours: https://www.nslookup.io/domains/traindeals.acc-belgiantrain.be/dns-records/ and pointing to ‘nmbs-advantage-platform-acc.pages.dev’ which is correct. Am I still doing something incorrect? I used the docs mentioned at: Custom domains | Cloudflare Pages docs

What feature, service or problem is this related to?

DNS records

Screenshot of the error

The nameservers for your domain aren’t replying via TCP, which might be what causes the problem:

dig +trace +nodnssec traindeals.acc-belgiantrain.be +tcp

; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> +trace +nodnssec traindeals.acc-belgiantrain.be +tcp
;; global options: +cmd
.                       6872    IN      NS      a.root-servers.net.
.                       6872    IN      NS      f.root-servers.net.
.                       6872    IN      NS      g.root-servers.net.
.                       6872    IN      NS      b.root-servers.net.
.                       6872    IN      NS      c.root-servers.net.
.                       6872    IN      NS      k.root-servers.net.
.                       6872    IN      NS      j.root-servers.net.
.                       6872    IN      NS      d.root-servers.net.
.                       6872    IN      NS      m.root-servers.net.
.                       6872    IN      NS      h.root-servers.net.
.                       6872    IN      NS      l.root-servers.net.
.                       6872    IN      NS      i.root-servers.net.
.                       6872    IN      NS      e.root-servers.net.
;; Received 239 bytes from 127.0.0.53#53(127.0.0.53) in 0 ms

be.                     172800  IN      NS      y.nsset.be.
be.                     172800  IN      NS      z.nsset.be.
be.                     172800  IN      NS      c.nsset.be.
be.                     172800  IN      NS      a.nsset.be.
be.                     172800  IN      NS      d.nsset.be.
be.                     172800  IN      NS      b.nsset.be.
;; Received 429 bytes from 202.12.27.33#53(m.root-servers.net) in 28 ms

acc-belgiantrain.be.    86400   IN      NS      ns2.belgiantrain.be.
acc-belgiantrain.be.    86400   IN      NS      ns1.belgiantrain.be.
;; Received 142 bytes from 2001:678:6c::1#53(d.nsset.be) in 32 ms

;; communications error to 185.180.44.4#53: timed out
;; communications error to 185.180.44.4#53: timed out
;; communications error to 185.180.44.4#53: timed out
;; Connection to 185.180.45.4#53(185.180.45.4) for traindeals.acc-belgiantrain.be failed: timed out.
;; no servers could be reached

@Laudian Is that a requirement for the CF check to work? DNS is managed by another team.

I don’t know if this is a specific requirement for Cloudflare Pages, but it is a requirement of the DNS standard and would likely cause problems.

@Laudian Thanks for the tip! Will give this information to the other team first thing tomorrow.


It can’t go active if it’s not reachable. Cloudflare has to issue a cert for the hostname, and it can’t issue a cert if the site can’t return the .well-known value.

@sdayman so you are also saying it’s going to be the same TCP issue right? (just to be sure when I create a change request tomorrow :slight_smile: )

It also looks like you have a CAA record, and that may be restricting the certificate Pages is trying to issue.

https://dnschecker.org/#CAA/acc-belgiantrain.be


@sdayman I did mention the CAA thing to them as this was their response:

“As per DNS standard, CNAME with CAA record won’t work. In order to get this work, either we need to create “A” record or temporarily allowlist given CAA value in global domain level.”

I wonder if them adding the records specified at: Custom domains | Cloudflare Pages docs would be sufficient? I assume only letsencrypt and google are needed: Certificate authorities | Cloudflare SSL/TLS docs

I’m not sure what they mean here. Are they saying the problem is because you have a CNAME record that points to pages.dev? That doesn’t make sense, because I know that works.

Or are they saying they use a CNAME record for CAA? That wouldn’t make much sense, either, though I suppose that’s possible. If that’s it, then it may be worth attempting to create proper CAA records at your DNS:

Yea I am going to ask them to add those records, as I can see them already having 2 CAA records:

@sdayman, just to be clear, when a CNAME is configured, the CAA of the “host” are still considered, right?

Thanks for all the help, will update the post with their feedback/actions :wink:

@sdayman I just read the following at https://sslmate.com/caa/about:

If a domain name is a CNAME (also known as an alias) for another domain, then the certificate authority looks for the CAA record set at the CNAME target (just like any other DNS lookup). If no CAA record set is found, the certificate authority continues searching parent domains of the original domain name.

UPDATE: I think this is happening, please confirm @sdayman

  1. CAA records at nmbs-advantage-platform-acc.pages.dev are requested (none found):

  2. CAA records at traindeals.acc-belgiantrain.be are requested (none found):

  3. CAA records at acc-belgiantrain.be are requested + used:

It seems like I can’t specify any CAA records for my Cloudflare pages project, I think that would resolve this issue at our end without requiring any other actions from the offshore team.
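The CAA walk described above, as an added example that is not part of this thread: it replays the lookup order (CNAME target first, then the original name's parents) over a constructed in-memory zone instead of live DNS, and the CA identifier in the zone is a placeholder.

```python
# Added example: simulates the CAA lookup a CA performs for a CNAME'd hostname.
# ZONE is constructed to mirror the thread; no real DNS queries are made.
# CAA values are (flags, tag, value) tuples; "example-ca.test" is a placeholder CA.
ZONE = {
    "CNAME": {"traindeals.acc-belgiantrain.be": "nmbs-advantage-platform-acc.pages.dev"},
    "CAA": {"acc-belgiantrain.be": [(0, "issue", "example-ca.test")]},
}


def caa_query(name):
    """Answer a CAA query for one name. An alias (CNAME) is answered from its target,
    exactly as any other record lookup would be. Returns (answering_owner, records)."""
    owner = ZONE["CNAME"].get(name, name)
    return owner, ZONE["CAA"].get(owner, [])


def ancestors(name):
    """The name itself followed by each parent up to the TLD (root excluded)."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def relevant_caa(name):
    """Walk name, then its parents, until a non-empty CAA set is found.
    Returns (lookups, owner, records); lookups is the audit trail of
    (queried_name, answering_owner, record_count) for each step taken."""
    lookups = []
    for candidate in ancestors(name):
        owner, recs = caa_query(candidate)
        lookups.append((candidate, owner, len(recs)))
        if recs:
            return lookups, owner, recs
    return lookups, None, []


def ca_may_issue(name, ca_domain):
    """True if a CA identified by ca_domain may issue for name under the relevant CAA set.
    Only the 'issue' tag is evaluated; 'issuewild' and the critical flag are out of scope."""
    _, _, recs = relevant_caa(name)
    if not recs:
        return True  # no CAA set anywhere in the chain: any CA may issue
    return ca_domain in {value for _, tag, value in recs if tag == "issue"}
```

Adding an `issue` record for the CA that Pages uses to the apex set (the thread's proposed fix) flips `ca_may_issue` to true without touching the CNAME.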

You are correct in your 1-3 assessment of why these CAA records are getting picked up.

Cloudflare only manages CAA records where you use Cloudflare for DNS. If you use Cloudflare for DNS and have CAA records added, the relevant ones for Cloudflare are added automatically based on the criteria here:

As you are using another DNS provider, you would need to update your CAA records on your apex domain to include those CAs used by Cloudflare.

You are welcome to open a request in Feature Request Submitting & Feedback to have Cloudflare add CAA records to pages.dev hostnames in future, but this is not something available at the moment.


Thanks everyone for all the help, this makes things crystal clear for me to explain tomorrow morning :wink:

Also in case anyone still needs more context, I got some great answers over on discord from some CF employees: Discord


@sdayman @Laudian I got the following response regarding the TCP change request:

“TCP/53 won’t be required once you have a CAA record. Also, keeping TCP/53 DNS is vulnerable, as it can cause the system to go down.”

  1. Is this the case, is there a risk of opening up the TCP port?
  2. Is there a way to find the .well-known URL, I am having trouble tracking it down.
