Custom subdomain is not working even though the CNAME is set up correctly. Currently when I open the site I am shown the following error message: “ERR_SSL_VERSION_OR_CIPHER_MISMATCH”. Could there be some relation?
The nameservers for your domain aren’t replying via TCP, which might be what causes the problem:
dig +trace +nodnssec traindeals.acc-belgiantrain.be +tcp
; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> +trace +nodnssec traindeals.acc-belgiantrain.be +tcp
;; global options: +cmd
. 6872 IN NS a.root-servers.net.
. 6872 IN NS f.root-servers.net.
. 6872 IN NS g.root-servers.net.
. 6872 IN NS b.root-servers.net.
. 6872 IN NS c.root-servers.net.
. 6872 IN NS k.root-servers.net.
. 6872 IN NS j.root-servers.net.
. 6872 IN NS d.root-servers.net.
. 6872 IN NS m.root-servers.net.
. 6872 IN NS h.root-servers.net.
. 6872 IN NS l.root-servers.net.
. 6872 IN NS i.root-servers.net.
. 6872 IN NS e.root-servers.net.
;; Received 239 bytes from 127.0.0.53#53(127.0.0.53) in 0 ms
be. 172800 IN NS y.nsset.be.
be. 172800 IN NS z.nsset.be.
be. 172800 IN NS c.nsset.be.
be. 172800 IN NS a.nsset.be.
be. 172800 IN NS d.nsset.be.
be. 172800 IN NS b.nsset.be.
;; Received 429 bytes from 202.12.27.33#53(m.root-servers.net) in 28 ms
acc-belgiantrain.be. 86400 IN NS ns2.belgiantrain.be.
acc-belgiantrain.be. 86400 IN NS ns1.belgiantrain.be.
;; Received 142 bytes from 2001:678:6c::1#53(d.nsset.be) in 32 ms
;; communications error to 185.180.44.4#53: timed out
;; communications error to 185.180.44.4#53: timed out
;; communications error to 185.180.44.4#53: timed out
;; Connection to 185.180.45.4#53(185.180.45.4) for traindeals.acc-belgiantrain.be failed: timed out.
;; no servers could be reached
It can’t go active if it’s not reachable. Cloudflare has to issue a cert for the hostname, and it can’t issue a cert if the site can’t return the .well-known value.
@sdayman I did mention the CAA thing to them as this was their response:
“As per the DNS standard, a CNAME with a CAA record won’t work. In order to get this to work, we either need to create an ‘A’ record or temporarily allowlist the given CAA value at the global domain level.”
I’m not sure what they mean here. Are they saying the problem is because you have a CNAME record that points to pages.dev? That doesn’t make sense, because I know that works.
Or are they saying they use a CNAME record for CAA? That wouldn’t make much sense, either, though I suppose that’s possible. If that’s it, then it may be worth attempting to create proper CAA records at your DNS:
If a domain name is a CNAME (also known as an alias) for another domain, then the certificate authority looks for the CAA record set at the CNAME target (just like any other DNS lookup). If no CAA record set is found, the certificate authority continues searching parent domains of the original domain name.
UPDATE: I think this is happening, please confirm @sdayman
CAA records at nmbs-advantage-platform-acc.pages.dev are requested (none found):
It seems like I can’t specify any CAA records for my Cloudflare pages project, I think that would resolve this issue at our end without requiring any other actions from the offshore team.
You are correct in your 1-3 assessment of why these CAA records are getting picked up.
Cloudflare only manages CAA records where you use Cloudflare for DNS. If you use Cloudflare for DNS and have CAA records added, the relevant ones for Cloudflare are added automatically based on the criteria here:
As you are using another DNS provider, you would need to update your CAA records on your apex domain to include those CAs used by Cloudflare.
You are welcome to open a request in Feature Request Submitting & Feedback to have Cloudflare add CAA records to pages.dev hostnames in future, but this is not something available at the moment.
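To make the CAA behaviour described in the two replies above concrete (the CA checks CAA at the CNAME target, then climbs the parents of the original name, so a CAA set on the customer's apex ends up governing a Pages hostname that has no CAA of its own), here is an added example that is not part of this thread and not Cloudflare's code. It walks the lookup order over a constructed in-memory zone snapshot, so it runs offline. The domain names, CAA values and CA identifiers (`example.be`, `project.pages.example`, `ca-one.example`, `ca-two.example`) are all hypothetical; the page does not reveal the real records.

```python
"""Worked CAA resolution over a constructed zone snapshot (no network access).

Models the lookup order a CA applies (RFC 8659): look up CAA at the requested
name, following any CNAME chain to its target; if that yields nothing, climb
the parents of the ORIGINAL name until a non-empty CAA set is found.
Every name and CA identifier here is hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Zone:
    # Constructed DNS snapshot: alias -> target, and owner name -> [(tag, value)].
    cname: dict[str, str] = field(default_factory=dict)
    caa: dict[str, list[tuple[str, str]]] = field(default_factory=dict)


def normalize(name: str) -> str:
    return name.strip().rstrip(".").lower()


def follow_cnames(zone: Zone, name: str, max_hops: int = 8) -> list[str]:
    """Return the alias chain starting at name (name itself first)."""
    chain = [normalize(name)]
    while chain[-1] in zone.cname:
        target = normalize(zone.cname[chain[-1]])
        if target in chain or len(chain) > max_hops:
            raise ValueError(f"CNAME loop or chain too long at {chain[-1]}")
        chain.append(target)
    return chain


def lookup_caa(zone: Zone, name: str) -> tuple[str, list[tuple[str, str]]]:
    """CAA(name) as a resolver answers it: the records at the end of any alias chain."""
    canonical = follow_cnames(zone, name)[-1]
    return canonical, zone.caa.get(canonical, [])


def relevant_caa(zone: Zone, name: str) -> tuple[Optional[str], list[tuple[str, str]]]:
    """Walk name and then its parents; the first non-empty CAA set is the relevant one."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        found_at, records = lookup_caa(zone, owner)
        if records:
            return found_at, records
    return None, []


def ca_may_issue(zone: Zone, name: str, ca: str) -> bool:
    """True if the relevant CAA set permits `ca` to issue a non-wildcard cert for name."""
    _, records = relevant_caa(zone, name)
    if not records:
        return True  # no CAA anywhere up the chain: issuance is unrestricted
    issuers = [v for tag, v in records if tag.lower() == "issue"]
    if not issuers:
        return True  # CAA present but no 'issue' property: non-wildcard issuance unrestricted
    # Value is "<ca-domain>[; param=value ...]"; only the domain part names the CA.
    # An empty domain part ("issue ;") forbids every CA.
    allowed = {normalize(v.split(";", 1)[0]) for v in issuers}
    return normalize(ca) in allowed


if __name__ == "__main__":
    # Constructed snapshot: the customer's apex carries a CAA naming one CA, and the
    # subdomain is an alias to a Pages-style hostname that has no CAA of its own.
    zone = Zone(
        cname={"traindeals.example.be": "project.pages.example"},
        caa={"example.be": [("issue", "ca-one.example; validationmethods=http-01")]},
    )
    print(relevant_caa(zone, "traindeals.example.be"))
    print(ca_may_issue(zone, "traindeals.example.be", "ca-two.example"))
    # Adding the CA the hosting platform uses to the apex CAA set unblocks issuance.
    zone.caa["example.be"].append(("issue", "ca-two.example"))
    print(ca_may_issue(zone, "traindeals.example.be", "ca-two.example"))
```

The point the walk makes is that the alias target is consulted first, so a CAA set published at the Pages hostname would take precedence; since none can be set there today, the apex set on the customer's own zone is what the CA finds, and it must list every CA the platform may use.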