R2 SSL Not Working On Third Level Subdomain

I’ve set up an R2 bucket on surveys.helpdesk.support.rydercragie.com and it isn’t working with SSL. Other subdomains like static.camp-fox.rydercragie.com set up in the same way does work. So I’m guessing R2 only supports first level and second level and I’d need to buy ACM to use it with third levels? Please confirm and I will purchase if needed.

1 Like

+1 yes, are you seeing a subdomain too deep error?

1 Like

This is the error I get:

Cipher mismatch? We’ve not seen that one around here for a while, some idea in this tip…although I am not getting the same error, I get an nxdomain error :frowning:

If it’s not supposed to work without ACM then that’s fine. I would just like it to have told me this.

I’ll use another subdomain that’s only one level. Thanks.

What I don’t understand is I can set up test1.test1.test1.rydercragie.com and test.test.test.rydercragie.com on the same bucket and it’ll issue an SSL for it. There’s something that it doesn’t like about surveys.helpdesk.support.rydercragie.com. Maybe it’s because helpdesk.support.rydercragie.com and support.rydercragie.com both have their own DNS records attached?

I think you’re onto something with that:

Note that the CA will always respect the CAA record closest to the domain name it is issuing a certificate for. So if you’re requesting a cert for “www.community.example.org”, the CA will check “www.community.example.org”, then “community.example.org”, then “example.org”, stopping at the first CAA record it finds.

Note also that CAA checking follows CNAME redirects, just like all other DNS requests. If “community.example.org” is a CNAME to “example.forum.com”, the CA will respect any CAA records that are set on “example.forum.com”. It is not allowed for a domain name with a CNAME record to have any other records, so there cannot be conflicts between CAA records on the original name and CAA records on the target of the redirect.
(stolen from Certificate Authority Authorization (CAA) - Let's Encrypt, a great source)

dig caa surveys.helpdesk.support.rydercragie.com

doesn’t have anything, but:

dig caa helpdesk.support.rydercragie.com
;; ANSWER SECTION:
helpdesk.support.rydercragie.com. 300 IN CNAME desk.cs.zohohost.eu.
desk.cs.zohohost.eu. 300 IN CAA 0 issue “letsencrypt.org

the subdomain below it does, from the CNAME.

I would try explicitly creating CAA records for all of the authorities Cloudflare uses on the same subdomain as the bucket (surveys.helpdesk.support), you can copy them from the Pages guide here: Debugging Pages · Cloudflare Pages docs
You shouldn’t need the wildcards, just the specific hostname ones.

surveys.helpdesk.support.rydercragie.com. 300 IN CAA 0 issue “comodoca.com
surveys.helpdesk.support.rydercragie.com. 300 IN CAA 0 issue “digicert.com
surveys.helpdesk.support.rydercragie.com. 300 IN CAA 0 issue “letsencrypt.org
surveys.helpdesk.support.rydercragie.com 300 IN CAA 0 issue “pki.goog”

Then delete the Custom Domain from the bucket and readd it, and see if that does the trick.

I was able to repro the same issue by setting Let’s Encrypt CAA only on the lower subdomain, and then it wasn’t able to issue it, and then setting the caa for digicert on the same level and readding it allowed it to issue it. Which makes sense, it’s how CAA records work.

1 Like

Still not working.

I’ll upgrade to the Pro plan soon to log a ticket. This is clearly a backend issue that I can’t fix (and arguably shouldn’t need to pay to fix, as it’s a free feature that is malfunctioning).