Redirect working inconsistently

What is the name of the domain?

claytonandcory com

What is the error message?

ERR_SSL_UNRECOGNIZED_NAME_ALERT

What is the issue you’re encountering

Redirect rule is not working consistently. Originally it worked in Safari, but not in Firefox, Chrome, or Edge. After a few days, redirect stopped working in Safari but is now working in Firefox - still failing in Chrome and Edge.

What are the steps to reproduce the issue?

I’m essentially trying to create a “tiny” URL using my domain, redirecting to a Google web calendar. (For testing and troubleshooting this is just going to the general Google Calendar URL)

Root domain DNS did not previously point to anything, so I created a proxied A record for @ set to 192.0.2.1. Some browsers automatically add www. in front of a root domain, so I created a proxied CNAME record for www set to claytonandcory.com. I also created a proxied CNAME record for calendar set to claytonandcory.com.

I created a single redirect rule, with the following expression:

(http.request.full_uri wildcard r"http*://www.claytonandcory.com/google/web*") or (http.request.full_uri wildcard r"http*://calendar.claytonandcory.com/google/web*") or (http.request.full_uri wildcard r"http*://claytonandcory.com/google/web*")

URL redirect is set to
Type: static
URL: https://calendar.google.com/calendar/
Status code: 301
Preserve query string: unchecked

I assume this is an issue on the DNS side, I thought caching might be at play but it’s been a few days now. I assume the Cloudflare proxy DNS is supposed to handle serving a valid certificate so the browser will properly follow the redirect, but that does not appear to be working correctly based on the error I’m seeing.

This error appears when your browser fails to recognise an SSL certificate returned by the site, meaning the issue occurs before any redirect takes place. Your redirect rule is unrelated to the error you’re seeing.

From my end, your DNS records look fine, and both the TLS handshake and redirects function as expected:

% dig claytonandcory.com @1.1.1.1 +short
104.21.32.1
104.21.48.1
104.21.96.1
104.21.16.1
104.21.64.1
104.21.80.1
104.21.112.1

% dig www.claytonandcory.com @1.1.1.1 +short
104.21.112.1
104.21.64.1
104.21.96.1
104.21.32.1
104.21.48.1
104.21.80.1
104.21.16.1

% curl -svo /dev/null https://claytonandcory.com/google/web-test
* Host claytonandcory.com:443 was resolved.
* IPv6: (none)
* IPv4: 104.21.80.1, 104.21.48.1, 104.21.32.1, 104.21.16.1, 104.21.64.1, 104.21.96.1, 104.21.112.1
*   Trying 104.21.80.1:443...
* Connected to claytonandcory.com (104.21.80.1) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
} [323 bytes data]
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* (304) (IN), TLS handshake, Unknown (8):
{ [19 bytes data]
* (304) (IN), TLS handshake, Certificate (11):
{ [2548 bytes data]
* (304) (IN), TLS handshake, CERT verify (15):
{ [79 bytes data]
* (304) (IN), TLS handshake, Finished (20):
{ [36 bytes data]
* (304) (OUT), TLS handshake, Finished (20):
} [36 bytes data]
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=claytonandcory.com
*  start date: Dec 17 02:07:22 2024 GMT
*  expire date: Mar 17 03:05:54 2025 GMT
*  subjectAltName: host "claytonandcory.com" matched cert's "claytonandcory.com"
*  issuer: C=US; O=Google Trust Services; CN=WE1
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://claytonandcory.com/google/web-test
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: claytonandcory.com]
* [HTTP/2] [1] [:path: /google/web-test]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
> GET /google/web-test HTTP/2
> Host: claytonandcory.com
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
< HTTP/2 301 
< date: Fri, 07 Feb 2025 17:34:22 GMT
< content-type: text/html
< content-length: 167
< location: https://calendar.google.com/
< cache-control: max-age=3600
< expires: Fri, 07 Feb 2025 18:34:22 GMT
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wKM%2FyM91Fmfo94rWspjevuRf%2FuhJnDXNDZKtMABTw3feY5tZymHA8MFlo%2BB1wVh9jC%2FJj32CyNB7ey6YIr7PmJkmlEh3Q5ivPjQnhoSIMnsgr1bu4QndcGcChGDW8S64WN5mW9k%3D"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< server: cloudflare
< cf-ray: 90e5215c5819edea-LHR
< 
{ [167 bytes data]
* Connection #0 to host claytonandcory.com left intact

% curl -svo /dev/null https://www.claytonandcory.com/google/web-test
* Host www.claytonandcory.com:443 was resolved.
* IPv6: (none)
* IPv4: 104.21.80.1, 104.21.16.1, 104.21.48.1, 104.21.112.1, 104.21.96.1, 104.21.32.1, 104.21.64.1
*   Trying 104.21.80.1:443...
* Connected to www.claytonandcory.com (104.21.80.1) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
} [327 bytes data]
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* (304) (IN), TLS handshake, Unknown (8):
{ [19 bytes data]
* (304) (IN), TLS handshake, Certificate (11):
{ [2548 bytes data]
* (304) (IN), TLS handshake, CERT verify (15):
{ [79 bytes data]
* (304) (IN), TLS handshake, Finished (20):
{ [36 bytes data]
* (304) (OUT), TLS handshake, Finished (20):
} [36 bytes data]
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=claytonandcory.com
*  start date: Dec 17 02:07:22 2024 GMT
*  expire date: Mar 17 03:05:54 2025 GMT
*  subjectAltName: host "www.claytonandcory.com" matched cert's "*.claytonandcory.com"
*  issuer: C=US; O=Google Trust Services; CN=WE1
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://www.claytonandcory.com/google/web-test
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: www.claytonandcory.com]
* [HTTP/2] [1] [:path: /google/web-test]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
> GET /google/web-test HTTP/2
> Host: www.claytonandcory.com
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
< HTTP/2 301 
< date: Fri, 07 Feb 2025 17:36:01 GMT
< content-type: text/html
< content-length: 167
< location: https://calendar.google.com/
< cache-control: max-age=3600
< expires: Fri, 07 Feb 2025 18:36:01 GMT
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Fwj4U9wlIURa3LaCXNmIAFSYDVqCAaIa28V%2BZrNdwjRqwdN7rketEq3cZGKwzOCAZIyYkZoGRytmSu534udMrZ%2Bl4tFQ8eCj5e8c%2BHgDGlswzCAjWaa6ej9v2Ti3Whxp1Qwg%2Bp7hzk5X"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< server: cloudflare
< cf-ray: 90e523c98b9bbeae-LHR
< 
{ [167 bytes data]
* Connection #0 to host www.claytonandcory.com left intact

% curl -svo /dev/null https://calendar.claytonandcory.com/google/web-test
* Host calendar.claytonandcory.com:443 was resolved.
* IPv6: (none)
* IPv4: 104.21.80.1, 104.21.112.1, 104.21.96.1, 104.21.48.1, 104.21.16.1, 104.21.32.1, 104.21.64.1
*   Trying 104.21.80.1:443...
* Connected to calendar.claytonandcory.com (104.21.80.1) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
} [332 bytes data]
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* (304) (IN), TLS handshake, Unknown (8):
{ [19 bytes data]
* (304) (IN), TLS handshake, Certificate (11):
{ [2548 bytes data]
* (304) (IN), TLS handshake, CERT verify (15):
{ [79 bytes data]
* (304) (IN), TLS handshake, Finished (20):
{ [36 bytes data]
* (304) (OUT), TLS handshake, Finished (20):
} [36 bytes data]
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=claytonandcory.com
*  start date: Dec 17 02:07:22 2024 GMT
*  expire date: Mar 17 03:05:54 2025 GMT
*  subjectAltName: host "calendar.claytonandcory.com" matched cert's "*.claytonandcory.com"
*  issuer: C=US; O=Google Trust Services; CN=WE1
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://calendar.claytonandcory.com/google/web-test
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: calendar.claytonandcory.com]
* [HTTP/2] [1] [:path: /google/web-test]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
> GET /google/web-test HTTP/2
> Host: calendar.claytonandcory.com
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
< HTTP/2 301 
< date: Fri, 07 Feb 2025 17:36:16 GMT
< content-type: text/html
< content-length: 167
< location: https://calendar.google.com/
< cache-control: max-age=3600
< expires: Fri, 07 Feb 2025 18:36:16 GMT
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DUQ2DXpjg3Va0Iu7Wuu9erdZO4x5Yhld7LkpSALl%2BxHRE8%2Fx5EV23aMJefwxqDujJ52AIjm1wqSH0GqK16KS0lW6vX3qQvoZ3RUCv%2BLhbbjVH9R6G%2BR80bBkRRRcQ1KU%2F0mwYvS4QqcCnm9UvN4%3D"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< server: cloudflare
< cf-ray: 90e52429bfedefdc-LHR
< 
{ [167 bytes data]
* Connection #0 to host calendar.claytonandcory.com left intact

As such, I believe the problem is likely to be local to your environment (browser, device or network). Hence, I would suggest the following:

  1. Purge DNS cache
  2. Disable VPNs and proxies that might interfere with SSL verification.
  3. Test from a different network (e.g., mobile data) to see if it’s an ISP or local issue.
  4. Use Incognito mode and clear browser cache.

Thank you for the detailed response; I’m just an idiot. I have a split DNS for that domain in the location I was testing, and an always-on VPN with the same split DNS when outside that location. As soon as I got off that LAN and VPN it works perfectly.
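
The root cause found in this thread was a split DNS handing the test machine different answers from those a public resolver returns. The script below is an added example, not written by anyone in the thread, that compares the two answer sets; the function names, verdict strings and the sample internal address are assumptions constructed for illustration.

```bash
#!/bin/sh
# Added example: flag split-horizon DNS by comparing the answers of the
# system resolver with those of a public resolver (1.1.1.1, as in the thread).
# Function names and verdict strings are hypothetical, chosen for this example.

# Succeeds for RFC 1918, loopback, link-local and CGNAT (100.64.0.0/10) IPv4.
is_private_ip() {
  case "$1" in
    10.*|127.*|192.168.*|169.254.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*) return 0 ;;
  esac
  return 1
}

# classify_dns LOCAL_ANSWERS PUBLIC_ANSWERS (whitespace-separated IPv4 lists)
# Prints: consistent | split-dns-private | split-dns-mismatch | local-no-answer
classify_dns() {
  local_ans=$1; public_ans=$2; overlap=0
  if [ -z "$local_ans" ]; then echo "local-no-answer"; return 0; fi
  for ip in $local_ans; do
    if is_private_ip "$ip"; then echo "split-dns-private"; return 0; fi
    # Exact, literal match of this address against the public answer set.
    if printf '%s\n' $public_ans | grep -qxF "$ip"; then overlap=1; fi
  done
  if [ "$overlap" -eq 1 ]; then echo "consistent"; else echo "split-dns-mismatch"; fi
}

# Live check: needs dig and network access. Keeps only IPv4 lines so CNAME
# targets in +short output are ignored.
check_host() {
  host=$1; resolver=${2:-1.1.1.1}
  sys=$(dig +short A "$host" | grep -E '^[0-9]+(\.[0-9]+){3}$' || true)
  pub=$(dig +short A "$host" "@$resolver" | grep -E '^[0-9]+(\.[0-9]+){3}$' || true)
  classify_dns "$sys" "$pub"
}

# Offline demonstration. PUBLIC is a subset of the answers shown in the thread;
# 10.20.30.40 is a constructed stand-in for an internal split-DNS answer.
PUBLIC="104.21.32.1 104.21.48.1 104.21.96.1"
demo() {
  echo "on LAN/VPN:  $(classify_dns "10.20.30.40" "$PUBLIC")"
  echo "off LAN/VPN: $(classify_dns "104.21.48.1" "$PUBLIC")"
}
demo
```

On a live machine, `check_host claytonandcory.com` runs the same comparison with real `dig` queries. If it reports a split, `curl --resolve host:443:<public IP>` pins the connection to a public answer while keeping the same SNI, which separates a resolver problem from a certificate problem.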
