Trying to add MTA-STS, but the addition of mta-sts on one of the subdomains means SSL is broken for it, so MTA-STS fails.
What steps have you taken to resolve the issue?
Nothing. Can’t really afford to be paying 10 a month to get SSL cert coverage and certainly can’t afford the business plan, as it’s not something I need or can afford.
So the option to upload my own purchased certificate is out, as I have to be on a business plan for that, and it seems Cloudflare don’t sell individual certificates and I have to go the subscription route. As it’s really just used for DNS settings, there is no end server to install a cert on.
Was the site working with SSL prior to adding it to Cloudflare?
No
What is the current SSL/TLS setting?
Flexible
What are the steps to reproduce the issue?
Add DNS records for MTA-STS, create a worker to use with it and apply it to the domain - then get an SSL error as it’s gone over the domain levels.
Any ideas, or am I just going to have to leave the SimpleLogin side without MTA-STS?
You might be able to use a Worker with a Custom Domain. That should issue the cert for you, then all you’d need is a Worker like this that returns the plain text for .well-known/mta-sts.txt:
And change content-type to be text/plain;charset=UTF-8
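An added example of such a Worker (not the code from the reply above or from Cloudflare): it serves the policy only at /.well-known/mta-sts.txt with the text/plain;charset=UTF-8 content type. The MX hostnames and max_age are constructed placeholders; use the MX hosts your mail provider actually publishes.

```javascript
// Constructed MTA-STS policy values for a hypothetical domain (placeholders).
// Start with mode "testing" while you verify TLS reports, then switch to "enforce".
const POLICY = {
  mode: "enforce",
  mxHosts: ["mx1.example.com", "mx2.example.com"],
  maxAge: 604800, // seconds a sender may cache the policy (7 days)
};

const CONTENT_TYPE = "text/plain;charset=UTF-8";
const POLICY_PATH = "/.well-known/mta-sts.txt";

// Build the policy body in the RFC 8461 key: value layout with CRLF line endings.
function buildPolicy({ mode, mxHosts, maxAge }) {
  const lines = ["version: STSv1", `mode: ${mode}`];
  for (const mx of mxHosts) lines.push(`mx: ${mx}`);
  lines.push(`max_age: ${maxAge}`);
  return lines.join("\r\n") + "\r\n";
}

// Pure routing so the behaviour is testable: only GET of the policy path is served.
// Everything else is refused, so the Worker cannot be turned into a generic file host.
function route(method, pathname) {
  if (method !== "GET") return { status: 405, body: "method not allowed\r\n" };
  if (pathname !== POLICY_PATH) return { status: 404, body: "not found\r\n" };
  return { status: 200, body: buildPolicy(POLICY) };
}

// Worker entry point. In the deployed script this object is the module's
// default export (export default worker). Note that senders will only honour the
// policy if https://mta-sts.<domain> presents a valid certificate for that hostname,
// which is the whole point of the Custom Domain discussed in this thread.
const worker = {
  async fetch(request) {
    const { pathname } = new URL(request.url);
    const { status, body } = route(request.method, pathname);
    return new Response(body, {
      status,
      headers: {
        "content-type": CONTENT_TYPE,
        "cache-control": "public, max-age=3600",
      },
    });
  },
};
```

Remember that the Worker only publishes the policy; senders discover it through the separate _mta-sts.<domain> TXT record, whose id value must change whenever the policy body changes.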
I have done all that, however the resulting URL for the MTA-STS lookup is https://mta-sts.id.wjhome.uk which goes over what the free SSL covers hence the SSL failure.
The location pointing to the worker in the DNS settings ends up at slogin.wheeljack-cloudflare.workers.dev, which is also over (although I don’t know about SSL cover on the workers side of things).
I’ve taken it all down for now, leaving the MTA-STS setup on the main domain as that has no issues. Wishing I hadn’t set it up this way but this was done before moving to Cloudflare. I would have MANY email changes to do, and it was painful enough the first and second time I changed things. (email aliases).
I suspect you did something wrong, because if you set up a Custom Domain in Workers, it won’t be using your Universal SSL. It uses SSL for SaaS (Custom Hostnames) for Workers.dev.
I just set it up on a no-plan free test account, and it issued its own Advanced Certificate. And to be perfectly clear, this test account does not have a subscription to ACM. Nothing paid for at all in that account.
Set it all up again, and as you state, the script works fine with the worker URL, but it doesn’t seem to like the mta-sts.id CNAME pointing to it, as I still have the SSL issue.
The worker is fine. It does what it is meant to do. If there is something wrong, it may be the routing. As for the DNS entries, I’ve done the same thing across other domains with the exact same setup with no issues. This is the only one that adds an extra (sub) domain to things.
What should I be doing then? I have a worker there which is presenting what it needs to present, so how do I now incorporate it? I created the worker then added a route, then do the CNAME.
I assume I’m doing the route right as it works for the others I’ve done (4 in total), but where am I going wrong? I realize this is probably frustrating for you, but this is my first time dealing with this, so please be gentle with me.
Ok…when you use a Custom Domain for a Worker, you don’t create a DNS record and a route. That’s the manual way to route traffic to a Worker, and is only necessary if you need to specify the path(s) that route to that Worker.
A Custom Domain means that Workers creates the DNS record for you, and then deploys its own certificate for it.
To step back a bit, please delete that CNAME record for mta-sts.id.
Also, delete the Worker Route for mta-sts.id, etc.
Go into your Worker, and use the Settings Menu to + add a Custom Domain:
So instead of using the workers.dev side of things, I am creating the full FQDN for the mta-sts?
Jeez, can’t believe I didn’t see the custom domain thing in worker settings.