This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

SSL for subdomain A Record pointed to Google Cloud VM

Posted on 02-05-2024 02:25 PM
auburnham
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hello,
I have a domain managed by a hosting service, and a subdomain A Record in the hosting service cPanel Zone Editor pointed to the IP address of my Google Cloud VM.  I can access my Google Cloud VM service using the subdomain, but only without SSL. 

  • Is it possible to enable SSL with this configuration? 
  • If so, what would be the steps for completing this?
  • If not, is there something I can change in this setup to allow SSL?

Example to illustrate the question:

  • Subdomain: sub.example.com
  • Google Cloud VM IP: 1.2.3.4
  • Hosting service cPanel Zone Editor entry: Name = "sub.example.com.", Type = "A", Record = "1.2.3.4"
  • http://sub.example.com access is successful
  • https://sub.example.com access is unsuccessful

Additional details:

I'm currently using a FreeDNS subdomain from freedns.afraid.org to point to my Google Cloud VM IP, and SSL/https access works with that subdomain. Do I need to disable that afraid.org subdomain for my hosting service subdomain SSL to work correctly? 

For example, when I try to access my hosting service subdomain with SSL/https (e.g. https://sub.example.com in the scenario above), I get NET::ERR_CERT_COMMON_NAME_INVALID with a reference to the security cert from the afraid.org subdomain, even though I didn't type the afraid.org subdomain address, and the address should be pointing to the Google Cloud VM (i.e. afraid.org shouldn't be involved).

I appreciate any help that can be provided.

Solved Solved
1 4 669
Topic Labels
Jump to Solution
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
auburnham
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

I finally found a solution for my situation, so I'm updating it here in case it benefits others, and for my future reference.

Using the built-in SSH shell connection to my Google VM, I used the following commands:

  • sudo certbot --nginx -d "SUB.EXAMPLE.COM" --redirect --agree-tos --no-eff-email
  • sudo certbot renew --dry-run
  • sudo service nginx restart (Note: not sure this step is necessary)
  • sudo certbot certificates (Note: lists certificates, step for information only)

I also removed the previous freedns.afraid.org certificate using the following steps, although I'm not sure that was necessary:

  • terminal command: sudo certbot delete (Note: Follow the interactive menu to delete the correct certificate)
  • terminal command: sudo nano /etc/nginx/sites-enabled/default
  • deleted "server {...}" section for old certificate & saved file
  • Repeated nginx restart & certbot renew --dry-run commands (again, not sure this was necessary)

So far, everything is working as I had hoped.

View solution in original post

Jump to Solution
0 Likes
4 REPLIES 4

Posted on --/--/---- --:-- AM
Marvin_Lucero
Staff
Reply posted on --/--/---- --:-- AM

Hi @auburnham ,

The issue you're encountering is due to the SSL certificate being issued for the subdomain from freedns.afraid.org, not your hosting service subdomain. When you try to access your hosting service subdomain with SSL/https, the browser is trying to validate the SSL certificate, which is associated with the afraid.org subdomain. Since the SSL certificate is not valid for your hosting service subdomain, you're getting the NET::ERR_CERT_COMMON_NAME_INVALID error.

For your specific scenario, you should consider obtaining an SSL certificate from a Certificate Authority (CA) for your subdomain (e.g. sub.example.com) and install it on your Google Cloud VM. You may also use Google-managed certificates.

@auburnham wrote:

I'm currently using a FreeDNS subdomain from freedns.afraid.org to point to my Google Cloud VM IP, and SSL/https access works with that subdomain. Do I need to disable that afraid.org subdomain for my hosting service subdomain SSL to work correctly? 

Regarding your additional question, you don't necessarily need to disable your FreeDNS subdomain from afraid.org for your hosting service subdomain SSL to work correctly. However, since your hosting service subdomain and your FreeDNS subdomain both point to the same IP address, you should ensure that your SSL certificate is configured for your hosting service subdomain (e.g. sub.example.com) and not your FreeDNS subdomain (e.g. something.freedns.afraid.org). This is because the SSL certificate must match the domain name used to access the website.

Let me know if this helps.

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
auburnham
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hi @Marvin_Lucero ,

I really appreciate your help & feedback with my issue.  I had tried creating a Google-managed certificate for my sub.example.com subdomain prior to my post, but it resulted in a permanent 'FAILED_NOT_VISIBLE' status.  After your reply, I did more searching on that Certificate status result, and another helpful post of yours pointed to some reasons for that status, one of which might have been the subdomain A record was too new and had not sufficiently propagated when I tried creating the Google-managed certificate, which was a likely situation.

Therefore, I tried recreating the sub.example.com subdomain Google-managed certificate again using the Google Cloud console Certificate Manager after reading your reply & related post.  However, it has been nearly a week and while the certificate status still says "Provisioning", below that the domain status still says 'FAILED_NOT_VISIBLE'.  

Since the A record for this subdomain was created months ago, there should have been enough time for DNS record propagation to occur, so I'm not sure why I'm still getting this failure.

I'd greatly appreciate any other troubleshooting steps you can suggest that might help me find the problem.

Thanks & regards.

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
auburnham
Bronze 1
Bronze 1
In response to auburnham
Reply posted on --/--/---- --:-- AM

Hello community,
Just checking in to see if there were any other suggestions, or other support resources I could look into to resolve this problem.  The status is unchanged since my last post 2 weeks ago. The certificate status is "Provisioning" and the domain status is "FAILED_NOT_VISIBLE". I also checked to make sure the DNS A-record indeed points to the Google Cloud VM Instance External IP address.

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
auburnham
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

I finally found a solution for my situation, so I'm updating it here in case it benefits others, and for my future reference.

Using the built-in SSH shell connection to my Google VM, I used the following commands:

  • sudo certbot --nginx -d "SUB.EXAMPLE.COM" --redirect --agree-tos --no-eff-email
  • sudo certbot renew --dry-run
  • sudo service nginx restart (Note: not sure this step is necessary)
  • sudo certbot certificates (Note: lists certificates, step for information only)

I also removed the previous freedns.afraid.org certificate using the following steps, although I'm not sure that was necessary:

  • terminal command: sudo certbot delete (Note: Follow the interactive menu to delete the correct certificate)
  • terminal command: sudo nano /etc/nginx/sites-enabled/default
  • deleted "server {...}" section for old certificate & saved file
  • Repeated nginx restart & certbot renew --dry-run commands (again, not sure this was necessary)

So far, everything is working as I had hoped.

Jump to Solution
0 Likes