Still having issues with custom domain in Pages
Came here from Cloudflare Community. Have tried the documentation in troubleshooting. Attached the screenshot of the result of the command. Domain is stutastic.pages.dev. Already have one domain active but wish to have other domains pointing to their respective branches. The domains I am troubleshooting are v1.stutastic.danplace.tech and v3.stutastic.danplace.tech
6 Replies
You have CAA records on stutastic.danplace.tech because it's a CNAME to github.io. CAA records are looked for recursively, and follow CNAMEs, ex:
dig stutastic.danplace.tech caa
Cloudflare picks between using Let's Encrypt or GTS/Google. It looks like for the dev subdomain you just got lucky and it picked LE, but for the others it's trying GTS and failing.
If v1/v3 are proxied, you can create CAA records on the same label, you need these ones:
https://developers.cloudflare.com/pages/platform/debugging-pages/#missing-caa-records
Most importantly, pki.google and letsencrypt.org. Set those, wait a bit, and re-add the custom domain.
Source on CAA records behavior if you're curious:
Note that the CA will always respect the CAA record closest to the domain name it is issuing a certificate for. So if you’re requesting a cert for “www.community.example.org”, the CA will check “www.community.example.org”, then “community.example.org”, then “example.org”, stopping at the first CAA record it finds. This means that you can override CAA for subdomains. For example, suppose that you host “example.org” yourself, but have “api.example.org” on a cloud provider. You could use a CAA record on “example.org” to say that only Let’s Encrypt can issue for that domain and all of its subdomains, but also use a CAA record on “api.example.org” to override that and allow the cloud provider to issue certificates for that one subdomain. Note also that CAA checking follows CNAME redirects, just like all other DNS requests. If “community.example.org” is a CNAME to “example.forum.com”, the CA will respect any CAA records that are set on “example.forum.com”. It is not allowed for a domain name with a CNAME record to have any other records, so there cannot be conflicts between CAA records on the original name and CAA records on the target of the redirect.
https://letsencrypt.org/docs/caa/
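The lookup described in the reply and in the Let's Encrypt quote above, as an added example that is not part of the original thread: it climbs from the requested name toward the root, follows CNAMEs at each step, and stops at the first CAA set it finds. The zone data is constructed ("example-user.github.io" and all CAA values are placeholders), and the check is narrowed to non-wildcard "issue" records.

```python
# Constructed zone data modelling the thread. "example-user.github.io" and every
# CAA value below are placeholders, not records taken from the page.
ZONE = {
    "v1.stutastic.danplace.tech": {"CNAME": "stutastic.pages.dev"},
    "v3.stutastic.danplace.tech": {"CNAME": "stutastic.pages.dev"},
    "stutastic.danplace.tech": {"CNAME": "example-user.github.io"},
    "example-user.github.io": {"CAA": [("issue", "letsencrypt.org"),
                                       ("issue", "digicert.com")]},
}
# After the fix: v1 is proxied, so CAA records sit on the v1 label itself.
FIXED = dict(ZONE)
FIXED["v1.stutastic.danplace.tech"] = {"CAA": [
    ("issue", "letsencrypt.org"),
    ("issue", "pki.goog; cansignhttpexchanges=yes"),
]}


def caa_at(zone, name, max_hops=8):
    """CAA RRset a resolver returns for `name`, following CNAMEs."""
    for _ in range(max_hops):
        records = zone.get(name, {})
        if "CNAME" not in records:
            return records.get("CAA", [])
        name = records["CNAME"]
    return []  # CNAME loop or over-long chain: treat as no answer


def relevant_caa(zone, name):
    """Climb from `name` toward the root; the first non-empty RRset wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = caa_at(zone, candidate)
        if rrset:
            return candidate, rrset
    return None, []


def may_issue(zone, name, ca):
    """Return (allowed, label where the deciding CAA set was found)."""
    found_at, rrset = relevant_caa(zone, name)
    # Strip parameters after ';' so "pki.goog; x=y" compares as "pki.goog".
    issuers = [v.split(";")[0].strip().lower() for tag, v in rrset if tag == "issue"]
    return (not issuers or ca.lower() in issuers), found_at
```

With the constructed data, a CA that is not listed on the CNAME target of the parent label is refused for v1 and v3 until a CAA set exists on the subdomain's own label.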
How do I create the CAA records? Do I have to do it on the stutastic.danplace.tech domain, or could I just set it on the v1.stutastic.danplace.tech domain? Sorry for asking, because I really don't understand the technical side behind this. I'll be sure to check and search the internet first.
I have fixed the issue by following this page https://developers.cloudflare.com/ssl/edge-certificates/caa-records/. Thanks 🙂
Btw, another question. The reason I used many domains is to assign them to different branches. How do I link them? Do they link automatically?
Also fixed by this page https://developers.cloudflare.com/pages/how-to/custom-branch-aliases/. Thanks 🙂