namecheap DNS config does not work with https on Heroku custom domain

3

14

I'm very confused about how to set up Namecheap and Heroku so they work together to serve custom domains over https.

I'm using the Heroku SSL beta. By the end of the configuration, Heroku has updated its domain map like this:

myapp.com        myapp.com.herokudns.com
www.myapp.com    wwww.myapp.com.herokudns.com

The SSL certificate has been added to Heroku successfully; I know this because I can access https://myapp.herokuapp.com with a green padlock.

The next step should be modifying the Namecheap DNS. I followed this tutorial.

The entries I added are:

CNAME Record    www    myapp.herokuapp.com
URL Redirect    @      https://www.myapp.com

That should be it, but it doesn't work as I expected.

If I type myapp.com, it goes to https://www.myapp.com (so the redirect works), but without a padlock.

The same if I go to https://www.myapp.com directly.

I'm sure it's not because the change hasn't taken effect yet, because I have messed around with other domains and it already took effect after 5 min or so.

Can someone please tell me what is the problem?

Uneducated answered 3/6, 2016 at 14:41 Comment(2)
Whoever down voted, care to explain why? - Uneducated
Check out this answer here: https://mcmap.net/q/334985/-force-my-heroku-app-to-use-ssl-https - Premillenarian
7

I found out what's wrong: after uploading the SSL certificate to Heroku, I should stop using myapp.herokuapp.com and instead use myapp.com.herokudns.com, so in Namecheap's DNS config I should have the following:

CNAME Record    @        myapp.com.herokudns.com
CNAME Record    www      www.myapp.com.herokudns.com

I don't think the redirect is necessary (even in Namecheap's documentation it says you should not set a CNAME on the bare domain, but should redirect www instead). I tried to use a URL redirect record www https://myapp.com to replace the www CNAME record, but it won't work.

Besides, when I created the certificate with Let's Encrypt, I only certified the domain myapp.com but forgot www.myapp.com, so when accessing the www domain, the browser complains that the certificate is from myapp.com. Once I expanded the certificate to cover www.myapp.com, with the above config, all domains work fine with a green padlock.

Uneducated answered 3/6, 2016 at 18:13 Comment(1)
What I did for the URL Redirect Record was set it up from domain.com to www.domain.com - Gage
2

Your solution (using CNAME for @) in Namecheap works for https fwding to amazon ELB instances too. My domain is served by Namecheap. Their recommendation (incorrect as you pointed out) was to URL fwd https traffic for my domain (x.com) to my amazon elb instance (which has my ssl cert for x.com). URL fwding gets a conn refused error from NameCheap's servers.

Using a CNAME for @ displays a nice green secure seal for https URLs. I also added a CNAME www to the same amazon elb instance for non-https traffic.

Brochette answered 5/10, 2016 at 20:24 Comment(0)
1

You redirect to https://www.myapp.com. The browser expects a certificate for www.myapp.com there, but according to your description there is only a certificate for myapp.herokuapp.com. Because the hostname in the URL does not match the subject of the certificate, the browser complains about the bad certificate.

Ecclesiastes answered 3/6, 2016 at 15:14 Comment(8)
That makes sense, so in this case I cannot have a URL redirect record? - Uneducated
@swang: you could redirect to https://myapp.herokuapp.com, i.e. the host which has a valid certificate. Then the URL would match the certificate. - Ecclesiastes
Actually, if the redirect is the problem, why doesn't www.myapp.com work either? Shouldn't that just be routed by the CNAME record? Besides, the certificate I have is from Let's Encrypt and it's certifying myapp.com, not myapp.herokuapp.com. - Uneducated
@swang: redirect is HTTP, CNAME is DNS. Redirect changes URL, CNAME does not. For the certificate validation the hostname in the URL is relevant. - Ecclesiastes
I get that, that's my point. For example, now I have deleted the URL redirect record and my Namecheap DNS only has one CNAME record on www. When I type https://myapp.com it can no longer find the page, but when I type https://www.myapp.com there is still no padlock. - Uneducated
@swang: when you type https://www.myapp.com it expects the certificate to be for www.myapp.com but there is no such certificate. The CNAME does not change the URL, it is only used to find the target IP address for the connection. - Ecclesiastes
I see, but if I change the CNAME record to @, which means https://myapp.com will go through, Safari says the certificate is for myapp.herokuapp.com. However, my Let's Encrypt certificate is definitely issued for myapp.com, why is that? - Uneducated
@swang: obviously the server is not serving your certificate. I have no idea how exactly you set up your certificate at the server, what kind of messages you got and if there were any error messages. I cannot look at the Heroku configuration for your site and I cannot even find out the publicly visible configuration since the URL is unknown to me. - Ecclesiastes
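
The two conditions the thread converges on (in the answer above and in the accepted answer: each hostname's CNAME points at its herokudns.com target, and the certificate names every hostname a user can type) can be checked mechanically. The sketch below is an added example, not code from any poster; the function names are assumptions, and the sample records are constructed from the thread's placeholder domain myapp.com.

```python
import socket
import ssl

def name_matches(hostname, pattern):
    """RFC 6125-style match: '*' may stand only for the whole left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat

def covered(hostname, sans):
    return any(name_matches(hostname, san) for san in sans)

def audit(records, sans):
    """records: {hostname: CNAME target}. Returns a list of (hostname, problem)."""
    findings = []
    for host, target in records.items():
        if target.rstrip(".").endswith(".herokuapp.com"):
            findings.append((host, "CNAME targets herokuapp.com, not the herokudns.com name"))
        if not covered(host, sans):
            findings.append((host, "certificate has no SAN for this hostname"))
    return findings

def fetch_sans(hostname, port=443, timeout=5):
    """Live check (needs network): DNS SANs of the certificate served for hostname.
    The chain is still verified; only the hostname check is disabled so that a
    mismatching certificate can be inspected instead of aborting the handshake."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

# Constructed sample data mirroring the thread's records before and after the fix.
BEFORE = {"www.myapp.com": "myapp.herokuapp.com"}
AFTER = {"myapp.com": "myapp.com.herokudns.com",
         "www.myapp.com": "www.myapp.com.herokudns.com"}

if __name__ == "__main__":
    for label, recs, sans in [("before", BEFORE, ["myapp.com"]),
                              ("after", AFTER, ["myapp.com", "www.myapp.com"])]:
        print(label, audit(recs, sans) or "ok")
```

Against a live site, pass the result of `fetch_sans("www.myapp.com")` as the `sans` argument to see which names the served certificate actually carries.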
