namecheap DNS config does not work with https on Heroku custom domain

Question

I'm very confused with how to setup namecheap and heroku so they work together to serve custom domains over https.

I'm using heroku ssl beta, by the end of the configuration, heroku has updated its domain map like this:

myapp.com        myapp.com.herokudns.com
www.myapp.com    wwww.myapp.com.herokudns.com

The ssl certificate has been added to heroku successfully, I know it because I can access https://myapp.herokuapp.com with a green padlock.

The next step should be modifying namecheap DNS, I followed this tutorial

The entries I added are:

CNAME Record    www    myapp.herokuapp.com
URL Redirect    @      https://www.myapp.com

That should be it, but it doesn't work as I expected.

If I type myapp.com, it goes to https://www.myapp.com (so the redirect works), but without a padlock.

The same if I go to https://www.myapp.com directly.

I'm sure it's not because the change hasn't taken effect yet, because I have messed around with other domains and it already take effect after 5min or so.

Can someone please tell me what is the problem?

Checkout this answer here https://stackoverflow.com/a/58144352/5327882 — ronatory, Sep 28 '19 at 08:50

swang · Accepted Answer · 2016-06-03T22:41:53.253

I found out what's wrong, after uploading ssl certificate to heroku, I should stop using myapp.herokuapp.com, instead use myapp.com.herokudns.com, so in namecheap's DNS config, I should have the following:

CNAME Record    @        myapp.com.herokudns.com
CNAME Record    www      www.myapp.com.herokudns.com

I don't think the redirect is necessary (even in Namecheap's document it says you should not set CNAME on bare domain, but should redirect www instead). I tried to use URL redirect record www https://myapp.com to replace the www CNAME record but it won't work.

Besides, when I created the certificate with lets encrypt, I only certificated domain myapp.com, but forgot www.myapp.com, so when access www domain, the browser complains certificate is from myapp.com, once I expanded the certificate to cover www.myapp.com, with the above config, all domains works fine with a green padlock.

What I did for URL Redirect Record was set it up domain.com to www.domain.com — Esteban Morales, Jul 21 '18 at 21:44

score 2 · Answer 2 · answered Oct 05 '16 at 20:24

Your solution (using CNAME for @) in Namecheap works for https fwding to amazon ELB instances too. My domain is served by Namecheap. Their recommendation (incorrect as you pointed out) was to URL fwd https traffic for my domain (x.com) to my amazon elb instance (which has my ssl cert for x.com). URL fwding gets a conn refused error from NameCheap's servers.

Using a CNAME for @ displays a nice green secure seal for https URLs. I also added a CNAME www to the same amazon elb instance for non-https traffic.

score 1 · Answer 3 · answered Jun 03 '16 at 15:14

1

You redirect to https://www.myapp.com. The browser expects a certificate for www.myapp.com there but according to your description there is only a certificate for myapp.herokuapp.com. Because the hostname in the URL does not match the subject of the certificate the browser complains about the bad certificate.

answered Jun 03 '16 at 15:14

Steffen Ullrich

114,247
10
131
172

that makes sense, so in this case I can not have a URL redirect record? – swang Jun 03 '16 at 15:23
@swang: you could redirect to `https://myapp.herokuapp.com`, i.e. the host which has a valid certificate. Then the URL would match the certificate. – Steffen Ullrich Jun 03 '16 at 15:36
actually, if redirect is the problem, why `www.myapp.com` doesn't work either? shouldn't that be just routed by CNAME record? Besides, the certificate I have is from letsencrypt and it's certificating myapp.com not myapp.herokuapp.com. – swang Jun 03 '16 at 15:42
@swang: redirect is HTTP, CNAME is DNS. Redirect changes URL, CNAME does not. For the certificate validation the hostname in the URL is relevant. – Steffen Ullrich Jun 03 '16 at 15:53
I get that, that's my point, for example now I have deleted the URL redirect record, my namecheap dns only has one CNAME record on www, when I type `https://myapp.com` it can no longer find the page, but when I type `https://www.myapp.com` there is still no padlock – swang Jun 03 '16 at 15:59
@swang: when you type `https://www.myapp.com` it expects the certificate to be for `www.myapp.com` but there is no such certificate. The CNAME does not change the URL, it is only used to find the target IP address for the connection. – Steffen Ullrich Jun 03 '16 at 16:13
I see, but if I change the CNAME record to @, which means `https://myapp.com` will go through, but safari says the certificate is for myapp.herokuapp.com, however, my lets encrypt certificate is definitely issued for myapp.com, why is that? – swang Jun 03 '16 at 16:26
@swang: obviously the server is not serving your certificate. I have no idea how exactly you setup your certificate at the server, what kind of messages you got and if there were any error messages. I can not look at the heroku configuration for your site and I can not even find out the public visible configuration since the URL is unknown for me. – Steffen Ullrich Jun 03 '16 at 17:48

namecheap DNS config does not work with https on Heroku custom domain

3 Answers3