Support #11493

open

Domain Mapping Request - Talia Schaffer

Added by scott voth almost 5 years ago. Updated over 4 years ago.

Status: Reporter Feedback
Priority name: Normal
Assignee:
Category name: Domain Mapping
Target version:
Start date: 2019-05-26
Due date:
% Done: 0%
Estimated time:
Deployment actions:

Description

Please map taliaschaffer.com to taliaschaffer.commons.gc.cuny.edu

I believe she has made the changes on her side.


Files

image001.jpg (353 KB) scott voth, 2019-06-03 08:38 AM
Screen Shot 2019-06-04 at 1.03.40 PM.png (94.4 KB) Matt Gold, 2019-06-04 01:04 PM

Actions #1

Updated by scott voth almost 5 years ago

  • Category name set to Domain Mapping
Actions #2

Updated by Boone Gorges almost 5 years ago

  • Status changed from New to Reporter Feedback

Hi Scott - I'm not seeing the proper DNS on my end: https://www.misk.com/tools/#dns/taliaschaffer.com Could you reconfirm with the user?

Actions #3

Updated by Boone Gorges almost 5 years ago

  • Target version set to Not tracked
Actions #4

Updated by scott voth almost 5 years ago

Sent her a note but haven't heard back yet.

Actions #5

Updated by scott voth almost 5 years ago

Talia has the "www" CNAME record pointed to the Commons, but when she tries to enter the bare domain name, she gets the error message: "taliaschaffer.com. already has a SOA record. You may not mix CNAME records with other records for the same name."

Maybe she could change the A Record?

Actions #6

Updated by Boone Gorges almost 5 years ago

Ah, thanks, Scott. Yes, she'll need to create an A record. This is the new policy from IT, who needs bare domains pointing to the Commons for the purposes of SSL support. See https://redmine.gc.cuny.edu/issues/11190#note-12 and follow-up comments. So I believe the required setup is:

1. A record pointing to 146.96.128.200
2. www should be a redirect to the bare domain
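
The registrar's error in comment #5 and the A-record setup requested above can be checked mechanically. The following Python sketch is an added example, not part of the ticket: it flags any name that carries a CNAME alongside other records and confirms the bare domain's A record points at the Commons address. The SOA and NS values and the helper names are constructed for illustration.

```python
# Added illustration; the zones below are constructed, not real zone data.
COMMONS_IP = "146.96.128.200"  # address given in the ticket

def _norm(name):
    return name.lower().rstrip(".")

def cname_conflicts(records):
    """Names that hold a CNAME together with any other record type.

    Simplified: ignores the DNSSEC types that may sit beside a CNAME.
    """
    types_by_name = {}
    for name, rtype, _value in records:
        types_by_name.setdefault(_norm(name), set()).add(rtype.upper())
    return sorted(n for n, t in types_by_name.items()
                  if "CNAME" in t and len(t) > 1)

def check_mapping(records, apex, target_ip=COMMONS_IP):
    """Return a list of problems; an empty list means the apex is set up as requested."""
    problems = [f"{n}: CNAME mixed with other records" for n in cname_conflicts(records)]
    apex_a = [v for n, t, v in records if _norm(n) == _norm(apex) and t.upper() == "A"]
    if apex_a != [target_ip]:
        problems.append(f"{_norm(apex)}: A record is {apex_a or 'missing'}, expected {target_ip}")
    return problems

# Constructed SOA/NS data (hypothetical registrar name servers).
SOA = ("taliaschaffer.com.", "SOA",
       "ns1.registrar.example. hostmaster.registrar.example. 1 3600 600 86400 3600")
NS = ("taliaschaffer.com.", "NS", "ns1.registrar.example.")

# What the registrar UI refused: a CNAME at the bare domain, next to SOA/NS.
REJECTED = [SOA, NS, ("taliaschaffer.com.", "CNAME", "commons.gc.cuny.edu.")]
# What the ticket asks for instead: an A record at the bare domain.
REQUESTED = [SOA, NS, ("taliaschaffer.com.", "A", COMMONS_IP)]

if __name__ == "__main__":
    for label, zone in (("rejected", REJECTED), ("requested", REQUESTED)):
        print(label, check_mapping(zone, "taliaschaffer.com") or "ok")
```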

Actions #7

Updated by scott voth almost 5 years ago

Hi Boone - Talia has made the changes. Can you check them out?

Actions #8

Updated by Boone Gorges almost 5 years ago

  • Assignee set to Matt Gold

taliaschaffer.com looks good to me. Matt, can you please pass the request to IT?

Actions #9

Updated by Matt Gold almost 5 years ago

request sent

Actions #10

Updated by Boone Gorges almost 5 years ago

The mapping is complete: https://taliaschaffer.com/

The www redirect doesn't appear to be set up properly; I don't see any DNS records for it. See https://stackoverflow.com/questions/7354211/redirect-a-subdomain-to-a-specific-url-using-dns#comment30519856_7354236

Actions #11

Updated by scott voth almost 5 years ago

Talia seems to have the www redirect set correctly - see screenshot. But www.taliaschaffer.com is still not resolving correctly.

Actions #12

Updated by Boone Gorges almost 5 years ago

The UI in the screenshot you've shared is pretty confusing - I don't understand why they don't have a more straightforward "redirect such-and-such a subdomain to a specific URL" interface. Can you tell me the name of the registrar, to see if I can find any information in their help documentation?

Actions #13

Updated by scott voth almost 5 years ago

Her provider is SiteGround, which uses cPanel.

Actions #14

Updated by Boone Gorges almost 5 years ago

I can't find any information specific to SiteGround, but here's a tutorial on setting up redirection in cPanel. You'd need a www subdomain first, then configure it to redirect as shown. https://www.jetserver.net/cpanel-redirect-subdomain Does this match what Talia sees?

Actions #15

Updated by scott voth almost 5 years ago

Hi Boone - Talia contacted her provider. I am not sure what they did (I have asked her to provide details), but now the bare domain is not working. Here is their response:
SiteGround tech support says:

The domain taliaschaffer.com is not resolving to your SiteGround account:

Code:

    taliaschaffer.com.    14400    IN    A    146.96.128.200

Code:

    Stefan-Stefanov:~ stefanstefanov$ host 146.96.128.200
    200.128.96.146.in-addr.arpa domain name pointer commons.gc.cuny.edu.

In that sense, you should install the SSL certificate at the control panel at the remote host at 146.96.128.200

Actions #16

Updated by Boone Gorges almost 5 years ago

The bare domain is working for me, and https://www.misk.com/tools/#dns/taliaschaffer.com shows that the A record continues to point to the Commons IP address. If they made a change, it hasn't propagated to me yet.

I don't think the SiteGround representative understands what's being requested. For one thing, he indicates "the domain ... is not resolving to your SiteGround account". But this is exactly the point: she's using their DNS but is not hosting the site there. For another, the request was not for them to provide an SSL certificate; instead, all we want is for www.taliaschaffer.com to redirect or forward to taliaschaffer.com. Under normal circumstances (i.e. not on the Commons) we would simply create a CNAME record pointing to commons.gc.cuny.edu, but this won't work in this case because IT does not want to manage two separate certificates (for the bare domain + www) for a given domain.

Actions #17

Updated by scott voth almost 5 years ago

I cleared my cache and now it is working for me too. Sorry about that. False alarm. I will let you know when Talia responds.

Actions #18

Updated by Matt Gold almost 5 years ago

FYI, taliaschaffer.com worked for me. www.taliaschaffer.com DID NOT redirect to taliaschaffer.com, and as a result, I saw the attached security warning. After clicking through I got to the www site without SSL protection.

Actions #19

Updated by Boone Gorges almost 5 years ago

Matt Gold wrote:

FYI, taliaschaffer.com worked for me. www.taliaschaffer.com DID NOT redirect to taliaschaffer.com, and as a result, I saw the attached security warning. After clicking through I got to the www site without SSL protection.

This is what we're trying to fix. www.taliaschaffer.com is pointing to the Commons IP address, but the Commons does not have an SSL certificate for it - it's been Lihua's policy to grant only a single certificate per domain, not for the www. subdomain. This is why we're asking the user to set up a registrar-level redirect to https://taliaschaffer.com, so that no second certificate is required.
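
Why a certificate issued for the bare domain produces a warning on www can be shown with the name-matching rule browsers apply to a certificate's subject alternative names. The Python sketch below is an added example, not part of the ticket; the three SAN lists are constructed, and the matcher is a simplified version of the RFC 6125 rule (exact match, or a `*` standing in for exactly one left-most label).

```python
# Added illustration; SAN lists are constructed, not read from a real certificate.
def _labels(name):
    return name.rstrip(".").lower().split(".")

def san_matches(pattern, hostname):
    """True if one SAN entry covers hostname.

    A wildcard is honoured only as the entire left-most label and
    stands for exactly one label, so it never covers the bare domain.
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least two fixed labels so "*.com" matches nothing.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def covered(san_list, hostname):
    return any(san_matches(s, hostname) for s in san_list)

def coverage_report(san_list, hostnames):
    """Map each hostname to whether the certificate would validate for it."""
    return {h: covered(san_list, h) for h in hostnames}

HOSTS = ["taliaschaffer.com", "www.taliaschaffer.com"]

CERTS = {
    # One name per domain, as the policy described above provides.
    "bare only": ["taliaschaffer.com"],
    # A wildcard alone covers www but not the bare domain.
    "wildcard only": ["*.taliaschaffer.com"],
    # A multi-name certificate covers both hostnames.
    "bare + www": ["taliaschaffer.com", "www.taliaschaffer.com"],
}

if __name__ == "__main__":
    for label, sans in CERTS.items():
        print(f"{label:14} {coverage_report(sans, HOSTS)}")
```

With the "bare only" list, any HTTPS request to the www name fails validation before a redirect served from that host could be delivered.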

Actions #20

Updated by Matt Gold almost 5 years ago

aha. thanks and sorry for my confusion.

Actions #21

Updated by scott voth almost 5 years ago

Talia is still trying to get this to work:

OK, I spent nearly an hour chatting to SiteGround tech support and I have been doing some reading on my own.

It looks like, in order to redirect https://www.taliaschaffer.com to https://taliaschaffer.com, I need to install an SSL certificate at SiteGround, because the redirection requires the execution of code on their servers. But I cannot install a certificate for this domain at SiteGround when the A Record points to commons.gc.cuny.edu.

So now there appear to be two options:

(1) The Grad Center obtains a certificate that encompasses www.taliaschaffer.com and not just the bare domain. My husband, for his own site, uses Let’s Encrypt, which issues for multiple domains or wildcards within a single domain name.

(2) I will need to migrate my site to SiteGround.

What do you think?

thanks, Talia

The original problem with the CNAME record was because taliaschaffer.com has an SOA record. Could we get rid of the SOA record, and use CNAME?

Or could there be an exception to IT's policy about the SSL certificate?

This seems to be a never ending ticket...

Actions #22

Updated by Boone Gorges almost 5 years ago

I've sent a message to IT to figure out the best way forward for Talia and for other users with a similar setup.

Actions #23

Updated by scott voth over 4 years ago

Just to summarize this ticket, Talia's registrar (SiteGround) uses cPanel, and it does not allow forwarding or redirection of www subdomains.

So https://taliaschaffer.com/ works fine, but https://www.taliaschaffer.com throws an SSL warning, since IT only supports SSL certificates for the bare domain.

Talia is asking for an update on this issue. She does not like the idea of switching to a different registrar. But that seems the only option other than hosting her own site.

What should we say to members who have this issue? Is it possible to get IT to bend their policy?

Actions #24

Updated by Boone Gorges over 4 years ago

I had an exchange with Lihua about this shortly after the last update, but I can't seem to find it - I must have accidentally deleted the message. Ray or Matt, if you were CCed on it, would you please forward it to me?

The gist of the message, from what I recall, is that IT is not eager to bend the policy, in part because they are not officially in the business of hosting "external" sites ("external" in the sense that these are not cuny.edu properties). Users in this situation who are not able to set up redirects at the registrar level have several options:

1. Don't use the www. subdomain at all. If users try to visit https://foo.taliaschaffer.com/ or some other arbitrary subdomain, it won't work; www is a "special" subdomain by convention but not from a technical point of view. So, when sharing the URL with others, be sure not to include the www. prefix.
2. Purchase a webhosting plan (perhaps with the registrar, in this case, since SiteGround is also a host), set up an SSL certificate for www.* (free with LetsEncrypt, and likely free or very cheap through SiteGround for an easier option), then place a small application in the webhosting directory that does nothing but redirect to the non-www version. Something like a file called index.php that contains the following:

<?php 
header( 'Location: https://taliaschaffer.com' );
die();
?>

This, essentially, is a homemade version of the "URL redirect" service that many registrars provide.

Actions #25

Updated by scott voth over 4 years ago

Hi Boone - It doesn't seem option # 2 will work in this case. See below:

Hi Scott,

Hmm, I started to do this and then realized we’d already tried it. In order to redirect https://www.taliaschaffer.com, I will need to get a certificate for this domain, because the code has to be executed at SiteGround to effect the redirect; the whole point of SSL is that the redirect can’t be handled by the DNS. But CUNY has already obtained a certificate for taliaschaffer.com, and I can’t get a certificate solely for www.taliaschaffer.com.

I understand that IT wants to discourage mapping to external sites, but given that we’ve tried every single other way to do this, and it has taken months of work – and given that it would be extremely easy for them to create the SSL certificate and fix the whole thing – please, can you ask them to do it in this case? Tell IT that we really have tried, but there just seems to be no way. And now that the semester is about to begin, I need to have my website operational. Maybe it’s important to serve CUNY people, not just CUNY sites?

thanks, Talia
