I have a .ai domain and I'm using Google Cloud DNS as the domain name servers. I'm also registered with G-Suite. My domain services work (e.g. www.example.com, mail.example.com), and the redirect works as well - but not with SSL.

From G-Suite admin -> domain section, I have set up root domain redirection: "Primary Domain" / "You can change your primary domain by switching it with an active secondary domain."

"Redirect the naked domain http://example.ai to http://www.example.ai"

Then I followed the "Changing the A-record for your domain" - I added the A-record (4 destination IPs) to my domain via Google Cloud DNS.

The redirection from http://example.ai to http://www.example.ai works correctly, but https://example.ai fails to connect.

I guess this makes sense because in order for this to work Google would need my SSL certificate. Any ideas if this is solvable? Note: I need this regardless of "Google App Engine".

Joel Coel
orcaman
  • Can you specify which provider your domain names are pointing to? Is it Google services or a third party? – Alex Mar 31 '17 at 20:10
  • Further to the above, can you also link to which docs you followed? The setup for the SSL cert is different depending on where your domains point to (eg. an App Engine app, a Google Sites site through GSuite, or a third party web host). Google only needs your cert if you're pointing to a service actually hosted by Google. – Adam Apr 02 '17 at 19:30
  • @Alex I have an A record over my root domain set up according to the G-Suite instructions. Those are IPs that allow G-Suite to manage the domain. For this reason I have a redirect rule on G-Suite to redirect the naked (root) domain to www.mydomain.com. I have a CNAME for www.domain.com pointing to Amazon S3. – orcaman Apr 05 '17 at 08:31
  • @Adam Please see my answer to Alex. Regarding docs: https://support.google.com/a/answer/2518373?hl=en – orcaman Apr 05 '17 at 08:32
  • Asked again here: https://serverfault.com/questions/896378/naked-domain-on-google-sites-new – Chris Aug 13 '19 at 18:20

1 Answer

The naked domain redirect docs apply only to Google Sites hosted websites:

> If you build a Google Site and map it to a custom address such as www.yourdomain.com...

It only works if your www record is already pointing to ghs.googlehosted.com, which in your case it isn't.

If your www record points to a site on Amazon S3, then you'd want to follow the documentation at Root Domain Support on Amazon S3 Hosted Websites. Since you're using Google for DNS only, you can treat it as any other DNS provider for configuration purposes without needing to give Google your TLS certificate.

Edit: Amazon does not provide A / AAAA records for root domain redirection, and instead requires you to use their own Route53 DNS service for this. Google's redirect is only intended to work with Google hosted services (because Google will have the TLS cert), otherwise you end up uploading your cert to multiple hosts if it works at all.

Glorfindel
Adam
  • Hi Adam, there are a few issues with your answer. First: my naked domain redirection already works! This is because Google Cloud DNS manages my DNS settings. It can perform the redirect from example.com to www.example.com *regardless of where the site is hosted*, which is why it works. The issue is that it doesn't work with SSL only. So I don't think this is related. Second: the docs you linked to on AWS request to switch the DNS provider to AWS Route53 (so that in fact I won't be using Google DNS anymore), which I'd rather avoid. – orcaman Apr 09 '17 at 07:30
  • Just took a look at the Amazon docs and did some research elsewhere - it seems Amazon does force you to use Route53 to use its root domain redirection. This means at best, you need to upload your cert to two different hosts. If [uploading the cert in the Cloud Console](https://cloud.google.com/appengine/docs/standard/python/console/using-custom-domains-and-ssl) does not work, your only supported option may be to use Amazon's DNS services. – Adam Apr 10 '17 at 18:34
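
Why the plain-HTTP redirect works while the HTTPS one cannot, as an added example that is not part of the original thread: an HTTPS redirect can only be sent after the TLS handshake for the apex name succeeds, so the redirecting host needs a certificate that covers example.ai. The SAN lists and front-end names are constructed placeholders, and the matcher is a simplified RFC 6125-style check.

```python
# Added illustration: SAN lists below are constructed, not real certificates.

def san_matches(hostname: str, pattern: str) -> bool:
    """RFC 6125-style match: '*' may stand only for the whole left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False          # '*.example.ai' never covers the apex 'example.ai'
    if pat[0] == "*":
        # Refuse wildcards directly under a TLD such as '*.ai'.
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat


def cert_covers(hostname: str, san_dns_names: list[str]) -> bool:
    """True if any DNS name in the certificate's SAN list covers hostname."""
    return any(san_matches(hostname, p) for p in san_dns_names)


def redirect_outcome(scheme: str, hostname: str, san_dns_names: list[str]) -> str:
    """What a client gets when it requests scheme://hostname from a redirect host."""
    if scheme == "http":
        return "redirect"     # no handshake: the redirect is sent in the clear
    if cert_covers(hostname, san_dns_names):
        return "redirect"     # handshake validates, then the redirect is delivered
    return "no-redirect"      # handshake cannot validate, so no HTTP response exists


# Constructed SAN lists for three hypothetical redirect front-ends.
PROVIDER_ONLY = ["redirect.provider.example"]   # host holds no cert for the domain
WILDCARD_ONLY = ["*.example.ai"]                # wildcard does not include the apex
APEX_AND_WWW = ["example.ai", "www.example.ai"]

if __name__ == "__main__":
    for name, sans in [("provider-only", PROVIDER_ONLY),
                       ("wildcard-only", WILDCARD_ONLY),
                       ("apex+www", APEX_AND_WWW)]:
        for scheme in ("http", "https"):
            print(f"{name:14} {scheme}://example.ai -> "
                  f"{redirect_outcome(scheme, 'example.ai', sans)}")
```
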