Unsuccessful in using Automated Certificate Management for domains hosted on Google Domains

风格不统一 posted on 2019-12-21 09:27:12

Question


I've followed Heroku's Automated Certificate Management instructions for generating an SSL certificate via LetsEncrypt (kudos to LetsEncrypt and heroku!!) for my Ruby Sinatra app but generation of the SSL certificate for my custom domain is failing.

After activating automated certificate management, the heroku domain name for my app changes from *.herokuapp.com to *.herokudns.com, as expected.

I've updated my Google Domain records accordingly, however Google Domain doesn't allow the domain root to be specified as a CNAME record. Instead the root needs to be pointed at http(s)://www.mycustomdomain.com via subdomain forwarding, i.e.

mycustomdomain.com --> http://www.mycustomdomain.com

When heroku's certificate generation process runs, it expects BOTH www.mycustomdomain.com and mycustomdomain.com to be verified. It seems that the fact that the domain root is pointed to the www address via subdomain forwarding is preventing the domain root from validating.

I'm GUESSING that this is causing generation of the custom domain SSL certificate to fail?

Before I check with heroku, I'm reaching out to the stackoverflow community in case anyone's encountered this and solved it?

Custom domain setup on heroku

user@machine1:~/projects/mycustomdomain$ heroku domains
=== mycustomdomain Heroku Domain
mycustomdomain.herokuapp.com

=== mycustomdomain Custom Domains
Domain Name       DNS Target
────────────────  ──────────────────────────────
mycustomdomain.com      mycustomdomain.com.herokudns.com
www.mycustomdomain.com  www.mycustomdomain.com.herokudns.com 

Google Domain config

Subdomain forward

mycustomdomain.com --> http://www.mycustomdomain.com

*.mycustomdomain.com --> http://www.mycustomdomain.com

Custom resource records

<table style="border:1px solid black; border-collapse:collapse">
  <tr>
    <th>NAME</th>
    <th>TYPE</th>
    <th>TTL</th>
    <th>DATA</th>
  </tr>
  <tr>
    <td>www</td>
    <td>CNAME</td>
    <td>1h</td>
    <td>www.mycustomdomain.com.herokudns.com</td>
  </tr>
</table>

As a belated update, I have since found the following link, which I have used successfully to configure my app hosted on Google Domains, to use Let's Encrypt SSL: https://medium.com/@connorleech/https-ssl-on-heroku-with-google-domains-as-dns-provider-c55c438556c6

(I provide the link rather than restating the information here, as it is quite a lot of information)


Answer 1:


Heroku have confirmed that:

To use apex domains, we recommend switching to a DNS provider that supports CNAME-like functionality for apex domains, such as Cloudflare, and then re-enabling ACM.

This is documented on their site here: https://devcenter.heroku.com/articles/custom-domains#configuring-dns-for-root-domains
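
An added example, not part of the original question or answer and not Heroku's own code: it parses the `heroku domains` output from the question and compares it with the registrar's resource records to list the custom domains that have no CNAME-like record pointing at their DNS target. It assumes ACM can only validate a name whose DNS points at the listed target; the function names and the `ALIAS_TYPES` set are hypothetical.

```python
# Constructed sample: the `heroku domains` output shown in the question.
HEROKU_DOMAINS_OUTPUT = """\
=== mycustomdomain Heroku Domain
mycustomdomain.herokuapp.com

=== mycustomdomain Custom Domains
Domain Name       DNS Target
────────────────  ──────────────────────────────
mycustomdomain.com      mycustomdomain.com.herokudns.com
www.mycustomdomain.com  www.mycustomdomain.com.herokudns.com
"""

# Constructed sample: the registrar records from the question. Subdomain
# forwarding does not point the apex at Heroku's DNS target, so it has no entry.
ZONE = "mycustomdomain.com"
RECORDS = [{"name": "www", "type": "CNAME",
            "data": "www.mycustomdomain.com.herokudns.com"}]
ALIAS_TYPES = {"CNAME", "ALIAS", "ANAME"}  # treated as CNAME-like (assumption)


def parse_custom_domains(output):
    """Return {domain: dns_target} from the 'Custom Domains' section."""
    targets, in_custom = {}, False
    for line in output.splitlines():
        if line.startswith("==="):
            in_custom = "Custom Domains" in line
            continue
        cols = line.split()
        if in_custom and len(cols) == 2 and cols[1].endswith(".herokudns.com"):
            targets[cols[0].lower()] = cols[1].lower()
    return targets


def fqdn(name, zone):
    """Expand a registrar-relative name ('www', '@') to a full domain name."""
    name = name.rstrip(".").lower()
    if name in ("", "@"):
        return zone
    return name if name == zone or name.endswith("." + zone) else f"{name}.{zone}"


def unverifiable_domains(heroku_output, records, zone):
    """Custom domains with no CNAME-like record pointing at their DNS target."""
    pointed = {(fqdn(r["name"], zone), r["data"].lower().rstrip("."))
               for r in records if r["type"].upper() in ALIAS_TYPES}
    return [d for d, t in parse_custom_domains(heroku_output).items()
            if (d, t) not in pointed]
```

With the records from the question, only the apex `mycustomdomain.com` is reported; adding a CNAME-like apex record at a provider that supports one clears the list.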



Source: https://stackoverflow.com/questions/43026271/unsuccessful-in-using-automated-certificate-management-for-domains-hosted-on-goo
