Open ojongerius opened 6 years ago
I think there are a couple of issues here.
We need to toggle the traffic to directly reach the endpoint without passing through it. This is because the SSL Cert is shared among our other entities.
The fix in that case is simply to toggle the orange cloud thing beside the entry for the CNAME.
Double check CNAME flattening, but I think that needs to be investigated after 1. is taken care of.
Same deal.
I have good experience with https://aws.amazon.com/certificate-manager . I see they support importing third-party certificates. We can either import certificates into certificate manager or create a new one (it's free).
While we are at it, can we update the CNAME? I've deployed stage to the freeCodeCamp account and the URL is now: https://hxtsoafqna.execute-api.us-east-1.amazonaws.com
@ojongerius that is the intent. @Bouncey has confirmed that the traffic is not going through CloudFlare, it would need an SSL cert.
One can be created using any method that is suitable. Will you be able to do that using the certificate-manager? Would it need domain verification records (TXT), etc.?
If that is the case, we should just do this over a call with @freeCodeCamp/open-api. It will just be faster that way.
CNAME updated.
If we send the traffic through cloudflare would it not pick up our https cert? Do we not want this?
If we send traffic through CF, then the cert used would be one of the ones provided by CF. But since the actual API endpoint has a default cert of its own (even when we do not give it one), there is a mismatch.
In that case, it should just directly hit the API as it is bypassing CF.
But this also fails, because we are using a CNAME for the API, which CF flattens out.
So, we need to install an SSL cert at the endpoint.
This SSL cert should cover the intended final domain api-stage.freecodecamp.org & api.freecodecamp.org for that matter.
This way, after we bypass the CF and hit the endpoint with our CNAME (flattened) domain, it resolves correctly, because the client sees that the domain is matching the cert (installed at the endpoint).
Hope this clarifies?
api-stage works, but https fails: https://api-stage.freecodecamp.org/stage/api
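The mismatch discussed in this thread, as an added example (not code from the thread or the freeCodeCamp project): a TLS client validates the certificate against the hostname it requested, never against the CNAME target it was resolved to. The SAN lists below are constructed, and the wildcard name on the endpoint's default certificate is an assumption.

```python
"""Why https fails on a CNAME'd API endpoint until a matching cert is installed."""


def san_matches(hostname: str, san: str) -> bool:
    """Simplified RFC 6125 check: '*' is honoured only as the whole
    left-most label and never spans more than one label."""
    host = hostname.rstrip(".").lower().split(".")
    pat = san.rstrip(".").lower().split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        # Require at least two fixed labels after the wildcard.
        return len(pat) > 2 and host[0] != "" and host[1:] == pat[1:]
    return host == pat


def cert_covers(hostname: str, sans: list) -> bool:
    """True if any dNSName entry in the certificate covers hostname."""
    return any(san_matches(hostname, s) for s in sans)


def client_accepts(requested_host: str, cname_target: str, sans: list) -> bool:
    """The client only knows the name it asked for; cname_target is ignored
    on purpose, because DNS aliasing is invisible to certificate validation."""
    return cert_covers(requested_host, sans)


# Constructed sample data.
CNAME_TARGET = "hxtsoafqna.execute-api.us-east-1.amazonaws.com"  # from the thread
DEFAULT_ENDPOINT_SANS = ["*.execute-api.us-east-1.amazonaws.com"]  # assumed
CUSTOM_CERT_SANS = ["api.freecodecamp.org", "api-stage.freecodecamp.org"]

if __name__ == "__main__":
    for label, sans in (("default cert", DEFAULT_ENDPOINT_SANS),
                        ("custom cert", CUSTOM_CERT_SANS)):
        for host in ("api-stage.freecodecamp.org", "api.freecodecamp.org"):
            ok = client_accepts(host, CNAME_TARGET, sans)
            print(f"{label:12} {host:28} {'OK' if ok else 'MISMATCH'}")
```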