Hi @CoedyZurch .
I’ll write in general about using CNAMEs and CAA records, meaning not specifically tied to Freshworks / FreshService:
You can certainly have CNAMEs for the custom vanity URL, and at the same time you can have CAA records. They are indeed separate types of records.
The definition states that CAA follows CNAMEs in terms of querying, which does not mean that it will pull data from CNAMEs.
In case you need a CNAME that points to X host and that host uses a cert from CA vendor Y, you need explicit permission in your CAA for that to work.
Hope this clarifies and makes sense.
Going now to the specific use case for FreshService: We have also currently set up a vanity/custom URL for both FreshService itself and the Freshworks login for our instance, all on our own domain, so CNAMEs are used for both URLs, and we have a single CAA record with the valid CAs for all of our domain certs: Let’s Encrypt for FW and another CA vendor for a wildcard we use.
Now, jumping to your particular use case, I would suggest temporarily removing your CAA record; then FW should be able to get your custom URL back. Double-check the CA used (ensuring it’s Let’s Encrypt) and create/enable in a new CAA record all the necessary CAs for your domain.
Hope this helps.
Best,
Elvis
Hello Elvis,
Thanks for the information and response. We added the CAA records to the subdomain, but it doesn’t seem to be making a difference. Do you have your CAA record for Let’s Encrypt on your subdomain or on the parent domain?
From my understanding, the RTC Standards state you should not have a CAA record on the same domain where a CNAME record exists. If you do, the CNAME should be recognized or used. It seems that is not followed by the entire industry though. This newer FS article says to add the CAA records to the subdomain, which would go against this practice. This older FS article does not mention a CAA record. It is a bit confusing where to troubleshoot, and support keeps sending us in circles.
FreshWorks used Google for our last 90-day cert, which is the one that didn’t renew. All certs before that were going through Let’s Encrypt. I am not sure if there is a relation, but just an observation.
Hi.
I forgot to mention that; I had it on the parent domain, not at the subdomain.
The definition states that CAA records can be set up for the domain and/or subdomains. Subdomains inherit CAA values/permissions from the main domain, but this can be overridden. This means that if you are setting up a CAA record at a subdomain (for an override), a CAA record must exist for your main/parent domain.
Regards,
Elvis
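
Added example, not part of the thread and not Freshworks code: the CAA lookup order a CA follows under RFC 8659 (query the name, let the resolver follow any CNAME, then climb to the parent), run over a constructed zone. All hostnames are placeholders, and only plain `issue` values are modelled (no `issuewild`, no parameters).

```python
# Constructed zone data: hostnames are placeholders, not real deployments.
ZONE = {
    "example.com":       {"CAA": ["letsencrypt.org", "ca.example"]},
    "help.example.com":  {"CNAME": "tenant.saas.example"},   # target has no CAA
    "login.example.com": {"CNAME": "edge.saas.example"},     # target has CAA
    "edge.saas.example": {"CAA": ["pki.goog"]},
    "shop.example.com":  {"CAA": ["ca.example"]},            # subdomain override
}

def query_caa(name, zone, max_hops=8):
    """CAA answer for one name as a resolver returns it: CNAMEs are followed,
    but the parents of the alias target are never searched."""
    for _ in range(max_hops):
        rrsets = zone.get(name, {})
        if "CNAME" not in rrsets:
            return rrsets.get("CAA", [])
        name = rrsets["CNAME"]
    raise LookupError("CNAME chain too long")  # a CA must treat this as a failure

def relevant_caa_set(fqdn, zone):
    """Climb from the requested name towards the root and return the first
    non-empty CAA set together with the name where it was found."""
    name = fqdn.rstrip(".").lower()
    while name:
        issuers = query_caa(name, zone)
        if issuers:
            return name, issuers
        name = name.partition(".")[2]  # drop the leftmost label
    return None, []

def may_issue(fqdn, ca, zone):
    """No CAA anywhere means any CA may issue; otherwise the CA must be listed."""
    _, issuers = relevant_caa_set(fqdn, zone)
    return not issuers or ca in issuers

if __name__ == "__main__":
    for host in ("help.example.com", "login.example.com", "shop.example.com"):
        found_at, issuers = relevant_caa_set(host, ZONE)
        print(f"{host}: CAA found at {found_at} -> {issuers}")
```

In this model a CNAMEd name whose target publishes no CAA falls back to the parent zone's record, while a target that does publish CAA decides the outcome and the parent record is never consulted.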