Any tips on how to expedite the custom domain proc...
# ory-network
s
Any tips on how to expedite the custom domain process? It’s been about 20 hours and still pending. The CNAME is configured as such:
```
▶ dig auth.beta.source.coop

; <<>> DiG 9.10.6 <<>> auth.beta.source.coop
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27842
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;auth.beta.source.coop.		IN	A

;; ANSWER SECTION:
auth.beta.source.coop.	300	IN	CNAME	optimistic-jackson-tvx6h5ig8s.projects.oryapis.com.
optimistic-jackson-tvx6h5ig8s.projects.oryapis.com. 300	IN A 104.18.28.201
optimistic-jackson-tvx6h5ig8s.projects.oryapis.com. 300	IN A 104.18.29.201

;; Query time: 24 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Wed Apr 23 08:13:23 PDT 2025
;; MSG SIZE  rcvd: 146
```
s
We see this error on our side:
CAA records block issuance. Please remove all CAA records or add records for this authority (pki.goog)
I was under the impression that this type of error is forwarded to the Ory Console, but apparently it's not?
s
Thanks for this information. I see no error on my side…
Okay, so apparently this CAA record thing is managed on Vercel and cannot be changed: https://vercel.com/guides/change-caa-records-with-vercel-cname Just sharing out in case others find themselves in a similar situation (I’ve not used CAA records before)
s
Yeah you have to change the record on your DNS, not vercel. So where you created the Ory CNAME entry, e.g. cloudflare or some other service.
CAA records are also inherited by subdomains, so in your case it would be on source.coop
s
> Yeah you have to change the record on your DNS, not vercel.
I’m not entirely sure that this is correct. As per the Vercel docs listed above:
> Due to the way CNAME records work, any subdomain with a CNAME record of `cname.vercel-dns.com` will automatically use the predefined CAA records from this record.
I am verifying that we haven’t set it on our Route53 hosted zone…
```
▶ dig beta.source.coop caa +short
cname.vercel-dns.com.
0 issue "letsencrypt.org"
0 issue "globalsign.com"
0 issue "sectigo.com"

~
▶ dig cname.vercel-dns.com caa +short
0 issue "letsencrypt.org"
0 issue "globalsign.com"
0 issue "sectigo.com"
```
While I have you, a small gripe: the example domain you present on the Add Domain screen does not conform to the format you require, which is a bit confusing to the end-user
e.g.
Okay, following up on this: https://ory-community.slack.com/archives/C02MR4DEEGH/p1745439667343689?thread_ts=1745421240.084089&cid=C02MR4DEEGH
Problem: So, I had a `CNAME` record for `beta.source.coop` that was pointed to `cname.vercel-dns.com` as per the Vercel docs (https://vercel.com/docs/domains/working-with-domains/add-a-domain#subdomains). I created a `CNAME` record for `auth.beta.source.coop` to point to my ORY account, as per the Ory docs (https://www.ory.sh/docs/guides/custom-domains#setting-up-a-cname-record). However, being that the `auth.beta.source.coop` is a subdomain of `beta.source.coop` and being that `beta.source.coop` is a `CNAME` record to a Vercel domain, the CAA lookup would resolve to the CAA set on the Vercel domain and thus Ory was unable to set up SSL for my subdomain.
Fix: Use an `A` record for `beta.source.coop` (despite what the Vercel docs say). @steep-lamp-91158 does this track with your understanding?
(long story short, https://auth.beta.source.coop now works 🎉)
s
couldn't you just set a CAA record for auth.beta.source.coop? regardless, happy it works now
s
> couldn’t you just set a CAA record for auth.beta.source.coop? regardless, happy it works now
That’s a totally reasonable suggestion
Ah, as per Route53 docs:
> You can't create a CAA record and a CNAME record that have the same name because DNS doesn't allow using the same name for both a CNAME record and any other type of record.
s
I see, makes sense I guess
let me check if we can eventually set them on our side then