#nickdnk_docs
This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1354117615886536704
Hello, I am less familiar with how these domains work. Reaching out for a colleague to help look into this
My plan here is to temporarily add letsencrypt and then move the CAA record to the subdomain level once Stripe is satisfied, as this should still work correctly
Hi hi! Jumping in for my colleague on this. Let me just read back a wee bit.
No problem
I know for sure this works, because we already do this with letsencrypt, just for a service not on Stripe
Right, but with Stripe, it specifically won't work: https://docs.stripe.com/payments/checkout/custom-domains?payment-ui=stripe-hosted#your-caa-record-is-at-the-same-level-as-your-custom-domain-name
Yes, but why?
This was the doc I linked to originally
I don't see any technical reason why you would require letsencrypt at the root level
(because letsencrypt doesn't)
You can read the official RFC for the CAA property here: https://datatracker.ietf.org/doc/html/rfc8659 - see 4.2 with examples for how these restrictions apply to subdomains and section 3 for the actual procedure for resolving the CAA restrictions - that is, starting at the subdomain and walking up until a record is found.
I understand that it may be possible given no constraints, but given the "Stripe built it in such a way that this is not possible" constraint, it's not possible.
That's not what's happening or what I said.
Can you send me that screenshot unredacted so I can see the actual problem please?
I can't, because the modal is gone and the domain is currently in validation. But it's just sub.domain.tld and I put letsencrypt CAA at sub.domain.tld which is sufficient for what you are trying to do with that domain for this purpose of having Stripe use our subdomain. I don't want to add the root domain because this technically gives Stripe the power/ability to issue certificates for any subdomain. To work around this, I have two options:
- I use a sub-sub-domain for the payment domain, which just looks stupid, i.e. sub.sub.domain.tld, as this would allow CAA at sub.domain.tld according to Stripe
- I wait for Stripe to accept all of this and start using the domain (currently pending), then move the CAA record back to sub.domain.tld (where it belongs) from domain.tld where it currently resides.
You have a CAA record for the subdomain you're trying to use for Checkout, ya? I believe that's where the issue is.
It's near impossible to diagnose without the actual data though.
I do, yes, as that is the domain Stripe should only ever operate under. If you DM me, I can send you back the domain, I prefer to keep it out of the public thread.
Fair.
Your message could not be delivered. This is usually because you don't share a server with the recipient or the recipient is only accepting direct messages from friends.
Weird, I have enabled this for Stripe
give me a second
dont know what else to do
I also cannot DM you
Beautiful
I see magic here, no worries
ಠ_ಠ
To clarify exactly what I'm querying here: Why do you need the ability to issue certificates for any subdomain? It should not be necessary to do this when you only operate on a subdomain level, and it certainly isn't for letsencrypt, so I'm just curious why. It's not like I'm suspecting Stripe would abuse the ability, but from a principle of least privilege, I would prefer to not allow letsencrypt to issue certificates for our other domains as we would never need that.
Totally valid question.
Right. Ok. So are you using the payment subdomain for anything other than the hosted Stripe stuff?
Perfect.
and if I put the CAA at that domain, it doesn't let me add the domain
Why do you have a CAA on the subdomain at all then?
because I have AWS CAA on the root
which disallows anyone to issue any certificates for our domain, except AWS
this protects our domain from rogue certificates, in theory
that's the whole idea behind the CAA record anyway
Exactly
Which, again, fair.
I want to allow letsencrypt only on payment.domain.tld (and any subdomains on there)
isolating stripe's (and letsencrypt's) ability to issue certificates to that domain tree only
And like I said, I already do this with other things that use letsencrypt
So to me this looks like an implementation oversight with the DNS requirements for stripe hosted pages
Because what I'm suggesting should work
Right. I think we should move this convo over to a support case so we can dig further - you okay with that?
Yes
acct_17xDxxL7ilRdQXxE is our account
I guess you can get what you need from there?
You can just use cornelis as the email inbox instead of the customer one we have listed
same domain
I can do some magic, hold on.
Hello @somber tartan, we have sent you a direct message, please check it at https://discord.com/channels/@me/1354142589347172487
The message has instructions on how to open a direct support case with our Developer Support team, in order to help you more effectively.
Done
Boom, ok. We can follow up there!
Thank you. I appreciate this channel so much. It's always so much better than official support.
More companies should do this for tech stuff
You're very welcome!
I'm gonna close this thread but you can always come back here and access it for reference, or open a new one.