How to configure DNS records to support Yola Hosted SSL


With site security and user success as our top priorities, when building Latitude, we opted to make SSL (https) a requirement for all published websites. The benefits of having a secure website are three-fold:

  • SSL ensures the safety of data passed between your customers and their site visitors.
  • Google gives priority to secure websites over those that are not.
  • Browsers highlight non-secure websites with threatening red banners. This doesn’t present a good image of the site to the user.

Best of all, websites that are hosted on Yola's servers are eligible for free SSL provided by Cloudflare. Adding SSL support requires you to configure DNS appropriately.

How to configure the DNS records  

For the best reliability, perform these steps before provisioning the website in Yola. That will allow the SSL certificate to be issued as fast as possible.

  1. Select a www subdomain for the website.
  2. Create a CNAME DNS record for this site, pointing to HOSTNAME.cdn.cloudflare.net, e.g. www.example.com 60 IN CNAME www.example.com.cdn.cloudflare.net.
  3. Create an A DNS record for the bare domain to 52.2.192.9, e.g. example.com 60 IN A 52.2.192.9. This will allow users that visit “example.com” to be redirected to “https://www.example.com/”.
  4. Provision the user’s website for this domain (www.example.com).
  5. If your partner is not configured to use the “hosted_ssl” feature, provision a CNAME Zone for the site via the API, or the “SSL Setup” button in SBS. Note: When you use hosted_ssl this happens at account provisioning time, so DNS should be set up before user creation.

Verification timeline

Cloudflare will attempt verification for a month, with decreasing frequency. Their docs on the timeline explain this. After this time, the verification is completed.

If the hostname wasn't able to be verified in time (e.g. because DNS wasn't provisioned in time), re-verification can be manually triggered using the re-verify endpoint.

Cloudflare's Universal SSL certificate will be automatically deployed once a CNAME zone has been provisioned (explicitly, or implicitly via the hosted_ssl flag), and the DNS CNAME records have been verified by Cloudflare.

Potential issues

SSL will fail to provision successfully in the following cases:

  1. If the correct CNAME DNS record isn’t provisioned within a month after the CNAME zone creation (or User creation, when hosted_ssl is enabled). Re-verification can be manually initiated by Yola’s support team, once the correct CNAME DNS records are in place.
  2. If the user has an existing Cloudflare zone for their domain. The user needs to delete it before initiating CNAME zone creation (or User creation, when hosted_ssl is enabled).
  3. If there is no valid DNS zone for the domain when the CNAME zone (or User, when hosted_ssl is enabled) is provisioned, provisioning will fail. There must be a working NS delegation to nameservers that are serving the zone (e.g. dig example.com SOA should return a result).
  4. If the domain name looks suspicious to Cloudflare, a certificate will not be automatically issued. The exact rules here are not public, and these cases have to be manually escalated when encountered.
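
The DNS setup steps and the zone check from issue 3 can be verified before provisioning. The following pre-flight check is an added example, not Yola's or Cloudflare's code; it reads text in the format printed by `dig +noall +answer`, and the function names and sample records are constructed for illustration.

```python
# Added example. Input is `dig +noall +answer` style text; samples are constructed.
APEX_A = "52.2.192.9"                  # bare-domain address given in the article
CNAME_SUFFIX = "cdn.cloudflare.net."   # CNAME target suffix given in the article

def norm(name):
    """Lower-case a DNS name and make it fully qualified (trailing dot)."""
    return name.lower().rstrip(".") + "."

def parse_answers(text):
    """Parse 'name ttl IN type rdata' lines into (name, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split(";", 1)[0].split(None, 4)   # drop dig comments
        if len(parts) == 5 and parts[2].upper() == "IN":
            records.append((norm(parts[0]), parts[3].upper(), parts[4].strip()))
    return records

def check_domain(domain, text):
    """Return a list of problems; an empty list means DNS is ready."""
    apex, www = norm(domain), norm("www." + domain)
    recs = parse_answers(text)
    def rdata(name, rtype):
        return [r for n, t, r in recs if n == name and t == rtype]
    problems = []
    if not rdata(apex, "SOA"):
        problems.append("no SOA for " + apex + " (no working zone/delegation)")
    if rdata(apex, "CNAME"):
        problems.append("CNAME at the zone apex; use an A record instead")
    if rdata(apex, "A") != [APEX_A]:
        problems.append("apex A record must be exactly " + APEX_A)
    want = www + CNAME_SUFFIX
    if [norm(t) for t in rdata(www, "CNAME")] != [want]:
        problems.append(www + " must be a single CNAME to " + want)
    return problems

SAMPLE_READY = """\
example.com.     60 IN SOA   ns1.example.net. hostmaster.example.net. 1 7200 3600 1209600 300
example.com.     60 IN A     52.2.192.9
www.example.com. 60 IN CNAME www.example.com.cdn.cloudflare.net.
"""
SAMPLE_BROKEN = """\
example.com.     60 IN CNAME example.com.cdn.cloudflare.net.
www.example.com. 60 IN A     203.0.113.10
"""

if __name__ == "__main__":
    for label, text in (("ready", SAMPLE_READY), ("broken", SAMPLE_BROKEN)):
        print(label, check_domain("example.com", text) or "OK")
```

To check a live domain, concatenate the output of `dig +noall +answer` for the SOA and A records of the bare domain and the CNAME record of the www hostname, and pass the text to `check_domain`.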

Note: We require CNAME DNS records for hostnames we terminate SSL on. DNS doesn't support CNAME records at the apex of a zone, so we need to put the website on a www subdomain of the domain the user purchased. This allows you to use a CNAME DNS record for the site.
