How I configured DNSimple, Cloudflare and Ghost
It's been a while since I needed to do any configuration with third-party services for a website, and this week I had the opportunity to take a trip down memory lane.
The first step in creating a website, writing a blog or serving any form of content over the internet is setting up a secure connection between your end user and your content. There are two reasons for this.
As a content provider I want to take steps to help ensure the content my end users are seeing on my website, blog or any other data stream that flows through the internet and to a device is the content I intend to deliver. The advent of service providers like Cloudflare and Let's Encrypt allows small content producers like myself to take the first steps needed to ensure secure communication between ourselves and our end users.
As an end user, you should care that any communication between yourself and my content delivery system is secure. Take a look at haveibeenpwned to see a list of websites whose customer information was compromised.
A third reason would be the off-putting warnings coming from your browser of choice when you access my website. These warnings immediately generate a feeling of distrust and are a concern to me every time I have to access AKO using a device that is not on a government network.
As mentioned in this post I made the decision to use the Ghost platform to create the content for this website. I already had a domain name, and a platform to generate and serve content. All I needed to do now was add my domain name to my Cloudflare account and point it to my shiny new content by making a few changes to the zone files my DNS provider, DNSimple, uses to get you there when you type mikethrom.com into your browser.
Too easy. Change a few variables, click a couple of option boxes and my content will be delivered securely to my users and my website will get a little green lock letting everyone know that I'm doing the right thing as a content provider.
I did just that. I changed a few variables, clicked a few option boxes and my content was ... unreachable ...
I remembered how fun it is to get other people's toys to play nice. This is the price you pay when you don't create everything from scratch. I read the documentation/FAQs from all three providers and still ran into a major problem.
After changing said variables and options, running the nslookup, ping -a and tracert commands, and seeking advice from DNSimple and Ghost for two days in the scant space between lectures, homework and course study, I finally figured out the puzzle.
The above-named command line tools were going nowhere at first. I continued to modify the records trying to get a stable and consistent return IP address. This led me to believe the forwarding instructions were either stuck in a loop or not registering as a switch between point A and point B somewhere along the line.
I finally got a consistent return IP address while a subnetting discussion was taking place in class, and realized that DNSimple was not sending all requests to Cloudflare and doing what I wanted. I couldn't make any changes though, because the CNAME record pointing from DNSimple over to Cloudflare that allows Cloudflare to forward my domain over to the content hosted at Ghost was in a text file on my laptop at home.
These are the steps I took to fix my problem. If you stumbled upon this post because you have a similar problem I hope they point you in the right direction.
I deleted my domain from Cloudflare, knowing it would keep previously applied settings because I had done this a few other times.
I went to DNSimple, made a backup of the DNS Zone file then deleted all A, CNAME, ALIAS, TXT and URL records so I was left with the default NS records and the SOA record for DNSimple. I did not have any MX records at this point.
I manually created the two NS records for the Cloudflare name servers that would be re-assigned to my domain when I added it again.
I made a backup of and then deleted the DNSSEC record from DNSimple.
I added Cloudflare as a “One-Click-Service” through DNSimple.
Then I created two CNAME records:
CNAME mysite.com is an alias of my-site.ghost.io
CNAME www.mysite.com is an alias of mysite.com
Then I created two page rules:
https://www.mysite.com/* // Forwarding URL: (Status Code: 301 – Permanent Redirect, Url: https://my-site.ghost.io/$1)
http://www.mysite.com/* // Forwarding URL: (Status Code: 301 – Permanent Redirect, Url: https://my-site.ghost.io/$1)
I ensured the Custom Domain field in the Ghost Admin/Account panel was set to
Once the name servers were propagated and Cloudflare was active I enabled DNSSEC on Cloudflare and then entered the DNSSEC info in DNSimple, having to look up the mnemonic for the algorithm number provided by Cloudflare at the iana.org website.
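The inconsistent answers in the steps above came from records left over in the zone beside the new ones: a stale A or ALIAS next to a CNAME, and NS records still pointing at the old name servers. Those are all visible in the zone file backup before anything is handed to Cloudflare, so here is an added example (my own code, not the author's and not a DNSimple or Cloudflare tool) that lints a BIND-style zone dump for exactly those conflicts and maps a DS record's algorithm number to its IANA mnemonic. The zone apex, the two Cloudflare name server names and both sample zones are constructed for the example; the algorithm table is the relevant subset of the IANA DNS Security Algorithm Numbers registry.

```python
import re

# IANA "DNS Security Algorithm Numbers" (subset). Cloudflare's DNSSEC panel shows
# the number; the DNSimple DS form wants the mnemonic, hence the lookup in the post.
DNSSEC_ALGORITHMS = {
    5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448",
}

# Assumptions for the example (hypothetical, not the author's real zone):
ZONE_APEX = "mysite.com"
EXPECTED_NS = {"ada.ns.cloudflare.com", "bob.ns.cloudflare.com"}  # made-up pair
EXPECTED_CNAMES = {"mysite.com": "my-site.ghost.io", "www.mysite.com": "mysite.com"}

# owner [ttl] [IN] TYPE rdata. Owner names in the samples are fully qualified,
# so $ORIGIN handling is not needed and $-directives are simply skipped.
RECORD_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?([A-Z]+)\s+(.+)$")

# Constructed "half-migrated" zone: stale records left beside the new CNAMEs and
# the delegation still pointing at DNSimple's own name servers.
BEFORE_ZONE = """\
$TTL 3600
mysite.com.     IN SOA   ns1.dnsimple.com. admin.dnsimple.com. 1 3600 600 604800 60
mysite.com.     IN NS    ns1.dnsimple.com.
mysite.com.     IN NS    ns2.dnsimple.com.
mysite.com.     IN ALIAS old-app.example.net.   ; leftover from an earlier hosting test
mysite.com.     IN CNAME my-site.ghost.io.
www.mysite.com. IN A     203.0.113.10            ; stale A record
www.mysite.com. IN CNAME mysite.com.
"""

# Constructed clean zone after the steps in the post.
AFTER_ZONE = """\
$TTL 3600
mysite.com.     IN SOA   ns1.dnsimple.com. admin.dnsimple.com. 2 3600 600 604800 60
mysite.com.     IN NS    ada.ns.cloudflare.com.
mysite.com.     IN NS    bob.ns.cloudflare.com.
mysite.com.     IN CNAME my-site.ghost.io.
www.mysite.com. IN CNAME mysite.com.
"""


def parse_zone(text):
    """Return (owner, type, rdata) tuples; owners lowercased without trailing dot."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line or line.startswith("$"):
            continue
        m = RECORD_RE.match(line)
        if m:
            owner, rtype, rdata = m.groups()
            records.append((owner.lower().rstrip("."), rtype, rdata.strip()))
    return records


def check_zone(text, apex=ZONE_APEX, expected_ns=EXPECTED_NS,
               expected_cnames=EXPECTED_CNAMES, cname_flattening=True):
    """Return a list of human-readable findings; an empty list means the zone is clean."""
    findings = []
    by_owner = {}
    for owner, rtype, rdata in parse_zone(text):
        by_owner.setdefault(owner, []).append((rtype, rdata))

    for owner, rrs in by_owner.items():
        types = {t for t, _ in rrs}
        if "CNAME" not in types:
            continue
        others = types - {"CNAME"}
        if owner == apex:
            if cname_flattening:
                others -= {"SOA", "NS"}  # flattening provider: SOA/NS beside the apex CNAME is expected
            else:
                findings.append(f"{owner}: CNAME at the zone apex needs a provider that flattens it")
        if others:  # RFC 1034: a CNAME owner may carry no other data
            findings.append(f"{owner}: CNAME coexists with {sorted(others)}; answers will be inconsistent")

    ns = {r.lower().rstrip(".") for t, r in by_owner.get(apex, []) if t == "NS"}
    if ns != set(expected_ns):
        findings.append(f"{apex}: NS set {sorted(ns)} != expected {sorted(expected_ns)}")

    for owner, target in expected_cnames.items():
        cnames = [r.lower().rstrip(".") for t, r in by_owner.get(owner, []) if t == "CNAME"]
        if cnames != [target]:
            findings.append(f"{owner}: expected CNAME -> {target}, found {cnames}")
    return findings


def ds_algorithm_mnemonic(ds_rdata):
    """DS rdata is 'keytag algorithm digesttype digest'; map the algorithm number to its mnemonic."""
    fields = ds_rdata.split()
    if len(fields) < 4 or not fields[1].isdigit():
        return None
    return DNSSEC_ALGORITHMS.get(int(fields[1]))


if __name__ == "__main__":
    for label, zone in (("before", BEFORE_ZONE), ("after", AFTER_ZONE)):
        print(label, check_zone(zone) or "clean")
    print(ds_algorithm_mnemonic("2371 13 2 " + "ab" * 32))
```

Run against the "before" zone it reports the ALIAS beside the apex CNAME, the A beside the www CNAME and the delegation still on DNSimple's name servers, which are the three things that produced the unstable answers; the "after" zone comes back clean. Two caveats worth keeping in mind: a CNAME at the zone apex is only acceptable because Cloudflare flattens it (pass cname_flattening=False to see it flagged for a provider that does not), and the order in the steps above, removing the DS record at the registrar before moving the delegation and re-adding it only after Cloudflare is active, is what stops validating resolvers from treating the zone as bogus during the move.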
I'm blaming the whole ordeal on the fact that I had a unique situation that nobody could plausibly test for while in the development stage.
I had registered my domain with Cloudflare about three months ago so I could test some basic routing calls through DNSimple, Cloudflare and Microsoft's Azure platform. My decision to go a different direction and have the content presented to you here hosted and managed by a different entity (thus saving me from back-end management chores) led to a series of events that required me to troubleshoot the issue by using deductive logic to fix the problem I had created.
Some of the blame is on me for not paying attention or making zone file backups. However this was a good exercise in shaking off the rust, integrating the skills I'm learning in the MSSA program and fixing what could have been a 90 day 'trouble ticket' between three 3rd party services.
I'm betting within the next five years all content providing platforms (even those at the regular public consumer level) will have secure connections integrated from inception without the need to pay extra money, jump through hoops or contact technical support.
I think the market will demand basic SSL or similar data transmission security services are built into products at the base tier price point and the providers/manufacturers will have no choice but to allow it - because I also like to think they're working on something better.