2 · Subdomains + SSL

# ZajLibrary — implementation playbook

You are a **senior implementation assistant** working inside the user’s real development environment (terminal, editor, git repo). You are **not** a documentation writer, tutor, or library editor.

**Mission:** Execute the procedure described below in the user’s real project workspace — create or modify the files and run the commands it specifies. Do not just summarize it.

## Metadata
- title: 2 · Subdomains + SSL
- url: https://library.zajapps.com/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/02-subdomains-ssl/
- shelf: Build & Create
- doc_type: implementation playbook
- status: current
- kind: playbook
- category: tech-stack
- subcategory: laravel
- topic: codecanyon
- phase: 4
- step_number: 2
- est_time: ~20–40 min (+ DNS propagation)
- description: Plan the subdomain map, add A/CNAME records, provision SSL/TLS certificates, force HTTP→HTTPS, and confirm everything with a five-check CLI verification (dig, HEAD, redirect, proxy, cert details).
- tags: codecanyon, dns, ssl, tls

## Execution rules (binding)
- This is step 2 of phase 4 (~20–40 min (+ DNS propagation)) — do only this step, then stop at its `## Checklist`.
- Follow `## Steps` in order. Do not skip steps or declare the work complete early.
- Respect `:::note[Who does this]`: 👤 **User** steps (browser, downloads, OAuth, moving files) need the human — wait for or instruct them; 🤖 **Agent** steps you run in the shell.
- After every command, compare its output to the `# Expected:` comment or ✅ bullet beneath it. If it differs, **stop, show what you got, and ask how to proceed** — do not guess or rewrite the procedure.
- Honor `:::caution` / `:::note` callouts as hard gates (a step may forbid a command at this stage).
- Do not mark the step done until every `## Checklist` item is genuinely satisfied.
- Scope: implement only what this page describes — no refactors, added features, or later-phase work unless the page says so.
- When reporting progress, cite the `##` / `###` headings you completed or got blocked on.
- Secrets: never put API keys, passwords, or `.env` values in frontend code, commits, or chat logs — use server-side `.env` / config only, and keep `.env` gitignored.

---

# 2 · Subdomains + SSL

## TL;DR

**Objective** — give staging and production each a reachable hostname and a valid certificate **before** the first deploy (Deployer flips a symlink, it doesn't issue certs), so the deploy lands on a working HTTPS origin.

:::note[User part + done-when]
**👤 User part** — the DNS records and certificate provisioning happen in your DNS provider / hosting panel: a person adds the A/CNAME records and enables the host's AutoSSL. An agent plans the hostnames and runs the five CLI verification checks, but it can't click "add record" or "issue cert" in a dashboard.

**Done when** every hostname resolves via `dig` to the right IP, HTTPS returns 200/301, HTTP force-redirects to HTTPS, and the cert is valid, covers the host, and auto-renews. &nbsp;·&nbsp; **⏱ ~20–40 min (+ DNS propagation)** &nbsp;·&nbsp; 🔀 mixed (👤 DNS/cert dashboards, 🤖 verification).
:::

## Background

Staging and production each need a reachable hostname and a valid certificate **before** the first deploy — Deployer flips a symlink, it doesn't issue certs. This page gets DNS and TLS green so the deploy lands on a working HTTPS origin.

## Steps

### 1. Plan the subdomain map

Decide the hostnames up front so DNS, certs, and your app's `APP_URL` all agree.

| Environment | Example host | Points to |
|---|---|---|
| Staging | `staging.example.com` | Staging server IP (or Cloudflare proxy) |
| Production | `app.example.com` / `example.com` | Production server IP |
| Apex redirect | `example.com → www` (or vice-versa) | Pick one canonical, 301 the other |

Keep apex vs `www` decisions consistent with `APP_URL` in **[3 · Production .env](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/03-production-env/)**. A mismatch breaks absolute URLs, signed routes, and cookie domains.

### 2. Add the DNS records

Create one record per host at your DNS provider (or Cloudflare — see **[6 · Cloudflare CDN](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/06-cloudflare-cdn/)**).

:::note[Who does this]
👤 **User** adds each DNS record in the DNS provider's dashboard — an agent can't click "add record."
:::

| Type | Name | Value | Notes |
|---|---|---|---|
| `A` | `staging` | `<server IPv4>` | Apex/subdomain → IP |
| `AAAA` | `staging` | `<server IPv6>` | Only if the server has IPv6 |
| `CNAME` | `www` | `example.com` | Alias one name to the canonical |

:::caution[Propagation is not instant]
DNS changes can take minutes to hours. Verify with `dig` (below) rather than a browser, which caches aggressively. Lower the TTL before a planned cutover.
:::

### 3. Provision the SSL/TLS certificate

Use your host's automated Let's Encrypt integration (cPanel AutoSSL, Forge, Ploi, or `certbot`). One cert per hostname, or a wildcard if your panel supports DNS-01.

:::note[Who does this]
👤 **User** issues the certificate in the hosting panel (AutoSSL / Forge / Ploi) — a dashboard action an agent can't perform.
:::

- Issue for **every** hostname that serves traffic, including `www`.
- Enable **auto-renewal** — Let's Encrypt certs expire every 90 days.
- Force **HTTP → HTTPS** at the web server (or via Cloudflare "Always Use HTTPS").

### 4. Verify with five CLI checks

Don't trust the browser — run these and read the output.

<Steps>

1. **Run the five-check verification pass.**

   ```bash
   # 1) DNS resolves to the expected IP
   dig +short staging.example.com

   # 2) HTTPS responds (expect HTTP/2 200 or 301/302 to the canonical host)
   curl -sI https://staging.example.com | head -1

   # 3) HTTP redirects to HTTPS (expect 301/308 with a https:// Location)
   curl -sI http://staging.example.com | grep -iE 'HTTP/|location'

   # 4) Behind Cloudflare? Confirm the proxy is in front
   curl -sI https://staging.example.com | grep -i 'cf-ray' && echo "proxied" || echo "direct"

   # 5) Certificate is valid and covers the host
   echo | openssl s_client -connect staging.example.com:443 -servername staging.example.com 2>/dev/null \
     | openssl x509 -noout -subject -issuer -dates
   # Expected: dig returns your IP, HEAD is 200/301, HTTP redirects to HTTPS, and the cert notAfter is in the future with subject matching the host
   ```

   - ✅ `dig` returns your IP, the HEAD request is `200`/`301`, HTTP redirects to HTTPS, and the cert's `notAfter` date is in the future and `subject` matches the host.

</Steps>

### Troubleshooting

| Symptom | Cause | Fix |
|---|---|---|
| `dig` returns nothing / wrong IP | Record missing or not propagated | Re-check the record; wait for TTL |
| `curl` cert error | Cert not issued / wrong host | Re-run AutoSSL; ensure host is in the cert SAN |
| Redirect loop | Cloudflare SSL mode `Flexible` + origin forcing HTTPS | Set Cloudflare SSL to **Full (Strict)** (see page 6) |
| `NET::ERR_CERT_COMMON_NAME_INVALID` | Cert doesn't list this host | Reissue covering all hostnames |

## Checklist

Do not mark this step done until **every** box below is checked.

- [ ] **🤖 Hostnames resolve** — every environment hostname resolves via `dig` to the correct IP.
- [ ] **🤖 HTTPS + redirect** — HTTPS returns 200/301 and HTTP force-redirects to HTTPS.
- [ ] **👤 Cert valid + auto-renew** — certificate is valid, covers the host, and auto-renewal is on.
- [ ] **🔀 Canonical matches `APP_URL`** — apex vs `www` decision matches the planned `APP_URL`.

:::next[Next step]
[Production .env](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/03-production-env/)
:::

# 2 · Subdomains + SSL

> Source: https://library.zajapps.com/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/02-subdomains-ssl/

## TL;DR

**Objective** — give staging and production each a reachable hostname and a valid certificate **before** the first deploy (Deployer flips a symlink, it doesn't issue certs), so the deploy lands on a working HTTPS origin.

:::note[User part + done-when]
**👤 User part** — the DNS records and certificate provisioning happen in your DNS provider / hosting panel: a person adds the A/CNAME records and enables the host's AutoSSL. An agent plans the hostnames and runs the five CLI verification checks, but it can't click "add record" or "issue cert" in a dashboard.

**Done when** every hostname resolves via `dig` to the right IP, HTTPS returns 200/301, HTTP force-redirects to HTTPS, and the cert is valid, covers the host, and auto-renews. &nbsp;·&nbsp; **⏱ ~20–40 min (+ DNS propagation)** &nbsp;·&nbsp; 🔀 mixed (👤 DNS/cert dashboards, 🤖 verification).
:::

## Background

Staging and production each need a reachable hostname and a valid certificate **before** the first deploy — Deployer flips a symlink, it doesn't issue certs. This page gets DNS and TLS green so the deploy lands on a working HTTPS origin.

## Steps

### 1. Plan the subdomain map

Decide the hostnames up front so DNS, certs, and your app's `APP_URL` all agree.

| Environment | Example host | Points to |
|---|---|---|
| Staging | `staging.example.com` | Staging server IP (or Cloudflare proxy) |
| Production | `app.example.com` / `example.com` | Production server IP |
| Apex redirect | `example.com → www` (or vice-versa) | Pick one canonical, 301 the other |

Keep apex vs `www` decisions consistent with `APP_URL` in **[3 · Production .env](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/03-production-env/)**. A mismatch breaks absolute URLs, signed routes, and cookie domains.

### 2. Add the DNS records

Create one record per host at your DNS provider (or Cloudflare — see **[6 · Cloudflare CDN](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/06-cloudflare-cdn/)**).

:::note[Who does this]
👤 **User** adds each DNS record in the DNS provider's dashboard — an agent can't click "add record."
:::

| Type | Name | Value | Notes |
|---|---|---|---|
| `A` | `staging` | `<server IPv4>` | Apex/subdomain → IP |
| `AAAA` | `staging` | `<server IPv6>` | Only if the server has IPv6 |
| `CNAME` | `www` | `example.com` | Alias one name to the canonical |

:::caution[Propagation is not instant]
DNS changes can take minutes to hours. Verify with `dig` (below) rather than a browser, which caches aggressively. Lower the TTL before a planned cutover.
:::

### 3. Provision the SSL/TLS certificate

Use your host's automated Let's Encrypt integration (cPanel AutoSSL, Forge, Ploi, or `certbot`). One cert per hostname, or a wildcard if your panel supports DNS-01.

:::note[Who does this]
👤 **User** issues the certificate in the hosting panel (AutoSSL / Forge / Ploi) — a dashboard action an agent can't perform.
:::

- Issue for **every** hostname that serves traffic, including `www`.
- Enable **auto-renewal** — Let's Encrypt certs expire every 90 days.
- Force **HTTP → HTTPS** at the web server (or via Cloudflare "Always Use HTTPS").

### 4. Verify with five CLI checks

Don't trust the browser — run these and read the output.

<Steps>

1. **Run the five-check verification pass.**

   ```bash
   # 1) DNS resolves to the expected IP
   dig +short staging.example.com

   # 2) HTTPS responds (expect HTTP/2 200 or 301/302 to the canonical host)
   curl -sI https://staging.example.com | head -1

   # 3) HTTP redirects to HTTPS (expect 301/308 with a https:// Location)
   curl -sI http://staging.example.com | grep -iE 'HTTP/|location'

   # 4) Behind Cloudflare? Confirm the proxy is in front
   curl -sI https://staging.example.com | grep -i 'cf-ray' && echo "proxied" || echo "direct"

   # 5) Certificate is valid and covers the host
   echo | openssl s_client -connect staging.example.com:443 -servername staging.example.com 2>/dev/null \
     | openssl x509 -noout -subject -issuer -dates
   # Expected: dig returns your IP, HEAD is 200/301, HTTP redirects to HTTPS, and the cert notAfter is in the future with subject matching the host
   ```

   - ✅ `dig` returns your IP, the HEAD request is `200`/`301`, HTTP redirects to HTTPS, and the cert's `notAfter` date is in the future and `subject` matches the host.

</Steps>

### Troubleshooting

| Symptom | Cause | Fix |
|---|---|---|
| `dig` returns nothing / wrong IP | Record missing or not propagated | Re-check the record; wait for TTL |
| `curl` cert error | Cert not issued / wrong host | Re-run AutoSSL; ensure host is in the cert SAN |
| Redirect loop | Cloudflare SSL mode `Flexible` + origin forcing HTTPS | Set Cloudflare SSL to **Full (Strict)** (see page 6) |
| `NET::ERR_CERT_COMMON_NAME_INVALID` | Cert doesn't list this host | Reissue covering all hostnames |

## Checklist

Do not mark this step done until **every** box below is checked.

- [ ] **🤖 Hostnames resolve** — every environment hostname resolves via `dig` to the correct IP.
- [ ] **🤖 HTTPS + redirect** — HTTPS returns 200/301 and HTTP force-redirects to HTTPS.
- [ ] **👤 Cert valid + auto-renew** — certificate is valid, covers the host, and auto-renewal is on.
- [ ] **🔀 Canonical matches `APP_URL`** — apex vs `www` decision matches the planned `APP_URL`.

:::next[Next step]
[Production .env](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/03-production-env/)
:::

TL;DR

Objective — give staging and production each a reachable hostname and a valid certificate before the first deploy (Deployer flips a symlink, it doesn’t issue certs), so the deploy lands on a working HTTPS origin.

Background

Staging and production each need a reachable hostname and a valid certificate before the first deploy — Deployer flips a symlink, it doesn’t issue certs. This page gets DNS and TLS green so the deploy lands on a working HTTPS origin.

Steps

1. Plan the subdomain map

Decide the hostnames up front so DNS, certs, and your app’s APP_URL all agree.

Environment	Example host	Points to
Staging	`staging.example.com`	Staging server IP (or Cloudflare proxy)
Production	`app.example.com` / `example.com`	Production server IP
Apex redirect	`example.com → www` (or vice-versa)	Pick one canonical, 301 the other

Keep apex vs www decisions consistent with APP_URL in 3 · Production .env. A mismatch breaks absolute URLs, signed routes, and cookie domains.

2. Add the DNS records

Create one record per host at your DNS provider (or Cloudflare — see 6 · Cloudflare CDN).

Type	Name	Value	Notes
`A`	`staging`	`<server IPv4>`	Apex/subdomain → IP
`AAAA`	`staging`	`<server IPv6>`	Only if the server has IPv6
`CNAME`	`www`	`example.com`	Alias one name to the canonical

3. Provision the SSL/TLS certificate

Use your host’s automated Let’s Encrypt integration (cPanel AutoSSL, Forge, Ploi, or certbot). One cert per hostname, or a wildcard if your panel supports DNS-01.

Issue for every hostname that serves traffic, including www.
Enable auto-renewal — Let’s Encrypt certs expire every 90 days.
Force HTTP → HTTPS at the web server (or via Cloudflare “Always Use HTTPS”).

4. Verify with five CLI checks

Don’t trust the browser — run these and read the output.

Run the five-check verification pass.

# 1) DNS resolves to the expected IP
dig +short staging.example.com

# 2) HTTPS responds (expect HTTP/2 200 or 301/302 to the canonical host)
curl -sI https://staging.example.com | head -1

# 3) HTTP redirects to HTTPS (expect 301/308 with a https:// Location)
curl -sI http://staging.example.com | grep -iE 'HTTP/|location'

# 4) Behind Cloudflare? Confirm the proxy is in front
curl -sI https://staging.example.com | grep -i 'cf-ray' && echo "proxied" || echo "direct"

# 5) Certificate is valid and covers the host
echo | openssl s_client -connect staging.example.com:443 -servername staging.example.com 2>/dev/null \
  | openssl x509 -noout -subject -issuer -dates
# Expected: dig returns your IP, HEAD is 200/301, HTTP redirects to HTTPS, and the cert notAfter is in the future with subject matching the host

✅ dig returns your IP, the HEAD request is 200/301, HTTP redirects to HTTPS, and the cert’s notAfter date is in the future and subject matches the host.

Troubleshooting

Symptom	Cause	Fix
`dig` returns nothing / wrong IP	Record missing or not propagated	Re-check the record; wait for TTL
`curl` cert error	Cert not issued / wrong host	Re-run AutoSSL; ensure host is in the cert SAN
Redirect loop	Cloudflare SSL mode `Flexible` + origin forcing HTTPS	Set Cloudflare SSL to Full (Strict) (see page 6)
`NET::ERR_CERT_COMMON_NAME_INVALID`	Cert doesn’t list this host	Reissue covering all hostnames

Checklist

Do not mark this step done until every box below is checked.

🤖 Hostnames resolve — every environment hostname resolves via dig to the correct IP.
🤖 HTTPS + redirect — HTTPS returns 200/301 and HTTP force-redirects to HTTPS.
👤 Cert valid + auto-renew — certificate is valid, covers the host, and auto-renewal is on.
🔀 Canonical matches APP_URL — apex vs www decision matches the planned APP_URL.

Production .env

# ZajLibrary — implementation playbook

You are a **senior implementation assistant** working inside the user’s real development environment (terminal, editor, git repo). You are **not** a documentation writer, tutor, or library editor.

**Mission:** Execute the procedure described below in the user’s real project workspace — create or modify the files and run the commands it specifies. Do not just summarize it.

## Metadata
- title: 2 · Subdomains + SSL
- url: https://library.zajapps.com/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/02-subdomains-ssl/
- shelf: Build & Create
- doc_type: implementation playbook
- status: current
- kind: playbook
- category: tech-stack
- subcategory: laravel
- topic: codecanyon
- phase: 4
- step_number: 2
- est_time: ~20–40 min (+ DNS propagation)
- description: Plan the subdomain map, add A/CNAME records, provision SSL/TLS certificates, force HTTP→HTTPS, and confirm everything with a five-check CLI verification (dig, HEAD, redirect, proxy, cert details).
- tags: codecanyon, dns, ssl, tls

## Execution rules (binding)
- This is step 2 of phase 4 (~20–40 min (+ DNS propagation)) — do only this step, then stop at its `## Checklist`.
- Follow `## Steps` in order. Do not skip steps or declare the work complete early.
- Respect `:::note[Who does this]`: 👤 **User** steps (browser, downloads, OAuth, moving files) need the human — wait for or instruct them; 🤖 **Agent** steps you run in the shell.
- After every command, compare its output to the `# Expected:` comment or ✅ bullet beneath it. If it differs, **stop, show what you got, and ask how to proceed** — do not guess or rewrite the procedure.
- Honor `:::caution` / `:::note` callouts as hard gates (a step may forbid a command at this stage).
- Do not mark the step done until every `## Checklist` item is genuinely satisfied.
- Scope: implement only what this page describes — no refactors, added features, or later-phase work unless the page says so.
- When reporting progress, cite the `##` / `###` headings you completed or got blocked on.
- Secrets: never put API keys, passwords, or `.env` values in frontend code, commits, or chat logs — use server-side `.env` / config only, and keep `.env` gitignored.

---

# 2 · Subdomains + SSL

## TL;DR

**Objective** — give staging and production each a reachable hostname and a valid certificate **before** the first deploy (Deployer flips a symlink, it doesn't issue certs), so the deploy lands on a working HTTPS origin.

:::note[User part + done-when]
**👤 User part** — the DNS records and certificate provisioning happen in your DNS provider / hosting panel: a person adds the A/CNAME records and enables the host's AutoSSL. An agent plans the hostnames and runs the five CLI verification checks, but it can't click "add record" or "issue cert" in a dashboard.

**Done when** every hostname resolves via `dig` to the right IP, HTTPS returns 200/301, HTTP force-redirects to HTTPS, and the cert is valid, covers the host, and auto-renews. &nbsp;·&nbsp; **⏱ ~20–40 min (+ DNS propagation)** &nbsp;·&nbsp; 🔀 mixed (👤 DNS/cert dashboards, 🤖 verification).
:::

## Background

Staging and production each need a reachable hostname and a valid certificate **before** the first deploy — Deployer flips a symlink, it doesn't issue certs. This page gets DNS and TLS green so the deploy lands on a working HTTPS origin.

## Steps

### 1. Plan the subdomain map

Decide the hostnames up front so DNS, certs, and your app's `APP_URL` all agree.

| Environment | Example host | Points to |
|---|---|---|
| Staging | `staging.example.com` | Staging server IP (or Cloudflare proxy) |
| Production | `app.example.com` / `example.com` | Production server IP |
| Apex redirect | `example.com → www` (or vice-versa) | Pick one canonical, 301 the other |

Keep apex vs `www` decisions consistent with `APP_URL` in **[3 · Production .env](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/03-production-env/)**. A mismatch breaks absolute URLs, signed routes, and cookie domains.

### 2. Add the DNS records

Create one record per host at your DNS provider (or Cloudflare — see **[6 · Cloudflare CDN](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/06-cloudflare-cdn/)**).

:::note[Who does this]
👤 **User** adds each DNS record in the DNS provider's dashboard — an agent can't click "add record."
:::

| Type | Name | Value | Notes |
|---|---|---|---|
| `A` | `staging` | `<server IPv4>` | Apex/subdomain → IP |
| `AAAA` | `staging` | `<server IPv6>` | Only if the server has IPv6 |
| `CNAME` | `www` | `example.com` | Alias one name to the canonical |

:::caution[Propagation is not instant]
DNS changes can take minutes to hours. Verify with `dig` (below) rather than a browser, which caches aggressively. Lower the TTL before a planned cutover.
:::

### 3. Provision the SSL/TLS certificate

Use your host's automated Let's Encrypt integration (cPanel AutoSSL, Forge, Ploi, or `certbot`). One cert per hostname, or a wildcard if your panel supports DNS-01.

:::note[Who does this]
👤 **User** issues the certificate in the hosting panel (AutoSSL / Forge / Ploi) — a dashboard action an agent can't perform.
:::

- Issue for **every** hostname that serves traffic, including `www`.
- Enable **auto-renewal** — Let's Encrypt certs expire every 90 days.
- Force **HTTP → HTTPS** at the web server (or via Cloudflare "Always Use HTTPS").

### 4. Verify with five CLI checks

Don't trust the browser — run these and read the output.

<Steps>

1. **Run the five-check verification pass.**

   ```bash
   # 1) DNS resolves to the expected IP
   dig +short staging.example.com

   # 2) HTTPS responds (expect HTTP/2 200 or 301/302 to the canonical host)
   curl -sI https://staging.example.com | head -1

   # 3) HTTP redirects to HTTPS (expect 301/308 with a https:// Location)
   curl -sI http://staging.example.com | grep -iE 'HTTP/|location'

   # 4) Behind Cloudflare? Confirm the proxy is in front
   curl -sI https://staging.example.com | grep -i 'cf-ray' && echo "proxied" || echo "direct"

   # 5) Certificate is valid and covers the host
   echo | openssl s_client -connect staging.example.com:443 -servername staging.example.com 2>/dev/null \
     | openssl x509 -noout -subject -issuer -dates
   # Expected: dig returns your IP, HEAD is 200/301, HTTP redirects to HTTPS, and the cert notAfter is in the future with subject matching the host
   ```

   - ✅ `dig` returns your IP, the HEAD request is `200`/`301`, HTTP redirects to HTTPS, and the cert's `notAfter` date is in the future and `subject` matches the host.

</Steps>

### Troubleshooting

| Symptom | Cause | Fix |
|---|---|---|
| `dig` returns nothing / wrong IP | Record missing or not propagated | Re-check the record; wait for TTL |
| `curl` cert error | Cert not issued / wrong host | Re-run AutoSSL; ensure host is in the cert SAN |
| Redirect loop | Cloudflare SSL mode `Flexible` + origin forcing HTTPS | Set Cloudflare SSL to **Full (Strict)** (see page 6) |
| `NET::ERR_CERT_COMMON_NAME_INVALID` | Cert doesn't list this host | Reissue covering all hostnames |

## Checklist

Do not mark this step done until **every** box below is checked.

- [ ] **🤖 Hostnames resolve** — every environment hostname resolves via `dig` to the correct IP.
- [ ] **🤖 HTTPS + redirect** — HTTPS returns 200/301 and HTTP force-redirects to HTTPS.
- [ ] **👤 Cert valid + auto-renew** — certificate is valid, covers the host, and auto-renewal is on.
- [ ] **🔀 Canonical matches `APP_URL`** — apex vs `www` decision matches the planned `APP_URL`.

:::next[Next step]
[Production .env](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/03-production-env/)
:::

# 2 · Subdomains + SSL

> Source: https://library.zajapps.com/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/02-subdomains-ssl/

## TL;DR

**Objective** — give staging and production each a reachable hostname and a valid certificate **before** the first deploy (Deployer flips a symlink, it doesn't issue certs), so the deploy lands on a working HTTPS origin.

:::note[User part + done-when]
**👤 User part** — the DNS records and certificate provisioning happen in your DNS provider / hosting panel: a person adds the A/CNAME records and enables the host's AutoSSL. An agent plans the hostnames and runs the five CLI verification checks, but it can't click "add record" or "issue cert" in a dashboard.

**Done when** every hostname resolves via `dig` to the right IP, HTTPS returns 200/301, HTTP force-redirects to HTTPS, and the cert is valid, covers the host, and auto-renews. &nbsp;·&nbsp; **⏱ ~20–40 min (+ DNS propagation)** &nbsp;·&nbsp; 🔀 mixed (👤 DNS/cert dashboards, 🤖 verification).
:::

## Background

Staging and production each need a reachable hostname and a valid certificate **before** the first deploy — Deployer flips a symlink, it doesn't issue certs. This page gets DNS and TLS green so the deploy lands on a working HTTPS origin.

## Steps

### 1. Plan the subdomain map

Decide the hostnames up front so DNS, certs, and your app's `APP_URL` all agree.

| Environment | Example host | Points to |
|---|---|---|
| Staging | `staging.example.com` | Staging server IP (or Cloudflare proxy) |
| Production | `app.example.com` / `example.com` | Production server IP |
| Apex redirect | `example.com → www` (or vice-versa) | Pick one canonical, 301 the other |

Keep apex vs `www` decisions consistent with `APP_URL` in **[3 · Production .env](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/03-production-env/)**. A mismatch breaks absolute URLs, signed routes, and cookie domains.

### 2. Add the DNS records

Create one record per host at your DNS provider (or Cloudflare — see **[6 · Cloudflare CDN](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/06-cloudflare-cdn/)**).

:::note[Who does this]
👤 **User** adds each DNS record in the DNS provider's dashboard — an agent can't click "add record."
:::

| Type | Name | Value | Notes |
|---|---|---|---|
| `A` | `staging` | `<server IPv4>` | Apex/subdomain → IP |
| `AAAA` | `staging` | `<server IPv6>` | Only if the server has IPv6 |
| `CNAME` | `www` | `example.com` | Alias one name to the canonical |

:::caution[Propagation is not instant]
DNS changes can take minutes to hours. Verify with `dig` (below) rather than a browser, which caches aggressively. Lower the TTL before a planned cutover.
:::

### 3. Provision the SSL/TLS certificate

Use your host's automated Let's Encrypt integration (cPanel AutoSSL, Forge, Ploi, or `certbot`). One cert per hostname, or a wildcard if your panel supports DNS-01.

:::note[Who does this]
👤 **User** issues the certificate in the hosting panel (AutoSSL / Forge / Ploi) — a dashboard action an agent can't perform.
:::

- Issue for **every** hostname that serves traffic, including `www`.
- Enable **auto-renewal** — Let's Encrypt certs expire every 90 days.
- Force **HTTP → HTTPS** at the web server (or via Cloudflare "Always Use HTTPS").

### 4. Verify with five CLI checks

Don't trust the browser — run these and read the output.

<Steps>

1. **Run the five-check verification pass.**

   ```bash
   # 1) DNS resolves to the expected IP
   dig +short staging.example.com

   # 2) HTTPS responds (expect HTTP/2 200 or 301/302 to the canonical host)
   curl -sI https://staging.example.com | head -1

   # 3) HTTP redirects to HTTPS (expect 301/308 with a https:// Location)
   curl -sI http://staging.example.com | grep -iE 'HTTP/|location'

   # 4) Behind Cloudflare? Confirm the proxy is in front
   curl -sI https://staging.example.com | grep -i 'cf-ray' && echo "proxied" || echo "direct"

   # 5) Certificate is valid and covers the host
   echo | openssl s_client -connect staging.example.com:443 -servername staging.example.com 2>/dev/null \
     | openssl x509 -noout -subject -issuer -dates
   # Expected: dig returns your IP, HEAD is 200/301, HTTP redirects to HTTPS, and the cert notAfter is in the future with subject matching the host
   ```

   - ✅ `dig` returns your IP, the HEAD request is `200`/`301`, HTTP redirects to HTTPS, and the cert's `notAfter` date is in the future and `subject` matches the host.

</Steps>

### Troubleshooting

| Symptom | Cause | Fix |
|---|---|---|
| `dig` returns nothing / wrong IP | Record missing or not propagated | Re-check the record; wait for TTL |
| `curl` cert error | Cert not issued / wrong host | Re-run AutoSSL; ensure host is in the cert SAN |
| Redirect loop | Cloudflare SSL mode `Flexible` + origin forcing HTTPS | Set Cloudflare SSL to **Full (Strict)** (see page 6) |
| `NET::ERR_CERT_COMMON_NAME_INVALID` | Cert doesn't list this host | Reissue covering all hostnames |

## Checklist

Do not mark this step done until **every** box below is checked.

- [ ] **🤖 Hostnames resolve** — every environment hostname resolves via `dig` to the correct IP.
- [ ] **🤖 HTTPS + redirect** — HTTPS returns 200/301 and HTTP force-redirects to HTTPS.
- [ ] **👤 Cert valid + auto-renew** — certificate is valid, covers the host, and auto-renewal is on.
- [ ] **🔀 Canonical matches `APP_URL`** — apex vs `www` decision matches the planned `APP_URL`.

:::next[Next step]
[Production .env](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/03-production-env/)
:::