For a couple of years I have had SSL on my personal domain: https://juriansluiman.nl. Now I was using subdomains to access my Google Apps: mail, calendar etc. All these subdomains are configured using Google's recommended approach with CNAMEs. This worked for ages, before and after I started using HTTPS.
A few months ago I started to add an HSTS header on my domain. Somewhere around that time, I also started noticing I couldn't access my Google pages using the subdomains any more.
Example: http://mail.juriansluiman.nl or https://mail.juriansluiman.nl
All my browsers give me a connection error. Tools like web-sniffer.net return me the message "Error while fetching URL". Does anyone know what the specific problem might be?
It has nothing to do with CNAME records per se. However:
The Google Apps services don't have valid certificates for your mail.example.com, calendar.example.com, etc. names.
Because of this, they only ever handle HTTP for such names (they just redirect to the appropriate *.google.com HTTPS URL for the relevant service).
Therefore, I'm pretty confident that your https://mail.juriansluiman.nl/ example has never worked.
http://mail.juriansluiman.nl/, however, likely used to work before you added the HSTS header.
You only appear to send HSTS headers for some requests (I assume you tried to revert the config?) but for favicon.ico you send this:
Where includeSubDomains enforces the use of HTTPS for all subdomains in addition to the name in the request for which this header was included in the response.
I'm not sure why you send two HSTS headers but browsers do appear to use the first one with includeSubDomains.
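An added example (not part of the original answer) that models the browser-side behaviour described above: per RFC 6797 only the first Strict-Transport-Security header in a response is processed, and includeSubDomains on a parent host forces HTTPS for every subdomain, including ones whose CNAME target only serves HTTP. The header values and example.com host names are constructed, and the function names are hypothetical.

```python
# Added example: simplified model of a browser's HSTS store (RFC 6797).
# Header values and host names below are constructed, not taken from the site.

def parse_sts(value):
    """Parse one Strict-Transport-Security value; None if it must be ignored."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if not name:
            continue
        if name in directives:               # a repeated directive voids the header
            return None
        directives[name] = arg.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not (max_age.isascii() and max_age.isdigit()):   # max-age is required
        return None
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in directives}

def note_response(store, host, sts_values):
    """Record the policy from an HTTPS response carrying these STS headers."""
    # RFC 6797 section 8.1: only the first STS header field is processed.
    policy = parse_sts(sts_values[0]) if sts_values else None
    if policy is None:
        return
    if policy["max_age"] == 0:               # max-age=0 removes a known host
        store.pop(host.lower(), None)
    else:
        store[host.lower()] = policy

def must_upgrade(store, host):
    """True if http://host is rewritten to https:// before any request is sent."""
    labels = host.lower().rstrip(".").split(".")
    if ".".join(labels) in store:
        return True
    # Walk the parent domains: a parent only counts with includeSubDomains.
    return any(store.get(".".join(labels[i:]), {}).get("include_subdomains")
               for i in range(1, len(labels)))

if __name__ == "__main__":
    store = {}
    note_response(store, "example.com",
                  ["max-age=31536000; includeSubDomains", "max-age=31536000"])
    print(must_upgrade(store, "mail.example.com"))
```

Swapping the order of the two constructed headers leaves mail.example.com reachable over plain HTTP, which is why the duplicate header matters when auditing a response.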