So, almost a year ago, I set up HSTS on my site and submitted it to Google's preload list. Now, I have a problem because I whitelabeled my SendGrid link tracking, which relies on a CNAME for a subdomain of my site. So, those links fail and get a NET::ERR_CERT_COMMON_NAME_INVALID error in Chrome because the SSL certificate the browser receives is from SendGrid.
Is there a way to resolve this? Chrome's preload list expects all my subdomains to be served over SSL with a cert tied to my actual domain. Is there a way to quickly get Chrome to delete that expectation for my subdomains? Or is there a way to change SendGrid settings so that I eliminate the CNAME record and my subdomain redirects to the SendGrid domain? Perhaps something else.
By the way, my subdomain has its own SSL certificate.
I'm willing to switch to a different domain for my link tracking if necessary, but then I'll need a way to rewrite the links in old customer emails.
You can use a CDN such as Fastly or CloudFlare to perform SSL termination on your SendGrid click tracking links. They will terminate SSL (which will satisfy your HSTS config) and proxy the request to SendGrid for click tracking / redirection.
There is some additional information here: https://sendgrid.com/docs/Classroom/Build/Add_Content/content_delivery_networks.html
You essentially want to configure Fastly / CloudFlare to proxy the requests, then reach out to SendGrid support to have them verify and enable "SSL click tracking" for your account. Once they confirm that everything is set up as expected, you can then update the CNAME on your subdomain to point to the CDN provider rather than to SendGrid directly.
You also have the option to set up Apache with mod_proxy to terminate SSL and proxy the requests directly to SendGrid.
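As an added illustration of the failure in the question and of why the answer's SSL-terminating proxy resolves it (this is example code, not from either poster, SendGrid, or any CDN), the following Python models the two checks a browser effectively performs: whether an HSTS policy with `includeSubDomains` forces HTTPS for the tracking subdomain, and whether the certificate it then receives actually names that host. All host names and certificate SANs below are constructed.

```python
"""Constructed model of the HSTS + certificate-name check, not a network client."""


def parse_hsts(header: str) -> dict:
    """Split a Strict-Transport-Security value into {directive: value}; flag directives map to ''."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def hsts_applies(host: str, policy_host: str, header: str) -> bool:
    """True if the policy set by policy_host (or its preload entry) forces HTTPS for host."""
    d = parse_hsts(header)
    try:
        max_age = int(d.get("max-age", "0"))
    except ValueError:
        max_age = 0
    if max_age <= 0:
        return False
    host, policy_host = host.lower(), policy_host.lower()
    if host == policy_host:
        return True
    # Subdomains are only covered when includeSubDomains is present (the preload list requires it).
    return "includesubdomains" in d and host.endswith("." + policy_host)


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style matching: a wildcard only stands in for one left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return pattern == host


def diagnose(host: str, policy_host: str, hsts_header: str, presented_names: list) -> str:
    """Classify what a browser would do for host given the HSTS policy and the served certificate's names."""
    if not hsts_applies(host, policy_host, hsts_header):
        return "http_allowed"          # no upgrade forced; a plain-HTTP CNAME target would still work
    if any(name_matches(n, host) for n in presented_names):
        return "https_ok"              # cert covers the subdomain: the proxy/CDN termination case
    return "cert_name_mismatch"        # cert is for the CNAME target instead: NET::ERR_CERT_COMMON_NAME_INVALID
```

The mismatch result is the question's situation (certificate issued for the vendor's host, not the subdomain); the `https_ok` result is what terminating TLS at a proxy or CDN that holds a certificate for the subdomain produces.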