NET::ERR_CERT_COMMON_NAME_INVALID error on email reset using SendGrid

Question

I have a Django site which is hosted on GCP App Engine with SendGrid as email host. When resetting the password and clicking on the link in the following email, the subsequent error is thrown:

Your connection is not private
NET::ERR_CERT_COMMON_NAME_INVALID

I've looked into several potential causes (linked at the end) but haven't been able to find a solution.

password_reset_email.html (only displaying the reset_link block)

{% block reset_link %}
{{ protocol }}://{{ domain }}{% url 'password_reset_confirm' uidb64=uid token=token %}
{% endblock %}

settings.py

ALLOWED_HOSTS = ['*']
# Also tried with
#ALLOWED_HOSTS = ['*', 'website.com', 'www.website.com']

# HTTPS settings
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
SECURE_SSL_REDIRECT = True

# HSTS settings
SECURE_HSTS_SECONDS = 31536000 # 1 year
SECURE_HSTS_PRELOAD = True
SECURE_HSTS_INCLUDE_SUBDOMAINS = True

# Email backend settings (SendGrid)
EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend'
DEFAULT_FROM_EMAIL = 'some@email.com'
EMAIL_HOST = 'smtp.sendgrid.net'
EMAIL_HOST_USER = 'apikey'
EMAIL_HOST_PASSWORD = 'EMAIL_HOST_PASSWORD'
EMAIL_PORT = 587
EMAIL_USE_TLS = True

I have authenticated the domain and branded the link on SendGrid which have been verified over the DNS records on Namecheap.

When I look at the certificate in the browser it still refers to *.sendgrid.net though. Perhaps this might be causing it? I thought authentication and link branding would solve that. I've also tried emptying the cache and opening the link in a private window.

I've looked into this, this and this SO question as well.

Any help would be appreciated.

EDIT

Turns out it's related with this SO question as well.

Answer 1

Twilio SendGrid developer evangelist here.

You will need to get SSL Click Tracking turned on so that your CDN can forward SSL content onto SendGrid with a valid certificate for your domain.