Custom domains, Cloudflare and Salesforce Community

We are trying to set up a Salesforce Community with a custom domain and SSL, in this case a sub-domain of our main domain managed by Cloudflare. (This community is not yet launched, hence not including the url)

Salesforce Community requires a CNAME record to point to the individual Salesforce Community instance.

We set up the CNAME record on Cloudflare for the sub-domain, and set up a Client SSL certificate based on the csr from the Salesforce Community server.

Other posts here suggest that:
“When a CNAME record is orange clouded (i.e. proxied) we basically treat it like an A record AND we obfuscate the origin and just return the IP address. As a result if you do a DNS query for CNAME with an orange clouded record you won’t see it (but an A record query will return the destination IP).
For services which are looking to validate with a specific value obfuscation = bad. So to prevent this you’ll want to make sure the record is DNS only not Proxied.”

If we proxy, the CNAME is obfuscated and Salesforce Community doesn’t work, but the SSL certificate is fine.
If we use DNS only, the Salesforce Community works, but the SSL certificate is untrusted.

Any help, steps or process would be really useful.

Many thanks.

In this scenario the requests are proxied through Cloudflare servers. The end user sees a certificate served by Cloudflare. In the next quote below, you mentioned a problem with an untrusted certificate. The state of that certificate is important here as well for the second leg of the connection - the one between Cloudflare and Salesforce.

The “encryption mode” you’ll find under “SSL/TLS” → “Overview” in the Cloudflare dashboard will affect how this connection is made. It should ideally be Full (Strict), which gives you HTTPS and strict validation of the Salesforce certificate. However, you could try Full if you are currently in the strict mode to see if that helps. Warning: not recommended, as it won’t care about the invalid certificate, but it can be used to verify the issue. If it starts working, you should get a valid certificate on the Salesforce side and enable Full (Strict).

In this scenario requests are going directly through Salesforce without passing through Cloudflare (other than for the DNS lookup). The untrusted certificate is presented by Salesforce and needs to be fixed on that side.

Note: Encryption mode is domain-wide.
