We have a SaaS product with close to 1000 vanity domains attached to it by our customers. As we have already started to migrate to Cloudflare, we want to migrate these to use SSL for SaaS.
Vanity domains work by customers adding a CNAME to our subdomain.
When using the HTTP validation method and switching the base subdomain to Cloudflare, we saw downtime for the domains for a few minutes. Since these are already in the production domain, we can't tolerate downtime for our customers.
So the option we thought of is to provision the certificate in CF using HTTP validation, verifying the token with our origin, as all calls for the vanity domains come to our origin.
This seemed to be a possible option when we tried a few domains by adding the acme-challenge token to our AWS load balancer as a static response.
But adding a token manually is not an option for us, so we thought to create the hostname using the CF API, store the challenge token in a database, and respond to the challenge request using a Lambda function attached to the load balancer for the route /.well-known/acme-challenge/* URLs.
But when we return the response from the Lambda function, it never gets verified and it gets stuck with "pending HTTP validation".
Can anyone help with this, or have a better idea for migrating the domains to CF without downtime?
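An added example of the Lambda-behind-the-load-balancer approach described in the post (this is not the poster's code). It assumes the ALB Lambda-target event/response shape, a `lookup_validation_body` function standing in for the DynamoDB read, a constructed sample store, and that the stored value is the exact body Cloudflare expects to fetch at that URL. It scopes the lookup to the requesting hostname so one customer's token is never served for another, rejects path characters outside the token alphabet, and serves the stored value as `text/plain` with surrounding whitespace stripped so the bytes on the wire match the stored value.

```python
import re

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # base64url alphabet only

# Constructed sample data standing in for the DynamoDB table:
# (hostname, token) -> validation body. The trailing newline imitates
# whitespace picked up when a value is pasted into a store.
SAMPLE_STORE = {
    ("shop.example-customer.test", "tok_abc123"): "tok_abc123.thumbprint\n",
}


def lookup_validation_body(hostname, token, store=SAMPLE_STORE):
    """Hypothetical stand-in for a DynamoDB GetItem keyed by hostname+token."""
    return store.get((hostname.lower(), token))


def _response(status, body):
    # ALB Lambda-target response shape.
    return {
        "statusCode": status,
        "statusDescription": f"{status} {'OK' if status == 200 else 'Error'}",
        "headers": {"Content-Type": "text/plain; charset=utf-8"},
        "body": body,
        "isBase64Encoded": False,
    }


def handler(event, context=None, store=SAMPLE_STORE):
    """Answer GET /.well-known/acme-challenge/<token> for the Host requested."""
    path = event.get("path", "")
    if event.get("httpMethod", "GET") != "GET" or not path.startswith(CHALLENGE_PREFIX):
        return _response(404, "not found")
    token = path[len(CHALLENGE_PREFIX):]
    if not TOKEN_RE.match(token):  # refuses '/', '.', '%' and other path junk
        return _response(400, "bad token")
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    hostname = headers.get("host", "").split(":")[0]  # drop any :port suffix
    body = lookup_validation_body(hostname, token, store)
    if body is None:
        return _response(404, "not found")
    # Serve exactly the stored value: no surrounding whitespace, no HTML wrapper.
    return _response(200, body.strip())
```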
Is there a reason why you need to use HTTP validation with your customers? Could they not use TXT record DNS validation?
With Cloudflare for SaaS (SSL for SaaS) there are two bits of validation that need to take place: validating the custom hostname, and then the validation for issuing the certificates.
Normally custom hostname validation would take place by your customer CNAME'ing to your zone, but if that is not an option then you need to do pre-validation, which is discussed above. As part of asking them to create a TXT record to pre-validate the custom hostname, you could also add the TXT record required for the certificate.
We have already asked the customers to add a few DNS entries for configuring vanity domains, and it's not feasible for us to ask them again. We wanted to do it without any issues for the customer.
Also, asking 1000 customers to update their DNS and waiting for them to get back to us is a never-ending process as well.
The first validation is working fine, as the customer's domain is pointing to a CF zone. Only the HTTP validation is failing, and sometimes it works as well.
We would like to know why it's not verifying.
We would need to look at the specifics to understand why it is not validating, if you're able to share the domain/hostname. Alternatively, if you do not feel comfortable sharing that here, you can raise a support ticket and share the ticket ID, and we will take a look.
Here is the ticket ID: #3157208. I have updated the links and all the details in it.
So far my findings:
When I directly hardcode the verification token in the Lambda function it works as expected, but when the data is retrieved from the database (DynamoDB) it is never verified. The strings are exactly the same; I put an equality check in the code and they are the exact same strings.