@sdayman and @daniel47, we have the same issue.
Here’s our setup:
Kubernetes on AWS, Cloudflare proxy enabled for the CNAME record pointing to the k8s load balancer.
SendGrid, presently, configured without Cloudflare proxy. This is their automated CNAME record, e.g. urlXXXX.domain, pointing to sendgrid.net.
Up until a couple days ago, we were unable to turn on Cloudflare’s proxy.
Now, we are able to do so - BUT this causes a separate issue which I presume is why you disabled the option in the first place (see below).
A couple of days ago, IE11 users (primarily) and mobile Chrome users started seeing “Blocked Request: Unable to verify certificate” and “ERR_CERT_COMMON_NAME_INVALID” errors when trying to connect using these links.
My feeling is that a recent change forces the non-HTTPS SendGrid links to be converted to HTTPS, which is causing the issue as SendGrid does not auto-provision a custom SSL for their customer’s domain.
Now that we can enable proxying of the CNAME record again, if we do that, the whitelabelled link verification fails on SendGrid (dig doesn’t resolve the record as sendgrid.net, even though it technically does end up there).
And that causes links in our transactional emails to fall back to sendgrid.net domain links, not our domain’s.
They say this (enabling HTTPS links on their side, and therefore provisioning a certificate) can be done “upon request to support after enabling Full SSL and the Proxy on Cloudflare” but 1) they don’t reply and 2) why would they ask that Full SSL and the Cloudflare proxy be enabled on the CNAME record?
This leaves us with:
- Either Certificate failures if we do not enable the Cloudflare proxy, or,
- Non-whitelabelled links from “our domain” if we enable the proxy.
Is there a way to set something up on Cloudflare, after enabling Full SSL and the Proxy, for the CNAME verification to succeed on SendGrid’s side?
I’m surprised that in Daniel’s case, however, initially having the proxy enabled means you would still get domain-branded links, as presumably SendGrid’s verification would fail, unless you emailed them and they enabled SSL?
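The two failure modes in the post (certificate name mismatch when the link-tracking CNAME is not proxied, and CNAME verification failing when it is) can be reproduced offline with a small model. The following is an added example, not code from the original post, Cloudflare or SendGrid; the DNS zone answers, hostnames and certificate SAN lists are constructed sample data, and the wildcard-certificate names are assumptions standing in for whatever the real edge certificates carry.

```python
"""Offline model of the link-branding dilemma described above.

Mode 1 (CNAME not proxied): the browser connects to SendGrid's host, which
serves a certificate for *.sendgrid.net, so the branded hostname does not
match and the browser reports a common-name / SAN mismatch.

Mode 2 (CNAME proxied): Cloudflare answers for the branded hostname with
its own A records (the CNAME is flattened), so a verifier looking for a
CNAME ending in sendgrid.net sees none and the whitelabel check fails.

All zone data and SAN lists below are constructed for illustration.
"""

# Constructed hostnames (placeholders, not real records).
BRANDED_HOST = "url1234.example.com"

# Zone as seen by a public resolver when the CNAME is NOT proxied.
UNPROXIED_ZONE = {
    "url1234.example.com": ("CNAME", "u1234.wl.sendgrid.net"),
    "u1234.wl.sendgrid.net": ("A", "198.51.100.10"),   # TEST-NET-2 sample IP
}

# Zone as seen when the CNAME IS proxied: Cloudflare flattens it to its edge IP.
PROXIED_ZONE = {
    "url1234.example.com": ("A", "192.0.2.1"),          # TEST-NET-1 sample IP
}

# Assumed SAN lists of the certificate each endpoint would present.
SENDGRID_CERT_SANS = ["sendgrid.net", "*.sendgrid.net"]
CLOUDFLARE_EDGE_CERT_SANS = ["example.com", "*.example.com"]


def host_matches_san(hostname: str, san: str) -> bool:
    """RFC 6125-style comparison: a wildcard may only replace the whole
    leftmost label and never spans more than one label."""
    host_labels = hostname.lower().rstrip(".").split(".")
    san_labels = san.lower().rstrip(".").split(".")
    if len(host_labels) != len(san_labels):
        return False
    if san_labels[0] == "*":
        return host_labels[1:] == san_labels[1:]
    return host_labels == san_labels


def cert_covers(hostname: str, sans: list) -> bool:
    """True if any SAN entry matches the hostname the browser connected to."""
    return any(host_matches_san(hostname, san) for san in sans)


def resolve_chain(name: str, zone: dict) -> list:
    """Follow CNAMEs in the constructed zone and return every name visited,
    in order, starting with the queried name."""
    chain = [name]
    seen = {name}
    while True:
        record = zone.get(chain[-1])
        if record is None or record[0] != "CNAME":
            return chain
        target = record[1]
        if target in seen:
            raise ValueError("CNAME loop at %s" % target)
        seen.add(target)
        chain.append(target)


def whitelabel_verification_passes(name: str, zone: dict) -> bool:
    """Model of the provider-side check: the branded name must CNAME
    (directly or via a chain) to a host under sendgrid.net."""
    chain = resolve_chain(name, zone)
    return any(n.endswith(".sendgrid.net") for n in chain[1:])


def diagnose(hostname: str, zone: dict, served_sans: list) -> dict:
    """Summarise both checks for one deployment choice."""
    return {
        "tls_name_ok": cert_covers(hostname, served_sans),
        "whitelabel_ok": whitelabel_verification_passes(hostname, zone),
    }


if __name__ == "__main__":
    print("unproxied:", diagnose(BRANDED_HOST, UNPROXIED_ZONE, SENDGRID_CERT_SANS))
    print("proxied:  ", diagnose(BRANDED_HOST, PROXIED_ZONE, CLOUDFLARE_EDGE_CERT_SANS))
```

Run stand-alone, the unproxied case reports the TLS name check failing while the whitelabel check passes, and the proxied case reports the opposite, which is exactly the either/or the post describes. The model does not cover the provider issuing its own certificate for the branded host, which is the missing piece that would make both checks pass at once.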