Include SNI extension for custom domains using Salesforce Cloud option with Salesforce Edge Network

Publication date: Jul 12, 2024
Description

Customers who use the "Salesforce serves the domain over HTTPS on Salesforce’s servers using your HTTPS certificate" option for their Salesforce Experience Sites or Salesforce Sites are actively being migrated from a legacy infrastructure to Salesforce Edge Network.

To provide the correct certificate for incoming custom domain requests, Salesforce Edge Network requires web browsers and API clients to include the Server Name Indication (SNI) extension in the TLS ClientHello message when requesting custom domains. 

For most Salesforce customers, certificate handling is transparent. Modern web browsers consistently include SNI in their TLS ClientHello messages as a part of the TLS handshake with Salesforce Edge Network. In the absence of SNI, however, Salesforce Edge Network returns a default certificate that supports all .my.salesforce.com and .sandbox.my.salesforce.com hostnames. This may cause users to experience TLS handshake errors if:
  • An API client tries accessing a custom domain hostname without setting SNI. This can occur because the default certificate returned by Salesforce Edge Network doesn’t include the custom domain hostname.
  • A customer is using Salesforce Experience Sites or Salesforce Sites with a custom domain served by the customer’s own content delivery network (CDN), which then forwards the request to Salesforce Edge Network. In this case, the CDN either doesn’t support SNI or doesn’t send the originally requested custom domain hostname through SNI.
In both situations, Salesforce returns an HTTPS certificate that doesn’t cover the custom domain that the API client or the CDN was expecting, resulting in an HTTPS certificate hostname mismatch error.

This article explains how to identify and resolve these use cases.

Symptoms

Users or API clients suddenly start receiving an error or exception in the TLS handshake. For example, an API client or third-party CDN reports an "SSLHandshakeException" after sending a request to a Salesforce custom domain that uses the "Salesforce serves the domain over HTTPS on Salesforce’s servers using your HTTPS certificate" option.

Solution

First, confirm whether requests for the custom domain are going to Salesforce Edge Network. Open a command prompt and run one of the following commands, where [YourFQDN] is the name of your custom domain and [Your18charOrgId] is your unique 18-character org ID, shown at the top of the Add Domain page:

Mac:
dig +short [YourFQDN]
or
dig +short [YourFQDN].[Your18charOrgId].live.siteforce.com

Windows:
nslookup [YourFQDN]
or
nslookup [YourFQDN].[Your18charOrgId].live.siteforce.com

If Salesforce Edge Network has been enabled for the custom domain, the output contains references to "edge" or "edge2". If this is the case, and SNI is in fact being sent, the issue is likely caused by something else. Contact Salesforce Support to open a case.
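To see for yourself which certificate a server presents with and without SNI, and whether its subject alternative names cover the hostname you asked for, the following Python script is an added example and not part of this article. The SAN list used in its comments is constructed to mirror the default certificate the article describes; wildcard matching follows the one-label rule browsers apply, and only the `check` function touches the network.

```python
import socket
import ssl
import sys


def hostname_covered(sans, hostname):
    """Return True if one of the certificate's DNS SANs covers hostname.

    A leading "*." matches exactly one label (RFC 6125), so a constructed
    SAN list ["*.my.salesforce.com", "*.sandbox.my.salesforce.com"] covers
    "acme.my.salesforce.com" but not "www.acme.my.salesforce.com" and not a
    custom domain such as "www.example-custom-domain.com".
    """
    host = hostname.lower().rstrip(".")
    for san in sans:
        san = san.lower()
        if san.startswith("*."):
            suffix = san[1:]                      # e.g. ".my.salesforce.com"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:      # exactly one extra label
                return True
        elif san == host:
            return True
    return False


def dns_sans(cert):
    """Extract the DNS names from the dict returned by SSLSocket.getpeercert()."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def fetch_cert(hostname, port=443, send_sni=True):
    """Complete a TLS handshake and return the leaf certificate presented.

    The chain is still validated, but hostname checking is turned off so a
    mismatched certificate is returned for inspection instead of raising.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                    # name comparison is done by us
    with socket.create_connection((hostname, port), timeout=10) as sock:
        sni = hostname if send_sni else None      # None: no SNI extension sent
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert()


def check(hostname):
    """Report whether the served certificate covers hostname with and without SNI."""
    results = {}
    for label, sni in (("with SNI", True), ("without SNI", False)):
        sans = dns_sans(fetch_cert(hostname, send_sni=sni))
        results[label] = hostname_covered(sans, hostname)
        print(f"{label}: covers {hostname}? {results[label]}  SANs: {sans[:3]} ...")
    return results


if __name__ == "__main__":
    check(sys.argv[1] if len(sys.argv) > 1 else "www.example.com")
```

Run it with your custom domain as the argument; a result of True with SNI and False without reproduces the symptom the article describes, and points at a client or CDN that is omitting SNI.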

The solution varies depending on the error’s location:

Error during an API Call

Resolution: Modify the API client so that it includes SNI in its TLS ClientHello message.

Error Between a Third-Party CDN and Salesforce Edge Network

Some Salesforce Experience Sites use custom domains served by a third-party CDN that forwards requests to Salesforce servers hosting the custom domains’ actual certificates. The error occurs between the CDN and Salesforce Edge Network when a user attempts to visit the site.

Resolution: If the CDN’s default error page doesn’t mention the TLS error, check the CDN’s error log. Otherwise, configure the CDN to include SNI when making a call to Salesforce Edge Network.

Salesforce also provides the option to configure your CDN to talk directly to the origin. Consider enabling the "A non-Salesforce host or service serves this domain over HTTPS" option to serve your custom domain instead of forwarding requests to Salesforce Edge Network.
 
Knowledge article number

000389364

Salesforce Help | Article