
Your custom domain might stop working if your domain’s CAA record doesn’t allow Let’s Encrypt to issue certificates for it.

Publish Date: Jun 2, 2023
Description

Symptoms 

If you received an email with the following text, this article provides some available solutions. 
 
It looks like the DNS Certification Authority Authorization (CAA) record for <your custom domain> doesn't contain letsencrypt.org. Salesforce CDN for Digital Experiences uses Let's Encrypt as its certificate authority for <your custom domain>. Salesforce periodically removes custom domains that don't contain letsencrypt.org in their CAA records from the CDN for Digital Experiences. If Salesforce removes your custom domain from the CDN, you can reselect the domain HTTPS option through the Domains page in Setup after you update your CAA record.

Cause

There are two possible causes:
  1. Your domain contains a CAA record in DNS that doesn’t allow Let’s Encrypt.
  2. Your domain has Let’s Encrypt as a CAA record in DNS, but it also has a CNAME record. Although some DNS vendors allow this configuration, the RFC standards don’t support it. Because this configuration is non-standard, DNS resolvers around the world return different results when queried for the CAA record, which causes inconsistencies.
In both instances, the Salesforce server generates the email you received.

Resolution

There are three options, using help.demo.com as an example custom domain: 
  1. Add Let’s Encrypt as a CAA record to your domain. (demo.com)
  2. Remove the CAA records from your domain. (demo.com will have no CAA record)
  3. If the previous options are not feasible, use an ALIAS record instead of a CNAME record and add the CAA record to it. (help.demo.com will use an ALIAS record instead of a CNAME record, and will also contain the CAA record letsencrypt.org.)
    Note: You must have a DNS vendor that can support this scenario.
If you don’t take any action, your domain might stop working. 
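
The two causes and the three options above can be checked mechanically against a zone's records. The following Python check is an added example, not Salesforce code; the zone contents, the CA name ca.example and the target cdn.example.net are constructed, and it evaluates only your own zone without following CNAME targets.

```python
TARGET = "cdn.example.net."          # hypothetical CNAME/ALIAS target
OTHER = '0 issue "ca.example"'       # constructed CAA record for some other CA
LE = '0 issue "letsencrypt.org"'

def parse_caa(rdata):
    """Split '0 issue "letsencrypt.org; x=y"' into (tag, issuer-domain)."""
    _flags, tag, value = rdata.split(None, 2)
    issuer = value.strip().strip('"').split(";", 1)[0].strip()
    return tag.lower(), issuer.lower()

def caa_verdict(fqdn, zone, ca="letsencrypt.org"):
    """Return 'allowed', 'blocked' or 'conflict' for a non-wildcard certificate.

    Climbs from fqdn toward the root and uses the first name that has
    CAA records. Simplification: CNAME targets are not followed.
    """
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrsets = zone.get(name, {})
        caa = rrsets.get("CAA", [])
        if caa and "CNAME" in rrsets:
            return "conflict"   # cause 2: CAA next to a CNAME, resolvers disagree
        if caa:
            issuers = [d for t, d in map(parse_caa, caa) if t == "issue"]
            # Only 'issue' restricts non-wildcard issuance; none means no restriction
            if not issuers or ca in issuers:
                return "allowed"
            return "blocked"    # cause 1: CAA present but Let's Encrypt missing
    return "allowed"            # no CAA anywhere: any CA may issue

# Constructed zones, one per cause and option in the article
SCENARIOS = {
    "cause 1": {"demo.com": {"CAA": [OTHER]}, "help.demo.com": {"CNAME": [TARGET]}},
    "cause 2": {"demo.com": {"CAA": [OTHER]},
                "help.demo.com": {"CNAME": [TARGET], "CAA": [LE]}},
    "option 1": {"demo.com": {"CAA": [OTHER, LE]}, "help.demo.com": {"CNAME": [TARGET]}},
    "option 2": {"demo.com": {}, "help.demo.com": {"CNAME": [TARGET]}},
    "option 3": {"demo.com": {"CAA": [OTHER]},
                 "help.demo.com": {"ALIAS": [TARGET], "CAA": [LE]}},
}

if __name__ == "__main__":
    for label, zone in SCENARIOS.items():
        print(f"{label}: {caa_verdict('help.demo.com', zone)}")
```

To run it against a live domain, fill the zone dictionary from your DNS provider's record export or from `dig CAA` and `dig CNAME` output for each name in the chain.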
 

Additional information

Prerequisites for the Salesforce CDN
Let’s Encrypt
Knowledge Article Number

000395604

 
Salesforce Help | Article