Loading

SSL Certificate Renewals Fail for Subdomains of Tracker Domains

Publiceringsdatum: Apr 15, 2026
Beskrivning

This issue occurs under the following conditions:

 

1) Tracker domain is configured in Account Engagement (e.g., go.company.com)

2) The customer creates a subdomain of that tracker domain (e.g., marketing.go.company.com) for purposes outside of Account Engagement (i.e., the subdomain is not configured in Account Engagement)

3) The customer uses their own Certificate Authority to attempt to obtain or renew an SSL certificate for that subdomain.

 

Account Engagement publishes CAA (Certificate Authority Authorization) records for tracker domains to manage SSL/TLS certificate issuance, and these CAA records apply to a domain and all its subdomains. When a customer creates their own subdomain under a tracker domain that is configured in Account Engagement (e.g., subdomain.go.customercompany.com where go.customercompany.com is the tracker domain), the Account Engagement CAA record restricts which certificate authorities can issue certificates for that subdomain.

 

Impact:

  • Customers cannot obtain SSL/TLS certificates from their preferred CA for subdomains created under tracker domains

  • Existing certificates for these subdomains may fail to renew 

  • Customers cannot override the CAA record for their subdomain due to DNS limitations (for example, CAA records cannot be added to a CNAME)

 

 

 

 

Lösning

Do not create subdomains under your Account Engagement tracker domain. If you need additional domains or subdomains for other purposes, create them as separate domains or under a different parent domain that you fully control.

 

Example:

  • Correct: Tracker domain: go.customercompany.com, Separate subdomain: app.customercompany.com

  • Avoid: Tracker domain: go.customercompany.com, Subdomain of tracker: app.go.customercompany.com

Knowledge-artikelnummer

005316045

 
Laddar
Salesforce Help | Article