I am currently working on an ISV project which helps Salesforce customers with the issuance and renewal of CA-signed certificates, be it with Let's Encrypt or any ACME-compliant CA.
The standard flow for issuing a CA-signed certificate is as follows:
- Create a certificate in your org
- Download CSR
- Send it somehow to your CA
- Upload certificate
- Repeat each year or have your users complain about a red padlock
On other platforms, this is usually solved by Certbot (or any ACME client). No such luck on Salesforce, and I aim to fill that gap.
The ACME protocol requires verification of the CA customer's ownership of a certificate identifier (aka domain).
One of the methods is checking the content of a given file hosted on a server serving said domain.
While developing the product, I would like to simulate the actions a customer would take, i.e. putting that file in their Experience Cloud site as a static resource with the proper redirect, so the problem can be solved.
However, within a scratch org, when I attempt to create a custom domain, like any customer would do in their production org, I encounter the following error:
Custom domains aren't allowed in scratch orgs, so you can't add [a domain I own]
Is there any scratch org feature or setting that may enable this?
This is the scratch org definition file I currently use.
{
"orgName": "gaelmotte company",
"edition": "Enterprise",
"language": "en_US",
"features": [
"EnableSetPasswordInApi",
"Communities",
"Sites",
"DebugApex"
],
"settings": {
"CommunitiesSettings": {
"enableNetworksEnabled": true
},
"lightningExperienceSettings": {
"enableS1DesktopEnabled": true
},
"mobileSettings": {
"enableS1EncryptedStoragePref2": false
}
}
}
As a workaround, I am considering using orgShapes, but buying a licence just to define a custom domain I may use in my tests when developing the product seems a bit excessive.
Alternatively, I could simulate issuance of a certificate for the standard URL of the Experience Site (sitename.my.site.com), but I could not prove:
- The certificate works for said URL, since I could not deploy it and serve HTTPS content with it
- The whole flow, i.e. when a subscriber of my ISV product would use it for their Experience site on a custom domain.
Disclaimer:
I am aware Salesforce recommends using their CDN for Experience Sites, which solves certificate issuance and renewal.
It does not, however, solve every use case (should a customer require using their OWN CA instead of Let's Encrypt yet not OWN a CDN, or have issues with the Akamai CDN, for instance).
Thanks for your help on this one 🙂
Cheers
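The "file hosted on a server serving said domain" the question refers to is the ACME HTTP-01 challenge. The example below is added here and is not code from the question's author or their product: it shows what the file at /.well-known/acme-challenge/<token> must contain (RFC 8555 section 8.3) and how the CA side checks it, using the JWK thumbprint from RFC 7638. The account key, token and function names are constructed for illustration; the RSA fields are placeholders with the right shape, not real key material.

```python
"""HTTP-01 key authorization and validation, after RFC 8555 s8.3 and RFC 7638.

Added example, not code from the question or its author. The account key
below is a constructed placeholder, not real key material.
"""
import base64
import hashlib
import json

# JWK members that feed the thumbprint, per key type (RFC 7638 s3.2; OKP from RFC 8037).
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JWS/ACME require (RFC 7515 appendix C)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk_json(jwk: dict) -> str:
    """Required members only, keys in code-point order, no whitespace (RFC 7638 s3).

    Optional members such as alg/use/kid are deliberately left out: including them
    would change the thumbprint and the CA would reject the challenge response.
    """
    kty = jwk.get("kty")
    if kty not in _THUMBPRINT_MEMBERS:
        raise ValueError(f"unsupported or missing kty: {kty!r}")
    subset = {name: jwk[name] for name in _THUMBPRINT_MEMBERS[kty]}
    return json.dumps(subset, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 of the canonical JSON, base64url-encoded (RFC 7638 s3)."""
    digest = hashlib.sha256(canonical_jwk_json(jwk).encode("utf-8")).digest()
    return b64url(digest)


def key_authorization(token: str, account_jwk: dict) -> str:
    """token || '.' || thumbprint(accountKey): the exact bytes the file must contain."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_path(token: str) -> str:
    """Path the CA fetches over plain HTTP (port 80) on the domain being validated."""
    return f"/.well-known/acme-challenge/{token}"


def validate_http01_body(token: str, body: bytes, account_jwk: dict) -> bool:
    """The CA side: body must equal the key authorization; trailing whitespace is ignored."""
    expected = key_authorization(token, account_jwk).encode("ascii")
    return body.rstrip() == expected


# Constructed account key: the RSA fields are placeholders with the right shape, not a key.
EXAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "alg": "RS256",
    "use": "sig",
    "e": "AQAB",
    "n": "not-a-real-modulus-constructed-for-this-example",
}

if __name__ == "__main__":
    token = "c0nstructedT0kenValueForIllustration0nly"  # constructed, not issued by any CA
    print("serve at:      ", challenge_path(token))
    print("file content:  ", key_authorization(token, EXAMPLE_ACCOUNT_JWK))
```

In the Experience Cloud setup the question describes, the static resource holding the key authorization is what the redirect from the challenge path must ultimately resolve to; Let's Encrypt documents that its HTTP-01 validation follows redirects, so the file does not have to live at the literal path as long as the final response body matches.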
Best Answer
After a call with Salesforce support for the case I opened, it turns out they simply do not support this due to the short-lived nature of scratch orgs and have no plans to.
They suggested I resort to orgShapes instead.