We have a Lightning community created using Community Builder.
We are trying to mask the URL (https://unfriendlyUrl.force.com/path) with our own corporate URL (https://community.corpsite.com).
I have been following this Salesforce help documentation, as well as various posts on the Salesforce dev forum and Salesforce Stack Exchange, but have not found a definitive answer on whether this is possible or not.
Here is the official SFDC documentation:
https://help.salesforce.com/HTViewHelpDoc?id=siteforce_domains.htm&language=en_US
Some Other Links I read (Stack Exchange and Dev Forums):
Force.com site – URL masking:
https://developer.salesforce.com/forums/?id=906F00000008ls0IAA
URL masking of domain name for sites:
https://developer.salesforce.com/forums/?id=906F0000000AWevIAG
URL masking force.com-sites/sites.com
So far this is what we've done:
- We created a CNAME subdomain on our corporate website, let's call it community.corpsite.com.
- We pointed that CNAME to community.corpsite.com.OUR-18-DIGIT-ORGID.live.siteforce.com as instructed in the guide (linked above).
- We went to Site Configuration | Domains in Setup and created community.corpsite.com as a domain.
- We went to Site.com Studio, Site Configuration | Domains and made sure that the custom domain (community.corpsite.com) was listed.
- We published the site through both Site.com Studio AND Community Builder.
When I go to my browser and go to community.corpsite.com, it redirects me to https://unfriendlyUrl.force.com/path, but doesn't mask the URL. This results in our customers having a poor branding experience, since we ask them to go to community.corpsite.com but they are landing at the force.com URL.
What am I doing wrong? From what I read online in their documentation, they seem to indicate that this is possible, but I can't get it to work. Is this possible? Where do I start, what is my best place for documentation on this?
Could use some help, been struggling with this all day. Thanks for your time!
Best Answer
Alright, so based off the comment exchange we had, I'm going to recommend a little guide to the SSL Chains as they work when trying to import them on a custom domain.
So when you look at the cert chain, most of the time you will see it with its full path. The interesting thing with this is that if you already have the root certificate on your computer and try to export the chain, it will include the trusted root cert in the chain.
After battling this problem with many tools, I ended up finding that using KeyStore Explorer would make this whole process of editing the cert chain a million times easier, so I will cover using it here.
The first thing you want to do is create a new KeyStore and create it with the type of JKS. After this point, you will likely have been given, or have, a PFX of the cert chain from your cert vendor or whatever. You need to know the decryption password btw that binds the key pair. Once you have that, just import the pair into your new keystore (PS it's a PKCS #12).
From here, double click on your new import and you'll probably notice that you have the root in your chain. This is a no-no. What we want to do is actually remove this from the chain so that Salesforce can map the chain to THEIR trusted root.
So to remove the root from the chain, simply right click on the entry and select "Edit Certificate Chain" and then "Remove Certificate". This will remove the top most cert from the chain, which is exactly what we are looking to do.
If you double click on the entry now, you should see the root certificate out of the cert chain now (Hooray!)
From here, you just need to export out the pair and save it off so you can upload it to Salesforce to link with your domain. You can do this by right clicking on the entry, and selecting "Export" and then "Export Certificate Chain". Leave it with Head Only and X509.
Your end result should now be a CER file without the root certificate, that is now mapping to the hopefully trusted root certificate on your PC. As you can see below, mine binds to the DigiCert trusted root CA, which is one that Salesforce has on their end. For a list of all trusted CAs on the Salesforce side, take a peek here
This should hopefully help you or anyone else peeking at this answer out with the SSL side of a custom domain that requires HTTPS. It looks like you have everything else taken care of as far as the setup side is concerned. If you still have any problems or questions, feel free to post a comment and I can try to help out best I can!
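A scripted version of the check described in the answer above, added here as an example that is not part of the original answer: it parses a PEM chain using only the Python standard library and separates out self-issued certificates (issuer equal to subject, which is how a root normally appears) so the exported file can be checked before upload. The function names and the sample chain, built from minimal DER skeletons rather than real certificates, are assumptions made for illustration.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(cert):
    """Return the raw DER issuer and subject Names of an X.509 certificate."""
    _, pos, _ = read_tlv(cert, 0)    # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert, pos)  # tbsCertificate SEQUENCE
    fields = []
    while len(fields) < 5:  # serial, sigAlg, issuer, validity, subject
        tag, _, end = read_tlv(cert, pos)
        if tag != 0xA0:  # skip the optional [0] version field
            fields.append(cert[pos:end])
        pos = end
    return fields[2], fields[4]

def strip_roots(chain_pem):
    """Split a PEM chain into (kept, removed); removed = self-issued (issuer == subject)."""
    kept, removed = [], []
    for m in PEM_RE.finditer(chain_pem):
        issuer, subject = issuer_and_subject(base64.b64decode(m.group(1)))
        (removed if issuer == subject else kept).append(m.group(0))
    return kept, removed

# Constructed sample input: minimal DER skeletons, not real certificates.
def der(tag, body):
    return bytes([tag, len(body)]) + body  # short-form lengths only
def name(cn):
    return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))
def fake_cert(issuer, subject):
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
           + name(issuer) + der(0x30, b"") + name(subject))
    b64 = base64.b64encode(der(0x30, der(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----"

SAMPLE_CHAIN = "\n".join([fake_cert("Example Intermediate", "community.corpsite.com"),
                          fake_cert("Example Root", "Example Intermediate"),
                          fake_cert("Example Root", "Example Root")])

if __name__ == "__main__":
    print([len(part) for part in strip_roots(SAMPLE_CHAIN)])  # [kept, removed] counts
```

The comparison is on names only and does not verify any signature, so it identifies which entry to drop from the chain, not whether the remaining chain is trusted.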