I have created a Force.com (Salesforce) developer edition as I need to work on a PoC of an SSO API for work. I changed the domain for the developer edition to alowell-dev-ed.my.salesforce.com (-dev-ed.my.salesforce.com is added by Salesforce as it is a developer edition). I need to create the custom domain so that certs will work in Salesforce.
Part of the setup is that I need a CA-Signed cert. I have created a CA-Signed cert in Salesforce and downloaded it. But when I run:
sudo certbot certonly --csr dev_cert.csr
I get:
An unexpected error occurred:
Error creating new authz :: Policy forbids issuing for name
I imagine that it is because salesforce.com is blocked? Does that mean it is not possible to use Let's Encrypt to sign CA-Signed certs for developer editions, as they are all subdomains of my.salesforce.com?
@cpu can comment on this, but my guess is that we would need to discuss directly with Salesforce before permitting issuance for subdomains of their domain. You can see that we have never issued any certificates for subdomains of salesforce.com.
Maybe you could also ask Salesforce what their current intended solution for this is. Their IT security people are quite sophisticated, and I’m sure they recognize the importance of HTTPS support for APIs.
Also, if there’s some way that you can configure the API software to accept being accessed under a different DNS name, you can of course get a certificate for that other name and then access the API that way. But I don’t know how much flexibility you have about this on either the client or the server side.
That's correct. An entity capable of emailing from an "@salesforce.com" address would need to contact us and we could work through the process of removing the high-value block of this domain.