SSL for SaaS if users are already on Cloudflare?
We're trying to automate the flow for our customers to connect their own domain name to our platform, for which we use "SSL for SaaS" with Cloudflare.
Following this article: https://blog.cloudflare.com/introducing-ssl-for-saas/ we use the dig command ($ dig CNAME +short support.yourcustomer.site) to verify that our users have correctly added the CNAME.
The problem we're facing is that if our users are already using Cloudflare, this command returns nothing. We also cannot scan their DNS as CF converts CNAMEs to CF's own IPs, so we're struggling to figure out how to verify the DNS has been set up correctly before we make a request to the CF API to generate an SSL for them.
Any suggestions for this?
13 Replies
> The problem we're facing is that if our users are already using Cloudflare, this command returns nothing. We also cannot scan their DNS as CF converts CNAMEs to CF's own IPs,

Gitbook and others "solve" this by telling anyone using Cloudflare to make the records DNS-only.
> so we're struggling to figure out how to verify the DNS has been set up correctly before we make a request to the CF API to generate an SSL for them.

Hmm, when you add the Custom Hostname, it should continuously retry. If you're using HTTP Validation, the Custom Hostname details will give you an ownership_verification_http object containing the http_url it's checking for. You could manually fetch that and see if it's working/returning the right response as well, potentially.
Not sure this is as big an issue as you may think; if it succeeds it'll work, otherwise it'll be stuck pending and you can inform your users of steps to take to fix it, etc.
You should still be able to query if anything (CNAME, AAAA/A records) exists on the hostname at all, even if it is on CF. So you could ensure they added something.

well usually if they're already using CF, it will already be "active"
so yes it will return "something"
but that doesn't mean they added the DNS to point at our zone
Telling your users to make the record dns-only also solves a few potential issues with their cf setup, forcing ssl, etc
thanks, that's helpful, we'll add that too
Talking about DNS Queries? If you tell them to add a subdomain like yourproduct.example.com, and you query for yourproduct.example.com, unless they added a wildcard record or specifically a record there, DNS would return NOERROR with no A records/CNAMEs.
It gets more complex if your product is the type to take over the root domain, they'd probably already have something there..

yeah often our users want to use their root domain
but sometimes it's a subdomain
we were just hoping there was a way we could verify that the (sub)domain they provide us is correctly pointing at our CNAME, even if they were already using CF
but it sounds like there isn't
which is fine, we'll just go with what you suggested (just try it and see)
Add the custom hostname, if it works, it is, if not, it's not, pretty much it. Anything else would cause a way for people to figure out what proxied records/CNAMEs are pointing at (which isn't something Cloudflare would want)
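As an added example (not code from the thread or from Cloudflare), a small Python helper that turns the checks discussed above into a classification of a customer's current DNS answer: a dig-style CNAME to your target, an empty NOERROR answer meaning nothing was added, or A/AAAA records inside proxy ranges, where the real target is hidden and adding the custom hostname and watching its status is the only check left. SAAS_CNAME_TARGET, the PROXY_RANGES values and the sample answers are constructed for this example.

```python
import ipaddress
import socket

# Constructed placeholder: the CNAME target you hand customers.
SAAS_CNAME_TARGET = "customers.example-saas.com"
# Constructed sample of proxy ranges; use the list Cloudflare publishes.
PROXY_RANGES = [ipaddress.ip_network("104.16.0.0/13"),
                ipaddress.ip_network("172.64.0.0/13"),
                ipaddress.ip_network("2606:4700::/32")]


def _norm(name):
    return name.rstrip(".").lower()   # ignore trailing dot and case


def _is_proxy_ip(addr):
    return any(ipaddress.ip_address(addr) in net for net in PROXY_RANGES)


def classify(cnames, addresses):
    """Classify what the customer's DNS currently says about the hostname.

    cnames:    CNAME targets returned for the name (dig CNAME +short).
    addresses: A/AAAA records returned for the name.
    """
    if any(_norm(c) == _norm(SAAS_CNAME_TARGET) for c in cnames):
        return "cname_to_us"       # DNS-only record pointing at us
    if not cnames and not addresses:
        return "no_records"        # NOERROR, empty answer: nothing added yet
    if addresses and all(_is_proxy_ip(a) for a in addresses):
        return "proxied_unknown"   # proxy IPs hide the target: add the custom
                                   # hostname and watch its status instead
    return "points_elsewhere"      # resolves, but not to us or a proxy


def addresses_for(hostname):
    """A/AAAA answers via the stdlib resolver (cannot expose CNAME targets)."""
    try:
        return sorted({i[4][0] for i in socket.getaddrinfo(hostname, None)})
    except socket.gaierror:
        return []


if __name__ == "__main__":
    # Constructed sample answers standing in for real resolver output.
    for label, cn, ad in [("dns-only cname", ["customers.example-saas.com."], []),
                          ("nothing added", [], []),
                          ("proxied", [], ["104.16.1.1", "2606:4700::1"]),
                          ("other host", [], ["203.0.113.5"])]:
        print(f"{label:15} -> {classify(cn, ad)}")
```

For CNAME targets feed in the output of the dig command from the question; addresses_for only covers the A/AAAA side because the stdlib resolver does not expose CNAME chains.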
makes sense
A lot of other companies use CF for SaaS/SSL for SaaS, looking over their docs on how they do things, Gitbook insist users don't proxy: https://docs.gitbook.com/publishing/custom-domain/configure-dns#are-you-using-cloudflare
adding some text like that/trying to convince people/showing a screenshot of dns-only might not be a bad idea
I was wondering if there was some way we could host a file on our servers, then see if that exists via the domain our users provide, but we have "always use https" and of course the request fails until we initiate the SSL in CF for that hostname
if we created a rule to "not use https" for that specific path to the file, would that work?
or would traffic just not reach our servers at all until we create the custom hostname for that user in CF?
not until you added the custom hostname, CF would reject it with cname cross-user banned
after you add it though, and you weren't forcing https, you might still get stuck by them having proxy enabled with always use https
right
ok thanks