# Getting Error 1014: CNAME Cross-User Banned on domains pointing CNAME to my account


frozen silo
#

I understand that domains pointing CNAME records to my domain are blocked if the domains are not set up in the same Cloudflare account, and I understand that if I upgrade to Pro then I can contact support to lift this restriction.

My question is: can this restriction be lifted for all domains at once, or does it have to be done for each domain individually?

I will upgrade if it can be done for all domains.

I run a URL shortening service and there will be new domains with a CNAME record pointing to my domain every time a new user adds a domain.

Thanks!

#

It specifies here this:

To allow CNAME record resolution to a domain in a different Cloudflare account, the domain owner of the CNAME target must contact Cloudflare Support and specify the domains allowed to CNAME to their target domain. A Cloudflare Pro, Business, or Enterprise plan is required on the target domain for Cloudflare Support to change default CNAME restrictions.

https://community.cloudflare.com/t/error-1014-cname-cross-user-banned-how-to-resolve/324935

However, I need it to allow any domain, not just the ones I manually ask to be allowed.

Can this be done?


frozen silo
#

hello?

cedar yacht
# frozen silo hello?

what you're looking for is CF for SaaS: https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/
It takes care of certificate issuing as well, and lets people CNAME to your account, and traffic flows to the fallback origin you set up. It's what Cloudflare Pages uses under the hood for Custom Domains for example, as well as Shopify and a few other companies


frozen silo
#

Thank you @cedar yacht I'm looking into it.

According to the documentation this is available on free plans, but when I try to enable it I'm presented with a payment form. What gives?

cedar yacht
#

available on free plans as an addon

Free, Pro, and Business Plan: Free for the first 100 hostnames and $0.10 a month for each additional custom hostname.

frozen silo
#

thank you!

frozen silo
#

@cedar yacht I have added one hostname manually to test. One weird thing is that it seems that domain has now inherited TXT records from the main domain.

How can I avoid that?

cedar yacht
# frozen silo @cedar yacht I have added one hostname manually to test. One weird thin...

That's how CNAMEs work, but you can CNAME to anything in that domain that is proxied. For example, make a record called links.yourdomain.com, type: AAAA, value: 100::, proxied. It won't work to visit directly, but you can CNAME to it from another domain, and if it's added in your Custom hostnames tab, it'll follow the fallback origin set there instead.
You could also CNAME directly to your fallback origin if it's proxied, doesn't really matter. It's like an entry to CF, and the route is determined by the custom hostname link existing, just important that it's to your domain.

frozen silo
#

Thanks @cedar yacht, that worked. Do you know if there's any way that my customers can simply add the CNAME record to their domain name but not have to add a TXT record for validation of the certificate?

cedar yacht
# frozen silo Thanks @cedar yacht, that worked. Do you know if there's any way that my...

You can do it with just the CNAME -- called HTTP Validation: https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/validate-certificates/http/
via the API you just pass http validation method, and you can select it under cert. validation via the dash as well

HTTP validation involves adding a DCV token to your customer’s origin.

frozen silo
#

That worked great thanks. So when a hostname is added and verified with HTTP method, how are the certificates renewed? I've added two domains but the certificates expire after one year. Do I need to do anything to renew them, or they renew automatically?

cedar yacht
# frozen silo That worked great thanks. So when a hostname is added and verified with HTTP met...

automatic, they use the /.well-known/acme-challenge path, can find more info on http challenges here: https://letsencrypt.org/docs/challenge-types/

autumn belfry
#

@cedar yacht Hi, I also met this issue when I access R2 bucket objects, using a custom domain linked to the bucket. It's weird that I can't activate/disable/delete the domain from the R2 settings dashboard. Its current status is "unknown". (1) Click activate/disable the domain in the R2 settings, nothing happens. (2) Click delete, it reports the error: "We encountered an internal error. Please try again. (Code: 10001)".

cedar yacht
autumn belfry
#

The zone has Edge Certificates covering it and its subdomain (wildcard).