SSL certificate issues

If you use CAA records to control who can issue SSL certificates on your domain, in order to use a Secureframe Trust custom domain, you must allow Google Domains to issue a certificate for your domain.  You do this by adding a CAA record for pki.goog alongside your existing records.  The content delivery network that secures your connections to Secureframe Trust, e.g. Cloudflare, uses Google Domains to issue this certificate on your behalf.  Secureframe does not and will not issue any certificates for your domain.

Check your CAA Records

To see if you are using CAA records today, you can use an online lookup tool such as https://www.nslookup.io/caa-lookup/.  If you are not using CAA records, and don't see any, no action is required.

For detailed background material you can optionally see https://developers.cloudflare.com/ssl/reference/certificate-authorities/ and https://developers.cloudflare.com/ssl/edge-certificates/caa-records/#who-should-create-caa-records: "When adding new Custom Hostname and your customer has existing CAA records. In this case, ask your customer to remove the existing CAA records or add the missing CAA record."

Common Errors

Error 1014: CNAME Cross-User Banned or Error 1001: DNS Resolution Error

If you see this error when you attempt to use a custom Trust Center domain and you're using Cloudflare, you must contact Cloudflare's Abuse team (who controls domain bans) by going to the webform here. 

Important Note: This is not an issue that Secureframe can resolve, so our recommendation is to  contact Cloudfare right away. You can also review Cloudflare Community forum for additional details here. 

If you have an open Secureframe Support Ticket or if you are already in contact with your Customer Success Manager, feel free to keep us informed on your attempt with Cloudflare so that we can review on our end through resolution. 

Error 1014
CNAME Cross-User Banned

What happened?

You've requested a page on a website that is part of the Cloudflare network. The host is configured as a CNAME across accounts on Cloudflare, which is not allowed by Cloudflare's security policy.

What can I do?

If this is an R2 custom domain, it may still be initializing. If you have attempted to manually point a CNAME DNS record to your R2 bucket, you must do it using a custom domain. Refer to R2's documentation for details.

Visit our website to learn more about Cloudflare.

Frequently Asked Questions (FAQ)

I’m trying to configure our Custom URL "setup custom domain" in Secureframe (ex, acmecorp.secureframetrust.com to point to trust.acmecorp.com but it’s not working. What should I check?

If your CNAME is correctly configured but the domain still isn’t working, double-check that the correct custom domain is set in your Trust Center settings.

In one recent case, the user intended to set trust.carelen.com as their custom domain, but had mistakenly entered trust.secureframe.com during setup (see screenshot).

To resolve:

• Go to Trust Center > Settings > DNS

• Remove the incorrect custom domain (if present)

• Re-enter the intended custom domain: trust.acmecorp.com

• In your DNS provider, ensure there is a CNAME record pointing
  trust.acmecorp.com ➝ acmecorp.secureframetrust.com

Once everything is aligned, propagation can take a few minutes to a few hours. If issues persist, reach out to support.

What should I do if contacting Cloudflare doesn’t resolve Error 1014?

If Cloudflare confirms the issue is not on their end, please contact Secureframe Support so we can investigate further. When reaching out, include the following:

• A brief summary of the steps you’ve already taken with Cloudflare

• A screenshot of your current DNS configuration

• The full error message and code you’re seeing

Providing these details will help our team quickly assess if any changes are needed on our end.