Configure SSL/HTTPS access

*.scalingo.io domain

By default you can access your application using the following domain name: <yourapp>.scalingo.io.

HTTPS is enabled by default for those domains and we recommend you to use it by default to ensure the encryption of the requests to your apps.

We provide a valid certificate which is recognized by all modern browsers and HTTP clients.

If you have a custom domain configured, we provide a valid certificate thanks to Let’s Encrypt certificate.

You can also choose to use your own certificate, in which case it is handled by SNI on our side. To understand what it is and why it’s useful, you can read more here: SNI.

Custom domain

Automatic HTTPS certificate with Let’s Encrypt

You can add your own domain name to access your application. By default HTTPS is enabled, and fully functional thanks to Let’s Encrypt certificate.

However, Let’s Encrypt does not support certificate for wildcard domain. Hence, we will not be able to provide automatic HTTPS certificate in that case.

Generate your own certificate manually

You can add your own domain name to access your application. By default HTTPS is enabled, and fully functional thanks to Let’s Encrypt certificate. However, Let’s Encrypt does not support certificate for wildcard domain. Hence, we will not be able to provide automatic HTTPS with such custom domain.

If you want to use a custom certificate, signed by a different certificate authority, you can still add it. Here are the different steps to follow.

SSL/TLS certificates are free on Scalingo.

1. Create a RSA key pair and a signing request

openssl req -new -newkey rsa:2048 -sha256 -nodes -keyout app.key -out app.csr

You have to enter different information regarding your certificate, but have particular look at:

  • Country Name: It has to be the two letters representing your country following the ISO 3166-1
  • Common Name: This is the domain name you want to secure. (Example: www.example.com)

Two files have been generated:

  • app.key: The private key, you have to keep secret
  • app.csr: The signing request, which has to be signed by a trusted third-party

This command creates a RSA key of 2048 bytes length, you can adapt this value if you wish a stronger key. However, we do not recommend you to use a lower encryption key size.

2. Submit your request to generate a valid certificate

Your app.csr file has to be signed by an external entity. This service is, in most of the cases, charged by the authority. But some companies provide certificates for free.

Those are examples, a lot of other companies are providing this service.

3. Upload your key and certificate

Note that both your key and your certificate must be in the PEM format

You can use our command line utility or our web dashboard to upload your key and certificate

With the CLI:

# If the doman has already been defined
scalingo domains-ssl --cert ./app.crt --key ./app.key www.example.com

# If it is a new domain
scalingo domains-add --cert ./app.crt --key ./app.key www.example.com

From our dashboard:

Go to the ‘Domain’ tab of your application, click on the gear of the concerned domain, select the certificate you want to use and the key, then click on ‘Validate’.

In both cases the modification is applied instantly.

How to upload certificate chains

A lot of certificate authorities are providing certificate chains or bundles alongside your signed certificate. To upload all those certificates, you have to create one file, with all the certificates concatenated. First add your certificate, then append all the intermediate certificates of the certificate chain.

Example:

===== BEGIN CERTIFICATE ======
.... your certificate
===== END CERTIFICATE ========
===== BEGIN CERTIFICATE ======
.... intermediate certificate 1
===== END CERTIFICATE ========
===== BEGIN CERTIFICATE ======
.... intermediate certificate 2
===== END CERTIFICATE ========

When it expires or you delete it

If you forget to renew your certificate and it expires, or if you delete it, a Let’s Encrypt certificate will automatically and immediately replace it. Hence your application will always be available using HTTPS.

schedule 08 Jun 2017