Configure SSL/HTTPS access
By default you can access your application using the following domain name: <yourapp>.scalingo.io.
HTTPS is enabled by default for those domains, and we recommend using it to ensure that requests to your apps are encrypted.
We provide a valid certificate which is recognized by all modern browsers and HTTP clients.
If you have a custom domain configured, we provide a valid certificate issued by Let’s Encrypt.
You can also choose to use your own certificate, in which case it is handled by SNI on our side. To understand what it is and why it’s useful, you can read more here: SNI.
Automatic HTTPS certificate with Let’s Encrypt
However, Let’s Encrypt does not support certificates for wildcard domains. Hence, we are not able to provide an automatic HTTPS certificate in that case.
Generate your own certificate manually
You can add your own domain name to access your application. By default HTTPS is enabled and fully functional thanks to a Let’s Encrypt certificate. However, Let’s Encrypt does not support certificates for wildcard domains. Hence, we are not able to provide automatic HTTPS for such a custom domain.
If you want to use a custom certificate, signed by a different certificate authority, you can still add it. Here are the different steps to follow.
SSL/TLS certificates are free on Scalingo.
1. Create an RSA key pair and a signing request
openssl req -new -newkey rsa:2048 -sha256 -nodes -keyout app.key -out app.csr
You have to enter several pieces of information about your certificate, but pay particular attention to:
- Country Name: It has to be the two-letter code representing your country, following ISO 3166-1
- Common Name: This is the domain name you want to secure. (Example:
Two files have been generated:
app.key: The private key, which you have to keep secret
app.csr: The signing request, which has to be signed by a trusted third party
This command creates an RSA key of 2048 bytes length; you can adapt this value if you want a stronger key. However, we do not recommend using a smaller key size.
2. Submit your request to generate a valid certificate
The app.csr file has to be signed by an external entity. This service is, in most
of the cases, charged by the authority. But some companies provide certificates
Those are examples; many other companies provide this service.
3. Upload your key and certificate
Note that both your key and your certificate must be in the PEM format.
You can use our command line utility or our web dashboard to upload your key and certificate.
With the CLI:
# If the domain has already been defined
scalingo domains-ssl --cert ./app.crt --key ./app.key www.example.com
# If it is a new domain
scalingo domains-add --cert ./app.crt --key ./app.key www.example.com
From our dashboard:
Go to the ‘Domain’ tab of your application, click on the gear of the concerned domain, select the certificate you want to use and the key, then click on ‘Validate’.
In both cases the modification is applied instantly.
How to upload certificate chains
Many certificate authorities provide certificate chains or bundles alongside your signed certificate. To upload all those certificates, you have to create one file with all the certificates concatenated. First add your certificate, then append all the intermediate certificates of the certificate chain.
-----BEGIN CERTIFICATE-----
.... your certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
.... intermediate certificate 1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
.... intermediate certificate 2
-----END CERTIFICATE-----
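A local check to run before uploading, written as an added example (it is not Scalingo tooling): `build_bundle` writes your certificate first and then the intermediates into one PEM file, and `check_bundle` confirms that the private key matches the first certificate and that each certificate is issued by the one that follows it. The function names, the throwaway certificates created by `make_demo` and all file names are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not Scalingo tooling. File names are placeholders.

# Write the leaf certificate first, then each intermediate, into one PEM file.
build_bundle() {  # build_bundle OUT LEAF [INTERMEDIATE...]
  local out="$1" f; shift
  : > "$out"
  for f in "$@"; do
    openssl x509 -in "$f" -outform PEM >> "$out" || return 3
  done
}

# Returns 0 = ok, 1 = key does not match the first certificate,
# 2 = certificates out of order, 3 = unreadable key or certificate.
check_bundle() {  # check_bundle KEY BUNDLE
  local key="$1" bundle="$2" dir leaf_pub key_pub n i=1 rc=0
  dir=$(mktemp -d) || return 3
  # Split the bundle into cert1.pem, cert2.pem, ... in file order.
  awk -v d="$dir" '/^-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/cert" n ".pem")}' "$bundle"
  n=$(find "$dir" -name 'cert*.pem' | wc -l)
  leaf_pub=$(openssl x509 -in "$dir/cert1.pem" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$leaf_pub" ] || [ -z "$key_pub" ]; then rc=3
  elif [ "$leaf_pub" != "$key_pub" ]; then rc=1
  fi
  # Each certificate must be issued by the one that follows it.
  while [ "$rc" -eq 0 ] && [ "$i" -lt "$n" ]; do
    [ "$(openssl x509 -in "$dir/cert$i.pem" -noout -issuer_hash)" = \
      "$(openssl x509 -in "$dir/cert$((i + 1)).pem" -noout -subject_hash)" ] || rc=2
    i=$((i + 1))
  done
  rm -rf "$dir"
  return "$rc"
}

# Constructed sample data: a throwaway issuing CA and a leaf for www.example.com.
make_demo() {  # make_demo DIR
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Intermediate" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -sha256 -nodes -subj "/CN=www.example.com" \
    -keyout "$1/app.key" -out "$1/app.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/app.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/app.crt" 2>/dev/null
}
```

With real files, run `build_bundle bundle.pem app.crt intermediate1.crt intermediate2.crt` and then `check_bundle app.key bundle.pem`; a zero exit status means `bundle.pem` is ready to pass to `--cert`.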
When it expires or you delete it
If you forget to renew your certificate and it expires, or if you delete it, a Let’s Encrypt certificate will automatically and immediately replace it. Hence your application will always be available using HTTPS.