Resources for Developers

Configuring SSL/HTTPS access

*.scalingo.io domain

By default you can access your application using the following domain name: my-app.scalingo.io.

HTTPS is enabled by default for those domains and we recommend you to use it by default to ensure the encryption of the requests to your apps.

We provide a valid certificate which is recognized by all modern browsers and HTTP clients.

If you have a custom domain configured, we provide a valid certificate thanks to Let’s Encrypt certificate.

You can also choose to use your own certificate. We use SNI in such case. To understand what it is and why it is useful, you can read more here: SNI on Wikipedia.

Custom domain

Automatic HTTPS certificate with Let’s Encrypt

You can add your own domain name to access your application. By default HTTPS is enabled, and fully functional thanks to Let’s Encrypt certificate.

We automatically generate a certificate for every domain added to the platform. Let’s Encrypt certificates have a 90 days validity. We follow Let’s Encrypt recommendation and renew them every 60 days automatically. You do not need to do anything manually!

If you prefer to use a certificate signed by a different certificate authority, feel free to add it by following the instructions.

If you forget to renew your custom certificate and it expires, or if you delete it, a Let’s Encrypt certificate will automatically and immediately replace it. Hence your application will always be available using HTTPS.

Let’s Encrypt certificate statuses

On the dashboard, you may find your Let’s Encrypt certificate with various statuses:

  • Pending DNS: when you link a domain name to your application, we wait for it to target our infrastructure before generating the certificate. We check the DNS record automatically every 60 seconds.
  • Creating: our infrastructure is exchanging messages with Let’s Encrypt servers to generate your certificate.
  • In use: your website is available using HTTPS connections thanks to a Let’s Encrypt certificate.
  • Not used: your website is available using HTTPS connections thanks to a custom certificate. If it expires or if you remove it, your website will be available using HTTPS connections thanks to a Let’s Encrypt certificate.

Generate your own certificate manually

You can add your own domain name to access your application. By default HTTPS is enabled, and fully functional thanks to Let’s Encrypt certificate.

If you want to use a custom certificate, signed by a different certificate authority, you can still add it. Here are the different steps to follow:

1. Create a RSA key pair and a signing request

openssl req -new -newkey rsa:2048 -sha256 -nodes -keyout app.key -out app.csr

You have to enter different information regarding your certificate, but have particular look at:

  • Country Name: It has to be the two letters representing your country following the ISO 3166-1
  • Common Name: This is the domain name you want to secure. (Example: www.example.com)

Two files have been generated:

  • app.key: The private key, you have to keep secret
  • app.csr: The signing request, which has to be signed by a trusted third-party

2. Submit your request to generate a valid certificate

Your app.csr file has to be signed by an external entity. This service is, in most of the cases, charged by the authority. But some companies provide certificates for free.

Those are examples, a lot of other companies are providing this service.

3. Upload your key and certificate

You can use our command line utility or our web dashboard to upload your key and certificate

With the CLI:

# If the doman has already been defined
scalingo domains-ssl --cert ./app.crt --key ./app.key www.example.com

# If it is a new domain
scalingo domains-add --cert ./app.crt --key ./app.key www.example.com

From our dashboard:

Go to the ‘Domain’ tab of your application, click on ‘Custom certificate’ of the concerned domain. Select the certificate you want to use and the key, then click on ‘Validate’.

In both cases the modification is applied instantly.

How to upload certificate chains

A lot of certificate authorities provide certificate chains or bundles alongside your signed certificate. To upload all those certificates, you have to create one file, with all the certificates concatenated. First add your certificate, then append all the intermediate certificates of the certificate chain.

Example:

-----BEGIN CERTIFICATE-----
.... your certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
.... intermediate certificate 1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
.... intermediate certificate 2
-----END CERTIFICATE-----

When it expires or you delete it

If you forget to renew your certificate and it expires, or if you delete it, a Let’s Encrypt certificate will automatically and immediately replace it. Hence your application will always be available using HTTPS.


mode_edit Suggest edits