By default you can access your application using the following domain name: my-app.scalingo.io.
HTTPS is enabled by default for those domains and we recommend you to use it by default to ensure the encryption of the requests to your apps.
We provide a valid certificate which is recognized by all modern browsers and HTTP clients.
If you have a custom domain configured, we provide a valid certificate thanks to Let’s Encrypt certificate.
You can also choose to use your own certificate. We use SNI in such case. To understand what it is and why it is useful, you can read more here: SNI on Wikipedia.
Automatic HTTPS certificate with Let’s Encrypt
We automatically generate a certificate for every domain added to the platform. Let’s Encrypt certificates have a 90 days validity. We follow Let’s Encrypt recommendation and renew them every 60 days automatically. You do not need to do anything manually!
If you prefer to use a certificate signed by a different certificate authority, feel free to add it by following the instructions.
If you forget to renew your custom certificate and it expires, or if you delete it, a Let’s Encrypt certificate will automatically and immediately replace it. Hence your application will always be available using HTTPS.
Let’s Encrypt certificate statuses
On the dashboard, you may find your Let’s Encrypt certificate with various statuses:
- Pending DNS: when you link a domain name to your application, we wait for it to target our infrastructure before generating the certificate. We check the DNS record automatically every 60 seconds.
- Creating: our infrastructure is exchanging messages with Let’s Encrypt servers to generate your certificate.
- In use: your website is available using HTTPS connections thanks to a Let’s Encrypt certificate.
- Not used: your website is available using HTTPS connections thanks to a custom certificate. If it expires or if you remove it, your website will be available using HTTPS connections thanks to a Let’s Encrypt certificate.
- Not for wildcard: Let’s Encrypt certificates are not yet available for wildcard domain.
Generate your own certificate manually
If you want to use a custom certificate, signed by a different certificate authority, you can still add it. Here are the different steps to follow:
1. Create a RSA key pair and a signing request
openssl req -new -newkey rsa:2048 -sha256 -nodes -keyout app.key -out app.csr
You have to enter different information regarding your certificate, but have particular look at:
- Country Name: It has to be the two letters representing your country following the ISO 3166-1
Common Name: This is the domain name you want to secure. (Example:
Two files have been generated:
app.key: The private key, you have to keep secret
app.csr: The signing request, which has to be signed by a trusted third-party
2. Submit your request to generate a valid certificate
app.csr file has to be signed by an external entity. This service is, in most
of the cases, charged by the authority. But some companies provide certificates
Those are examples, a lot of other companies are providing this service.
3. Upload your key and certificate
You can use our command line utility or our web dashboard to upload your key and certificate
With the CLI:
# If the doman has already been defined scalingo domains-ssl --cert ./app.crt --key ./app.key www.example.com # If it is a new domain scalingo domains-add --cert ./app.crt --key ./app.key www.example.com
From our dashboard:
Go to the ‘Domain’ tab of your application, click on ‘Custom certificate’ of the concerned domain. Select the certificate you want to use and the key, then click on ‘Validate’.
In both cases the modification is applied instantly.
How to upload certificate chains
A lot of certificate authorities provide certificate chains or bundles alongside your signed certificate. To upload all those certificates, you have to create one file, with all the certificates concatenated. First add your certificate, then append all the intermediate certificates of the certificate chain.
-----BEGIN CERTIFICATE----- .... your certificate -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- .... intermediate certificate 1 -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- .... intermediate certificate 2 -----END CERTIFICATE-----
When it expires or you delete it
If you forget to renew your certificate and it expires, or if you delete it, a Let’s Encrypt certificate will automatically and immediately replace it. Hence your application will always be available using HTTPS.