Configuring SSL/HTTPS access
*.scalingo.io Domain
By default you can access your application using the following domain name:
my-app.region-name.scalingo.io
. Replace region-name
with the region where
you have created your application (e.g. osc-fr1
).
HTTPS is enabled by default for those domains and we recommend you to use it by default to ensure the encryption of the requests to your apps.
We provide a valid certificate which is recognized by all modern browsers and HTTP clients.
If you have a custom domain configured, we provide a valid certificate thanks to Let’s Encrypt certificate.
You can also choose to use your own certificate. We use SNI in such case. To understand what it is and why it is useful, you can read more here: SNI on Wikipedia.
Custom Domain
Automatic HTTPS Certificate with Let’s Encrypt
You can add your own domain name to access your application. By default HTTPS is enabled, and fully functional thanks to Let’s Encrypt certificate.
By default, we automatically generate a certificate for every domain added to the platform. Let’s Encrypt certificates have a 90 days validity. We follow Let’s Encrypt recommendation and renew them every 60 days automatically. You do not need to do anything manually!
If you prefer to use a certificate signed by a different certificate authority, feel free to add it by following the instructions.
If you forget to renew your custom certificate and it expires, or if you delete it, a Let’s Encrypt certificate will automatically and immediately replace it. Hence your application will always be available using HTTPS.
If your DNS configuration is not valid or if we fail to generate a certificate, the platform will automatically retry to generate it later. The time between those tries is determined using an exponential backoff algorithm. We will wait 1 minute for the first retry, 2 minutes for the second, 4 minutes for the third and so on. This algorithm is capped at a minimum of one try per day.
Limit: Number of Certificate per Domain
The platform is limited by official Let’s Encrypt quotas.
There is a maximum of 50 generated certificates per domain per week. The domain here mentions the root domain, so having a certificate for www.example.com
, app.example.com
and example.com
counts for 3.
Let’s Encrypt Certificate Statuses
On the dashboard, you may find your Let’s Encrypt certificate with various statuses:
- Pending DNS: when you link a domain name to your application, we wait for it to target our infrastructure before generating the certificate. We check the DNS record automatically every 60 seconds.
- Creating: our infrastructure is exchanging messages with Let’s Encrypt servers to generate your certificate.
- In use: your website is available using HTTPS connections thanks to a Let’s Encrypt certificate.
- Not used: your website is available using HTTPS connections thanks to a custom certificate. If it expires or if you remove it, your website will be available using HTTPS connections thanks to a Let’s Encrypt certificate.
- Action required: to achieve the creation of your Let’s Encrypt certificates for a wildcard domain, you may be asked to do something. See wildcard domain documentation for more information.
Disable Let’s Encrypt Certificate Generation
As explained on this page, by default we try to generate Let’s Encrypt TLS certificate for all domains added to applications. However you might want to disable completely this feature. You can do it by creating your domain with our command line tool or directly through our API
scalingo --app my-app domains-add --no-letsencrypt www.example.com
That way, we will never contact Let’s Encrypt servers for the given domain.
Increase your Domain Name Security
One way to increase a domain name security is to configure a DNS record of type CAA. It let you
specifies which certificate authority is allowed to generate a TLS certificate for your domain name.
Not all DNS provider let you configure this record. You can find a non-comprehensive list of
providers which support it on this page. If your domain name is
example.com
, you can indicate that only Let’s Encrypt is allowed to generate a certificate for
this subdomain and all subdomain with:
example.com. IN CAA 0 issue "letsencrypt.org"
More information about CAA record on the Let’s Encrypt documentation.
Generate your Own Certificate Manually
You can add your own domain name to access your application. By default HTTPS is enabled, and fully functional thanks to Let’s Encrypt certificate.
If you want to use a custom certificate, signed by a different certificate authority, you can still add it. Here are the different steps to follow:
1. Create a RSA key pair and a signing request
openssl req -new -newkey rsa:2048 -sha256 -nodes -keyout app.key -out app.csr
You have to enter different information regarding your certificate, but have particular look at:
- Country Name: It has to be the two letters representing your country following the ISO 3166-1
-
Common Name: This is the domain name you want to secure. (Example:
www.example.com
)
Two files have been generated:
-
app.key
: The private key, you have to keep secret -
app.csr
: The signing request, which has to be signed by a trusted third-party
2. Submit your request to generate a valid certificate
Your app.csr
file has to be signed by an external entity. This service is, in most
of the cases, charged by the authority. But some companies provide certificates
for free.
Those are examples, a lot of other companies are providing this service.
3. Upload your key and certificate
You can use our command line utility or our web dashboard to upload your key and certificate
With the CLI:
# If the doman has already been defined
scalingo domains-ssl --cert ./app.crt --key ./app.key www.example.com
# If it is a new domain
scalingo domains-add --cert ./app.crt --key ./app.key www.example.com
From our dashboard:
Go to the ‘Domain’ tab of your application, click on ‘Custom certificate’ of the concerned domain. Select the certificate you want to use and the key, then click on ‘Validate’.
In both cases the modification is applied instantly.
How to Upload Certificate Chains
A lot of certificate authorities provide certificate chains or bundles alongside your signed certificate (most common is the Certification Authority, but they may supply any intermediary certificates).
To upload all those certificates, you have to create one file, with all the certificates concatenated in the PEM format. This is a textual format, so any text editor is able to do it.
File Formats and Conversions
Your certificates may have been supplied in a binary format: if you
have a .cer
, .crt
or .der
file, it should be binary. But those
extensions are sometimes used for PEM files too.
You can check by opening the file with a text editor: if you see “BEGIN CERTIFICATE”, then it’s textual. If this is a binary file, your editor should tell you so.
In the latter case, you can convert it to text using openssl
. The following command
should work on Linux-based OS and macOS:
openssl x509 -inform DER -in <yourcertificate.crt> -out yourcertificate.pem
Creating the Bundle
Create a file (for instance, certificate.pem
). First add your certificate,
then append all the intermediate certificates of the certificate chain:
Example:
-----BEGIN CERTIFICATE-----
.... your certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
.... intermediate certificate 1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
.... intermediate certificate 2
-----END CERTIFICATE-----
When it Expires or you Delete it
If you forget to renew your certificate and it expires, or if you delete it, a Let’s Encrypt certificate will automatically and immediately replace it. Hence your application will always be available using HTTPS.