By default, all domain names (ending in scalingo.io) are protected by a wildcard certificate issued by Gandi. This certificate is managed by the platform. It automatically allows any application hosted on Scalingo to be reached via both http and https as soon as they are created.

When adding a custom domain name, Scalingo automatically leverage Let’s Encrypt to generate a dedicated TLS certificate.

Once issued, a Let’s Encrypt certificate is given a 90 days validity period. The platform ensures all certificates are renewed when necessary. This process is fully automated and integrated, so you don’t have to worry about it.

The platform also follows Let’s Encrypt best practices by starting the renewal process when a certificate is 60 days old. If the renewal process fails, the platform automatically retries later. The delay between each attempt is determined using an exponential backoff algorithm. This algorithm is capped to a minimum of one attempt per day.

Certificate Statuses

At Scalingo, a Let’s Encrypt certificate can have one of these statuses:

Pending DNS

When you link a domain name to your application, we wait for it to target our infrastructure before generating the certificate. We check the DNS record automatically every 60 seconds.

Creating

Our infrastructure is exchanging messages with Let’s Encrypt servers to generate your certificate.

In use

Your website is available using HTTPS connections thanks to a Let’s Encrypt certificate.

Not used

Your website is available using HTTPS connections thanks to a custom certificate.

Action required

To achieve the creation of your Let’s Encrypt certificate for a wildcard domain, please follow these additional instructions.

Technical Considerations

• The platform is limited by official Let’s Encrypt quotas to a maximum of 50 generated certificates per apex domain per week. Generating a certificate for www.example.com, app.example.com, and example.com within the same week would count as 3.

Using a Wildcard Domain

When the platform generates a Let’s Encrypt certificate for a wildcard domain, an additional TXT DNS record must be added to the corresponding zone file. This TXT RR allows the platform to verify you are indeed owning the domain name.

This mandatory action is highlighted by the “Action required” status shown on the dashboard. Clicking on the question mark gives you the instructions and the value of the TXT record to create.

Here is an example of such a TXT RR:

NAME                         TTL   TYPE    VALUE
_acme-challenge.example.com  120   TXT     5TWm4V7xoUpGax-58FrPO49

This TXT record must be updated every three months for the platform to be able to renew the certificate.

This renewal process can be done manually, or it can be automated when working with several registrars. We currently support Azure DNS, Cloudflare, dnsimple, Gandi, Google Cloud DNS, GoDaddy, OVH Cloud, and AWS Route 53.

To allow us do the work for you, you’ll have to create a few environment variables.

Azure DNS

The following environment variables must be created and properly filled:

For more information about Azure DNS, see their documentation.

Cloudflare

The following environment variables must be created and properly filled:

For more information about Cloudflare, see their documentation.

dnsimple

The following environment variables must be created and properly filled:

For more information about dnsimple, see theirdocumentation.

Gandi

Gandi

The following environment variables must be created and properly filled:

For more information about Gandi, see their documentation.

Gandiv5

The following environment variables must be created and properly filled:

For more information about Gandi v5, see their documentation.

Google Cloud DNS

The following environment variables must be created and properly filled:

The Service account file must be encoded in base64:

base64 --wrap=0 service_account_file.json

For more information about Google Cloud DNS, see their documentation.

GoDaddy

The following environment variables must be created and properly filled:

For more information about GoDaddy, see their documentation.

OVH Cloud

The following environment variables must be created and properly filled:

For more information about OVH Cloud, see their [documentation][ovh-doc].

AWS Route 53

The following environment variables must be created and properly filled:

For more information about AWS Route 53, see their documentation.

Disabling Let’s Encrypt

Our Let’s Encrypt features can be completely disabled.

Using the Command Line

1. Make sure you have correctly setup the Scalingo command line tool
2. Issue the following command to add the domain name to your app, and specify you don’t want any of the Let’s Encrypt features:

   scalingo --app my-app domains-add --no-letsencrypt example.com
   

Using the Terraform Provider

1. Make sure the letsencrypt_enabled attribute of the corresponding scalingo_domainresource block is set to false:

   resource "scalingo_domain" "example.com" {
     common_name = "example.com"
     app = "${scalingo_app.my-app.id}"
     letsencrypt_enabled = false
   }