SSL certificates

Let's Encrypt Certificates

HTTPS is an important security feature, helping to protect the traffic between an end-user and the web servers from man-in-the-middle attacks.

Apart from the security benefits, Google announced that from July 2018, with the release of Chrome 68, pages served over plain HTTP would be marked "Not secure", and that HTTPS is used as a ranking signal.

Silverstripe Cloud utilises Let's Encrypt to automate the creation of certificates to enable HTTPS (SSL/TLS) for websites. If you have existing stacks you wish to migrate to Let's Encrypt, please log a ticket through the Service Desk.

Automatic SSL Redirects for Cloud on CCL/Revera

Requests to authenticated areas will automatically redirect to the https:// protocol (e.g. login and CMS access). Due to this default, every stack requires valid SSL certificates on all configured domains. As of Sept 2019, new projects will automatically redirect all requests to the https:// protocol, and set HTTP Strict Transport Security headers.

Considerations

Silverstripe Cloud uses a DNS-based challenge to prove control of each hostname. As long as the DNS record(s) exist, our systems can continue to renew certificates. Removing any of the _acme-challenge CNAME records will remove that hostname from the Let's Encrypt certificate.

With the implementation of Let's Encrypt certificates, the following limitations exist:

  • Unable to use wildcard certificates
  • 20 certificates per week per registered domain (please be aware of this if you are already utilising Let's Encrypt with any of your domains)
  • 100 names (hostnames) per certificate
  • Generated Let's Encrypt certificates can't be exported for external use
  • Only one certificate (Let’s Encrypt or otherwise) can be applied per environment

How can I use it?

Raise a service desk request to tell us which domains you would like covered by the Let’s Encrypt certificate.

Once we've configured the domains in our systems, we'll provide you with the required DNS change (and status) on your stack configuration page.

When Silverstripe Cloud systems detect the DNS changes, our automation will complete the issuance process, register the certificate and configure the required services so that the certificate is used.

Configuring DNS CNAME(s)

The Configuration tab for your environment will display the configuration required to set up the Let's Encrypt certificate for a stack.

Each domain to configure is shown above the required DNS records.

  • For each domain, all required DNS record names are listed.
  • For each DNS record, the corresponding CNAME value is provided.
  • The current verification status is shown. Records with the correct configuration show the "Verified" status, while records that have not been added show "Not Verified". Note that this status may take some time to be updated after DNS records have changed.
  • To have a certificate cover all the listed hosts, each DNS CNAME record needs to be set up. It is recommended that a TTL of 60 seconds is used where possible, and no more than 300 seconds otherwise.

If you are uncertain about setting up the required DNS records, the DNS record information should be provided to the appropriate technical contact. For example:

To whom it may concern,

Please configure the following DNS records with a TTL of 60 seconds:

Domain: another-example.com
  _acme-challenge        CNAME   19ff0875b2.letsencrypt.silverstripe.com.
  _acme-challenge.www    CNAME   94cc5f11c6.letsencrypt.silverstripe.com.

Domain: example.com
  _acme-challenge        CNAME   2531cfda74.letsencrypt.silverstripe.com.
  _acme-challenge.dev    CNAME   887a4d0bb5.letsencrypt.silverstripe.com.
  _acme-challenge.www    CNAME   27ac60d14b.letsencrypt.silverstripe.com.

Kind regards
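As an added illustration (not part of this article or of Silverstripe's own tooling), the script below takes the records from the example above, prints them as zone-file lines with the recommended TTL, and reproduces the Verified / Not Verified check against DNS answers. The DNS answers here are constructed; the `lookup` callable is where a real resolver would be plugged in.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Records as listed on the stack's Configuration tab (domain, name, CNAME target); sample values from the article's example email.
REQUIRED = [
    ("another-example.com", "_acme-challenge", "19ff0875b2.letsencrypt.silverstripe.com."),
    ("another-example.com", "_acme-challenge.www", "94cc5f11c6.letsencrypt.silverstripe.com."),
    ("example.com", "_acme-challenge", "2531cfda74.letsencrypt.silverstripe.com."),
    ("example.com", "_acme-challenge.dev", "887a4d0bb5.letsencrypt.silverstripe.com."),
    ("example.com", "_acme-challenge.www", "27ac60d14b.letsencrypt.silverstripe.com."),
]
MAX_TTL = 300  # the article recommends 60 s and allows at most 300 s

def fqdn(domain: str, name: str) -> str:
    """Absolute owner name of a record, e.g. _acme-challenge.www.example.com."""
    return f"{name}.{domain}."

def zone_lines(records, ttl: int = 60) -> List[str]:
    """Zone-file lines to hand to whoever manages DNS for these domains."""
    return [f"{fqdn(d, n)} {ttl} IN CNAME {target}" for d, n, target in records]

# lookup(owner) -> (CNAME target, TTL) or None; in real use wrap a resolver such as dnspython's dns.resolver.resolve(owner, "CNAME").
Lookup = Callable[[str], Optional[Tuple[str, int]]]

def verify(records, lookup: Lookup) -> Dict[str, str]:
    """Mirror the Configuration tab's Verified / Not Verified status for each record."""
    report = {}
    for d, n, target in records:
        owner = fqdn(d, n)
        answer = lookup(owner)
        if answer is None:
            report[owner] = "Not Verified (no CNAME)"
            continue
        got, ttl = answer
        got = got if got.endswith(".") else got + "."  # normalise to an absolute name
        if got.lower() != target.lower():
            report[owner] = f"Not Verified (points at {got})"
        elif ttl > MAX_TTL:
            report[owner] = f"Verified, but TTL {ttl}s exceeds {MAX_TTL}s"
        else:
            report[owner] = "Verified"
    return report

# Constructed answers standing in for live DNS: one correct, one with an oversized TTL,
# one pointing at a stale target, and another-example.com not configured at all.
FAKE_DNS = {
    "_acme-challenge.example.com.": ("2531cfda74.letsencrypt.silverstripe.com", 60),
    "_acme-challenge.www.example.com.": ("27ac60d14b.letsencrypt.silverstripe.com.", 3600),
    "_acme-challenge.dev.example.com.": ("stale0000ab.letsencrypt.silverstripe.com.", 60),
}
fake_lookup: Lookup = FAKE_DNS.get  # swap for a real resolver outside this demo
```

Calling `zone_lines(REQUIRED)` gives the lines to send to the DNS administrator, and `verify(REQUIRED, fake_lookup)` returns a per-record status dictionary.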

Custom certificates

If you would like to provide SSL support to your site (custom certificate), here's how you do it:

Obtain a certificate for your domain. You can either use your existing certificate or purchase a new one. If you are purchasing a new certificate, make sure it is signed with SHA-2. Please note that we currently support only 2048-bit RSA keys.

Attach your password-protected certificate to a general support request. We will ask for the password via another channel, e.g. SMS.

We will install the certificate for your stack.

Note: generally we can only support one domain name with SSL per instance. If you would like a different configuration, please contact us and we will discuss your options.

Support for SSL certificates with additional hostnames and SubSites:

Each Incapsula site allows only one SSL certificate, so please ensure the certificate you purchase covers all necessary domains; this could be a wildcard or SAN certificate.

If you wish to have multiple SSL certificates work within the same stack, you will require an Incapsula Premium account.
