HTTPS is an important security feature: it protects the traffic between an end user and the web servers from interception and tampering (man-in-the-middle attacks).
Apart from the security benefits, Google announced that from July 2018, with the release of Chrome 68, pages served over plain HTTP are marked as "not secure", and it has also introduced HTTPS as a ranking signal.
CWP now uses Let's Encrypt to automate the creation of certificates that enable HTTPS (SSL/TLS) for websites. If you have existing CWP stacks you wish to migrate to Let's Encrypt, please log a ticket through the CWP Service Desk.
Requests to authenticated areas (e.g. login and CMS access) automatically redirect to the https:// protocol. Because of this default, every CWP stack requires valid SSL certificates on all configured domains. As of CWP 2.4 (Sept 2019), new CWP projects automatically redirect all requests to the https:// protocol and set HTTP Strict Transport Security headers.
CWP proves control of each hostname with a DNS query. As long as the DNS record(s) exist, our systems will be able to continue to renew certificates. Removing any of the DNS _acme-challenge CNAME records will remove that hostname from the Let's Encrypt certificate.
With the CWP implementation of Let's Encrypt certificates, the following limitations exist:
Raise a service desk request to tell us which domains you would like covered by the Let's Encrypt certificate.
Once we've configured the domains in our systems, we'll provide you with the required DNS change (and its status) on your CWP stack page.
When CWP systems detect the DNS changes, our automation goes through the required process to register the certificate and configure the services that use it.
Your CWP stack page will display the configuration required to set up the Let's Encrypt certificate for a stack.
To have a certificate cover all the listed hosts, a DNS CNAME record must be created for each one. A TTL of 60 seconds is recommended where possible, and 300 seconds at most.
If you are uncertain about setting up the required DNS records, pass the information shown on the stack page to the appropriate technical contact. For example:

To whom it may concern,

Please configure the following DNS records with a TTL of 60 seconds

Domain: another-example.com
_acme-challenge CNAME 19ff0875b2.letsencrypt.silverstripe.com.
_acme-challenge.www CNAME 94cc5f11c6.letsencrypt.silverstripe.com.

Domain: example.com
_acme-challenge CNAME 2531cfda74.letsencrypt.silverstripe.com.
_acme-challenge.dev CNAME 887a4d0bb5.letsencrypt.silverstripe.com.
_acme-challenge.www CNAME 27ac60d14b.letsencrypt.silverstripe.com.

Kind regards
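Before raising the ticket, or after the DNS change has gone in, it is worth confirming that every _acme-challenge CNAME resolves to the target CWP listed and that its TTL is within the recommended range; a missing or mistyped record is exactly the case described above where a hostname drops off the certificate. The script below is an added example, not CWP's own tooling. It parses the "Domain: / CNAME" layout from the stack page and compares it against DNS answers. The resolver is injected as a function so the example runs offline against a constructed fake zone; to run it against real DNS, pass a function that returns (target, ttl) for a name, for instance built on dnspython's dns.resolver. The record names and targets in the sample are the ones from the example email above; the fake answers, the function names and the status labels are this example's own.

```python
"""
Added example (not part of the CWP documentation): parse the DNS records
listed on a CWP stack page and check that each _acme-challenge CNAME exists,
points at the expected target, and uses an acceptable TTL.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample text, copied from the layout of the stack-page email.
STACK_PAGE_TEXT = """
Domain: another-example.com
_acme-challenge CNAME 19ff0875b2.letsencrypt.silverstripe.com.
_acme-challenge.www CNAME 94cc5f11c6.letsencrypt.silverstripe.com.
Domain: example.com
_acme-challenge CNAME 2531cfda74.letsencrypt.silverstripe.com.
_acme-challenge.dev CNAME 887a4d0bb5.letsencrypt.silverstripe.com.
_acme-challenge.www CNAME 27ac60d14b.letsencrypt.silverstripe.com.
"""

RECOMMENDED_TTL = 60   # seconds, as the page recommends
MAX_TTL = 300          # seconds, the page's stated maximum

# A resolver maps an FQDN to (cname_target, ttl), or None when there is no record.
Resolver = Callable[[str], Optional[Tuple[str, int]]]


def _fqdn(name: str) -> str:
    """Normalise a DNS name to absolute form with a trailing dot."""
    return name if name.endswith(".") else name + "."


def parse_required_records(text: str) -> Dict[str, str]:
    """Return {fqdn: expected CNAME target} from a stack-page listing."""
    required: Dict[str, str] = {}
    zone: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Domain:\s*(\S+)", line)
        if m:
            zone = m.group(1).rstrip(".")
            continue
        m = re.match(r"(\S+)\s+CNAME\s+(\S+)", line)
        if m and zone:
            name, target = m.groups()
            required[_fqdn(f"{name}.{zone}")] = _fqdn(target)
    return required


def check_delegations(required: Dict[str, str], resolve: Resolver) -> List[Tuple[str, str]]:
    """Compare DNS answers with the expected targets.

    Status per name: 'ok', 'missing', 'wrong-target' or 'ttl-too-high'.
    """
    results: List[Tuple[str, str]] = []
    for fqdn, expected in sorted(required.items()):
        answer = resolve(fqdn)
        if answer is None:
            results.append((fqdn, "missing"))       # hostname will drop off the certificate
            continue
        target, ttl = answer
        if _fqdn(target).lower() != expected.lower():
            results.append((fqdn, "wrong-target"))  # validation for this host will fail
        elif ttl > MAX_TTL:
            results.append((fqdn, "ttl-too-high"))  # changes propagate too slowly
        else:
            results.append((fqdn, "ok"))
    return results


# Constructed fake DNS answers standing in for a live resolver (hypothetical data).
FAKE_ZONE: Dict[str, Tuple[str, int]] = {
    "_acme-challenge.another-example.com.": ("19ff0875b2.letsencrypt.silverstripe.com.", 60),
    "_acme-challenge.www.another-example.com.": ("94cc5f11c6.letsencrypt.silverstripe.com.", 3600),
    "_acme-challenge.example.com.": ("2531cfda74.letsencrypt.silverstripe.com.", 60),
    "_acme-challenge.dev.example.com.": ("wrong00000.letsencrypt.silverstripe.com.", 60),
    # _acme-challenge.www.example.com. is deliberately absent.
}


def fake_resolve(fqdn: str) -> Optional[Tuple[str, int]]:
    """Offline stand-in for a DNS lookup."""
    return FAKE_ZONE.get(fqdn)


def summarise(text: str = STACK_PAGE_TEXT, resolve: Resolver = fake_resolve) -> Dict[str, str]:
    """Run the full check and return {fqdn: status}."""
    return dict(check_delegations(parse_required_records(text), resolve))


if __name__ == "__main__":
    for fqdn, status in summarise().items():
        print(f"{status:14} {fqdn}")
```

Every record listed on the stack page should come back "ok" before you expect the automation to pick the change up; a "ttl-too-high" result is not fatal but means corrections will take longer to be noticed.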
If you would prefer to use a custom SSL certificate instead, see the separate documentation on custom SSL certificates.