Let's Encrypt Certificates

HTTPS is an important security feature, helping to protect the traffic between an end user and the web servers from man-in-the-middle attacks.

Apart from the security benefits, Google announced that non-secured (HTTP) requests will be shown as "not secure" from July 2018 with the release of Chrome 68, and has introduced HTTPS as a ranking signal.

CWP now utilises Let's Encrypt to automate the creation of certificates to enable HTTPS (SSL/TLS) for websites. If you have existing CWP stacks you wish to migrate to Let's Encrypt, please log a ticket through the CWP Service Desk.

Considerations

CWP proves control of each hostname with a DNS query: the _acme-challenge name for each hostname is pointed by CNAME at CWP's systems, which answer the Let's Encrypt challenge on your behalf. As long as those DNS records exist, our systems will be able to continue to renew the certificate. Removing any of the _acme-challenge CNAME records will remove that hostname from the Let's Encrypt certificate.

With the CWP implementation of Let's Encrypt certificates, the following limitations exist:

  • Unable to use wildcard certificates
  • 20 certificates per week per registered domain (please be aware of this if you are already utilising Let's Encrypt with any of your domains)
  • 100 names (hostnames) per certificate
  • Currently unavailable with premium WAF accounts
  • CWP generated Let's Encrypt certificates can't be exported for external use
  • Only one certificate (Let’s Encrypt or otherwise) can be applied per environment

How can I use it?

Raise a service desk request to tell us which domains you would like covered by the Let's Encrypt certificate.

Once we've configured the domains in our systems, we'll provide you with the required DNS change (and its status) on your CWP stack page.

When CWP systems detect the DNS changes, our automation will complete the Let's Encrypt registration and configure the required services so that the certificate is used.

Configuring DNS CNAME(s)

Your CWP stack page will display the configuration required to set up the Let's Encrypt certificate for a stack.

Let's Encrypt required domain config

  • Each domain to configure is shown above the required DNS records.
  • For each domain, all required DNS record names are listed.
  • For each DNS record, the corresponding CNAME value is provided.
  • The current verification status is shown: a green tick marks a record with the correct configuration, and a red cross marks a record that is not yet ready. Note that this status may take some time to update after DNS records have changed.

To have a certificate cover all the listed hosts, each DNS CNAME record needs to be set up. It is recommended that a TTL of 60 seconds is used where possible, and no more than 300 seconds otherwise.

If you are uncertain about setting up the required DNS records, the information on the stack page should be provided to the appropriate technical contact. For example:

    To whom it may concern,

    Please configure the following DNS records with a TTL of 60 seconds
    
    Domain: another-example.com
    _acme-challenge       CNAME   19ff0875b2.letsencrypt.silverstripe.com.
    _acme-challenge.www   CNAME   94cc5f11c6.letsencrypt.silverstripe.com.
    
    Domain: example.com
    _acme-challenge       CNAME   2531cfda74.letsencrypt.silverstripe.com.
    _acme-challenge.dev   CNAME   887a4d0bb5.letsencrypt.silverstripe.com.
    _acme-challenge.www   CNAME   27ac60d14b.letsencrypt.silverstripe.com.
    
    Kind regards
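
Before replying that the records are in place, it is worth checking them against what DNS actually serves. The script below is an added example (not CWP's or Let's Encrypt's own code): it parses the record list in the stack-page format shown above, builds each fully qualified _acme-challenge name, and reports whether the published CNAME target and TTL match what the stack page asked for. The lookup callable and the DNS answer table are assumptions constructed for the example; in practice you would back `lookup` with a real resolver.

```python
"""Check the _acme-challenge CNAME delegations requested on a CWP stack page.

Added example, not CWP's or Let's Encrypt's own code. The DNS answers below
are constructed; replace `lookup` with a real resolver to check live records.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample in the stack-page format (targets are illustrative).
STACK_PAGE = """
Domain: another-example.com
_acme-challenge       CNAME   19ff0875b2.letsencrypt.silverstripe.com.

Domain: example.com
_acme-challenge       CNAME   2531cfda74.letsencrypt.silverstripe.com.
_acme-challenge.dev   CNAME   887a4d0bb5.letsencrypt.silverstripe.com.
_acme-challenge.www   CNAME   27ac60d14b.letsencrypt.silverstripe.com.
"""

# Constructed DNS answers: fqdn -> (cname target, ttl). The another-example.com
# record is absent (not yet published), dev has a TTL above the 300 s maximum
# recommended on the stack page, and www points at the wrong target.
FAKE_DNS: Dict[str, Tuple[str, int]] = {
    "_acme-challenge.example.com.": ("2531cfda74.letsencrypt.silverstripe.com.", 60),
    "_acme-challenge.dev.example.com.": ("887a4d0bb5.LETSENCRYPT.silverstripe.com", 3600),
    "_acme-challenge.www.example.com.": ("0000000000.letsencrypt.silverstripe.com.", 60),
}

Lookup = Callable[[str], Optional[Tuple[str, int]]]
RECORD_RE = re.compile(r"^(\S+)\s+CNAME\s+(\S+)$")

def parse_records(text: str) -> List[Tuple[str, str]]:
    """Return (fqdn, expected_target) for each CNAME line under a Domain: header."""
    domain, out = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Domain:"):
            domain = line.split(":", 1)[1].strip().rstrip(".")
            continue
        m = RECORD_RE.match(line)
        if m and domain:  # record names are relative to the current domain
            out.append((f"{m.group(1)}.{domain}.", m.group(2)))
    return out

def check_records(text: str, lookup: Lookup, max_ttl: int = 300) -> Dict[str, str]:
    """Map each fqdn to 'ok', 'missing', 'wrong-target' or 'ttl-too-high'."""
    results = {}
    for fqdn, expected in parse_records(text):
        answer = lookup(fqdn)
        if answer is None:
            results[fqdn] = "missing"
            continue
        target, ttl = answer
        # DNS names are case-insensitive; ignore the trailing dot as well.
        if target.lower().rstrip(".") != expected.lower().rstrip("."):
            results[fqdn] = "wrong-target"
        elif ttl > max_ttl:
            results[fqdn] = "ttl-too-high"
        else:
            results[fqdn] = "ok"
    return results
```

Run `check_records(STACK_PAGE, FAKE_DNS.get)` to see one record in each state; a record that stays "missing" or "wrong-target" is the one that will show a red cross on the stack page.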

Custom certificates

If you would prefer to use a custom SSL certificate, see the custom certificates documentation.
