SSL/HTTPS

Nowadays it is considered good practice to serve every website or application exclusively via HTTPS.

Every website you create is configured to use Auto SSL (Let’s Encrypt) by default: the certificate is requested, issued and renewed automatically. If you need to use your own certificate instead, that is also possible (see Own Certificate).

Independent of the kind of certificate in use, all plain-HTTP requests are redirected to HTTPS (see Advanced Configuration for details) as long as the HTTPS configuration is active. Disabling it in order to serve your application via plain HTTP exposes traffic to interception and tampering and is not recommended.

Auto SSL (Let’s Encrypt)

We support the automatic certificate issuance by Let’s Encrypt. The certificates are automatically renewed 30 days before expiration.

Debug validation problems

To debug validation issues, run autossl-status for a quick overview, or inspect the global Apache error log at /var/log/apache2/error.log as the Generic Admin User for detailed information. The Apache Status page also lists the managed certificates.

  • Make sure that every host listed under Server name resolves to this server’s IP addresses (A and AAAA DNS records). Let’s Encrypt validates against public DNS, so check both record types, including any old AAAA record that may still point elsewhere.

  • Let’s Encrypt validates the domain by requesting a token under /.well-known/acme-challenge/ over plain HTTP. Make sure that no rewrite rule, redirect, access restriction or application route intercepts this path.
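As an added example (not part of the platform’s tooling; the server addresses and host names are placeholders), the following POSIX shell script performs the first check above: it resolves every Server name host and reports any A/AAAA result that does not belong to this server. It uses getent, which goes through the local resolver; Let’s Encrypt queries public DNS, so when in doubt repeat the comparison with dig against an external resolver.

```shell
#!/bin/sh
# Added example: verify that every host listed under "Server name" resolves
# to this server before triggering a Let's Encrypt validation.
# SERVER_ADDRS and the host names are placeholders for your own values.

# Print each A/AAAA address of a host once. getent prints one line per
# address and socket type, so deduplicate on the first column.
resolve_addrs() {  # <host>
  getent ahosts "$1" | awk '!seen[$1]++ { print $1 }'
}

# usage: check_server_names "<ip> [<ip>...]" <host> [<host>...]
# Succeeds only if every host has at least one address and all of its
# addresses belong to this server. A stray AAAA (or A) record that points
# to another machine is reported as a failure.
check_server_names() {
  expected=$1; shift
  rc=0
  for host in "$@"; do
    addrs=$(resolve_addrs "$host") || true
    if [ -z "$addrs" ]; then
      echo "FAIL $host: no A/AAAA record"
      rc=1
      continue
    fi
    for addr in $addrs; do
      case " $expected " in
        *" $addr "*) echo "ok   $host -> $addr" ;;
        *) echo "FAIL $host -> $addr does not belong to this server"; rc=1 ;;
      esac
    done
  done
  return $rc
}

# Stand-alone usage: ./check-dns.sh example.com www.example.com
# (203.0.113.10 and 2001:db8::10 are documentation addresses, replace them)
if [ $# -gt 0 ]; then
  SERVER_ADDRS=${SERVER_ADDRS:-"203.0.113.10 2001:db8::10"}
  check_server_names "$SERVER_ADDRS" "$@"
fi
```

Run it with every host from the Server name field; a non-zero exit status means at least one record has to be fixed before the next validation attempt, which avoids burning through the failed-validation rate limit.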

Tip

With apache-reload it is possible to force a revalidation, but be aware that Let’s Encrypt limits failed validations to 5 failures per hostname and hour.

Renewal

Certificates from Let’s Encrypt are valid for 90 days. They are renewed automatically as soon as fewer than 30 days of validity remain. In addition, our monitoring checks the expiry of all certificates.

Export

Existing Let’s Encrypt certificates can be displayed as the Generic Admin User by running letsencrypt-show. This is useful if you want to temporarily use the existing certificate on a new server, e.g. during a migration.

TLS Key Type/Length

By default, the server creates two keys for each website: an EC key (384 bits) and an RSA key (4096 bits). Clients that support it are served the EC certificate, while all others fall back to the RSA one.

Configure your desired key through md_private_keys within the Custom JSON Website Level Configuration:

{
  "md_private_keys": "rsa4096"
}

Hint

The currently supported key algorithms are available in the Let’s Encrypt integration guide.

Warning

We configure and update this value with sane defaults. Override it only when really required and you are aware of the consequences.

Own Certificate

You can add your own certificate by using the SSL cert and SSL key fields within the website’s Advanced tab.

Before installing a custom certificate, please make sure that:

  • your private key matches your certificate

  • all required intermediate certificates are included in the chain

  • you used up-to-date settings when generating your key and certificate signing request (e.g. an RSA key of at least 2048 bits, preferably 4096, or an EC key, and a SHA-256 signature)
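The three checks above, as an added example that is not part of the platform’s tooling: a POSIX shell script using standard openssl commands. File names, host names and the Test-* subjects are placeholders; KEY_OPTS, gen_key_and_csr, key_matches_cert, chain_verifies, key_summary and key_is_strong are names chosen for this example.

```shell
#!/bin/sh
# Added example: checks to run before pasting an own certificate into the
# SSL cert / SSL key fields. File names and host names are placeholders.

# Generate a key and CSR with current settings: RSA 4096 by default (set
# KEY_OPTS to e.g. "-newkey ec -pkeyopt ec_paramgen_curve:secp384r1" for EC)
# and a subjectAltName that lists every host the certificate must cover;
# browsers match hosts against the SAN only, not the CN.
# usage: gen_key_and_csr <basename> <host> [<host>...]
gen_key_and_csr() {
  base=$1; shift
  sans=
  for host in "$@"; do sans="${sans:+$sans,}DNS:$host"; done
  key_opts=${KEY_OPTS:-"-newkey rsa:4096"}
  # shellcheck disable=SC2086  # key_opts is meant to be word-split
  openssl req -new $key_opts -nodes \
    -keyout "$base.key" -out "$base.csr" \
    -subj "/CN=$1" -addext "subjectAltName=$sans" 2>/dev/null
}

# 1. The private key must belong to the certificate: compare the public keys.
key_matches_cert() {  # <key.pem> <cert.pem>
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# 2. The chain must be complete: the server certificate has to verify with
#    the supplied intermediates. Omit the third argument in production so the
#    system trust store is used; the test setup passes its own private root.
chain_verifies() {  # <cert.pem> <intermediates.pem> [<root.pem>]
  if [ -n "${3:-}" ]; then
    openssl verify -untrusted "$2" -CAfile "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
  fi
}

# 3. The key must be of a current type and size. key_summary prints
#    "<type>:<bits>", e.g. rsa:4096 or ec:384.
key_summary() {  # <key.pem>
  txt=$(openssl pkey -in "$1" -noout -text 2>/dev/null) || return 1
  bits=$(printf '%s\n' "$txt" \
    | sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
  case $txt in
    *publicExponent*) printf 'rsa:%s\n' "$bits" ;;
    *)                printf 'ec:%s\n' "$bits" ;;
  esac
}

key_is_strong() {  # <key.pem>: RSA >= 2048 bits (4096 recommended) or EC >= 256
  s=$(key_summary "$1") || return 1
  bits=${s#*:}
  case $s in
    rsa:*) [ "$bits" -ge 2048 ] ;;
    ec:*)  [ "$bits" -ge 256 ] ;;
    *)     return 1 ;;
  esac
}

# Stand-alone usage: ./cert-checks.sh site.key site.pem intermediates.pem
if [ $# -ge 3 ]; then
  key_matches_cert "$1" "$2" && echo "key matches certificate" || echo "KEY MISMATCH"
  chain_verifies "$2" "$3"   && echo "chain verifies"          || echo "CHAIN INCOMPLETE"
  key_is_strong "$1"         && echo "key ok: $(key_summary "$1")" || echo "KEY TOO WEAK: $(key_summary "$1")"
fi
```

A chain check that fails with "unable to get local issuer certificate" is the typical symptom of a missing intermediate; browsers with a cached copy of the intermediate may still show the site as fine, which is why the check should be done with openssl rather than a browser.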

Tip

Please contact us if you are not proficient with this topic. We are happy to guide you through the process and can also order and install custom certificates on your behalf.

Monitoring / Renewal

By providing your own certificate, you are responsible for renewing it in time, before it expires. The issuing Certificate Authority (CA) will most likely send you reminder notifications.

As a safety net, we also monitor the expiration date of such certificates. When it draws near, we will contact you and ask you to replace the certificate promptly.

Advanced Configuration

We make sure that all relevant settings match the current state of the art. Usually there is no need to change them; nevertheless, it is possible and may be required in certain use cases.

Cipher Suite

Configure your desired cipher suite through website::ssl_ciphers within the Custom JSON Server Level Configuration:

{
  "website::ssl_ciphers": "desired-cipher-suites"
}

Warning

We configure and update this value with sane defaults. Override it only when really required and you are aware of the consequences.

Diffie-Hellman parameters

Diffie-Hellman parameters are used by the DHE cipher suites to provide (perfect) forward secrecy. We supply default Diffie-Hellman parameters and update them on a regular schedule. If you want to use your own parameters, you can generate them (4096 bits takes several minutes):

openssl dhparam -out /tmp/dhparam.pem 4096

and configure them through website::ssl_dhparam within the Custom JSON Server Level Configuration. The value is a JSON string, so the line breaks of the PEM file have to be written as \n:

{
  "website::ssl_dhparam": "-----BEGIN DH PARAMETERS-----\nMIICCAKCAgEAoOePp+Uv2M34IA+basW9CBHp/jsZihB3FI8KVRLVFJPIUJ9Llm8F\n...\n-----END DH PARAMETERS-----"
}

HSTS Header

By default, we add an HTTP Strict Transport Security (HSTS) header with a max-age of two years (63072000 seconds) to every SSL-enabled website:

Strict-Transport-Security max-age=63072000 always;

You can alter or remove the supplied default by editing the .htaccess file. Be aware that browsers which have already seen the header refuse plain-HTTP connections to the host until max-age has elapsed, so lower max-age (down to 0) well before you stop serving the site via HTTPS.

Tip

See the OWASP HTTP Strict Transport Security Cheat Sheet for details.

Test

We recommend the following online services for testing: