SSL/HTTPS¶
Enable Auto SSL (Let’s Encrypt) or add your Own Certificate to make your website reachable over HTTPS. Nowadays, this is considered good practice and should be enabled on all websites. When SSL is enabled, access to the website by HTTP is not possible anymore but redirectet to HTTPS instead (Advanced Configuration for details).
Auto SSL (Let’s Encrypt)¶
We support the automatic certificat issuance by Let’s Encrypt. The certificates are automatically renewed 30 days before expiration.
Debug validation problems¶
In order to debug validation issues, you can use autossl-status for an easy overview. Or take a look at the global Apache error logfile at /var/log/apache2/error.log with the Generic Admin User for a detailed information.
Its also possible to get an overview for the Managed Certificates on the Apache Status page.
Make sure that all hosts added to
Server namepoint to the correct server (A and AAAA DNS records).Let’s Encrypt will try to reach your website at the endpoint
/.well-known/acme-challenge/for validation purposes. Make sure that you do not overwrite this path somehow.
Tip
With apache-reload its possible to force a revalidation, but be aware that Let’s Encrypts limits failed validations to 5 failures per server and hour.
Renewal¶
Certificates from Let’s Encrypt will be valid for 90 days. They are renewed automatically as soon as they expire in under 30 days. Furthermore, we check all certificates from our monitoring and will contact you if there are certificates expiring in less than 21 days.
Export¶
Existing Let’s Encrypt certificates can be viewed with the Generic Admin User by running letsencrypt-show.
This is useful if you want to temporarily use the old certificate on a new server.
Own Certificate¶
You can add your own certificate by using the SSL cert and SSL key fields within the desired websites Advanced tab.
Before installing a custom certificate, please make sure that:
your key matches your certificate
all required intermediate certificates are included
you used up-to-date settings to generate your key and signing request
Tip
Please contact us if you are not proficient with this topic. We are happy to guide you through the process and can also order and install custom certificates on your behalf.
Advanced Configuration¶
We will make sure that all required settings do match the state of the art configuration. Usually it is not required to change those settings, nevertheless it is possible and might be required in certain use cases.
Cipher Suite¶
Configure your desired cipher suite trough website::ssl_ciphers
within the Custom JSON Server Level Configuration:
{
"website::ssl_ciphers": "desired-cipher-suites"
}
Warning
We configure and update this value with sane defaults. Overwrite only when really required, and if you are aware of the consequences.
Diffie-Hellman parameters¶
Diffie-Hellman parameters are used for perfect forward secrecy. We supply default Diffie-Hellman parameters and update them on a regular schedule. If you want to use your own Diffie-Hellman parameters, you can generate them:
openssl dhparam -out /tmp/dhparam.pem 4096
and configure them trough website::ssl_dhparam
within the Custom JSON Server Level Configuration:
{
"website::ssl_dhparam": "-----BEGIN DH PARAMETERS-----\nMIICCAKCAgEAoOePp+Uv2M34IA+basW9CBHp/jsZihB3FI8KVRLVFJPIUJ9Llm8F\n...\n-----END DH PARAMETERS-----"
}
HSTS Header¶
By default, we add a HTTP Strict Transport Security (HSTS) header to each SSL enabled website:
Strict-Transport-Security max-age=63072000 always;
You can alter or remove the supplied defaults by editing the .htaccess file.
Tip
See the OWASP HTTP Strict Transport Security Cheat Sheet for details.
Test¶
We recommend the following online services for testing: