What do I need to do to make sure free SSL/TLS support works right?

Posted: Mon Apr 24, 2017 1:27 pm
by Edge100x
The Let's Encrypt verification and activation process has these requirements.
  • The domain registration must continue to use our name servers. This means that Let's Encrypt is not compatible with CloudFlare and other proxy mechanisms that require changing a domain's name server entries.
  • The folder that a subdomain points to must exist and it must be owned by the account.
  • Access to create a '.well-known' folder inside the site's folder must be allowed, and files inside that must be allowed to be created.
  • The '.well-known' folder can't already exist. We will create it as part of the process.
  • Access to view files in the '.well-known' folder via http must be possible. For instance, a request for http://yoursubdomain.yourdomain.com/.well-known/verification-file has to be allowed to go through and load properly (note that the .well-known folder is not otherwise used, so any testing that you do will normally result in a '404' error). This means that if you set up any sort of redirection, such as your own redirection for http to https, you need to make sure that there is an exception for requests to '.well-known' (our own redirect option, enabled via the Domains page, has the appropriate exception).
If any of these aren't true, the certificate setup will fail, and support for https:// on newly-added subdomains will not work.
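The following pre-flight script is an added example and is not part of the original post or the provider's own tooling. It checks the two requirements above that can be tested from outside before adding a subdomain: that the domain's NS records still point at the provider's name servers (a proxy such as CloudFlare shows up here), and that a plain-http request under /.well-known/ reaches the site folder rather than being redirected to https or denied. The probe path, the provider name-server suffix and the use of the `dig` command line tool are assumptions; the real verification file name is chosen by the provider's system, and a 404 for the probe is the expected, passing answer.

```python
"""Pre-flight checks for the Let's Encrypt requirements listed above (added example)."""
import http.client
import subprocess
import sys

# Hypothetical probe path: any unused path under /.well-known/ should answer 404.
PROBE_PATH = "/.well-known/verification-file"
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def check_nameservers(ns_records, provider_ns_suffix):
    """Requirement: every NS record must point at the provider's name servers.

    ns_records: NS hostnames as returned by a DNS lookup (e.g. `dig +short NS`).
    provider_ns_suffix: the provider's name-server domain (assumed placeholder).
    Returns a list of findings; an empty list means the check passed.
    """
    names = [n.rstrip(".").lower() for n in ns_records if n.strip()]
    if not names:
        return ["FAIL: no NS records found for the domain"]
    suffix = provider_ns_suffix.rstrip(".").lower()
    bad = [n for n in names if not n.endswith(suffix)]
    if bad:
        return ["FAIL: NS records not on provider name servers (proxy such as CloudFlare?): "
                + ", ".join(bad)]
    return []


def classify_probe(status, location):
    """Requirement: a plain-http request under /.well-known/ must load from the site folder."""
    if status in REDIRECT_STATUSES:
        loc = (location or "").lower()
        if loc.startswith("https://"):
            return ["FAIL: http->https redirect applies to /.well-known/; add an exception"]
        return ["FAIL: request redirected to %s; exempt /.well-known/ from the redirect"
                % (location or "?")]
    if status in (200, 404):
        return []  # 404 is the normal answer for an unused .well-known path
    if status in (401, 403):
        return ["FAIL: access denied (%d); files under .well-known must be readable over http"
                % status]
    return ["WARN: unexpected status %d for the probe request" % status]


def probe_http(host, path=PROBE_PATH, timeout=10):
    """Send the probe over port 80 WITHOUT following redirects, then classify the reply."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host, "User-Agent": "wellknown-probe/1.0"})
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return classify_probe(resp.status, resp.getheader("Location"))
    finally:
        conn.close()


def lookup_ns(domain):
    """NS lookup via the `dig` CLI (assumed installed); returns [] if unavailable."""
    try:
        out = subprocess.run(["dig", "+short", "NS", domain],
                             capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return []
    return [line.strip() for line in out.stdout.splitlines() if line.strip()]


if __name__ == "__main__":
    # usage: python preflight.py yoursubdomain.yourdomain.com yourdomain.com provider-ns-suffix
    host = sys.argv[1] if len(sys.argv) > 1 else "yoursubdomain.yourdomain.com"
    domain = sys.argv[2] if len(sys.argv) > 2 else host.split(".", 1)[-1]
    ns_suffix = sys.argv[3] if len(sys.argv) > 3 else "example-host.com"  # placeholder
    findings = check_nameservers(lookup_ns(domain), ns_suffix) + probe_http(host)
    for line in findings or ["OK: name servers and /.well-known/ reachability look fine"]:
        print(line)
```

Run it against the subdomain before adding it in the control panel; any FAIL line maps directly to one of the bullet points above, so it tells you what to fix before the 5-10 minute retry cycle described below.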

If you have a subdomain that does not have working Let's Encrypt, you should be able to force our system to attempt to add it again by deleting that single subdomain (not the entire domain), waiting 5 minutes, and re-adding it. As long as the original condition that caused Let's Encrypt to fail has been resolved, the reattempt should succeed another 5-10 minutes after that.

Let's Encrypt certificates are only valid for 90 days. Near the end of that period, our system will attempt to automatically renew your certificate. For the renewal to succeed, the same requirements apply. If the certificate renewal fails, site users will start to see an error in their browsers telling them that the certificate is invalid because it has expired or been revoked.
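Because a failed automatic renewal only becomes visible when visitors start seeing browser errors, a small expiry monitor is worth running on a schedule. The script below is an added example, not part of the original post or the provider's system: it connects to the site over TLS, reads the certificate's notAfter date, and reports how many days remain against a warning threshold. The 14-day threshold is an assumption chosen so that a certificate that has not been renewed near the end of its 90-day life is flagged before it actually expires; a certificate that is already expired fails verification during the handshake, which the script reports as well.

```python
"""Expiry monitor for auto-renewed (90-day) certificates (added example)."""
import datetime
import socket
import ssl
import sys

WARN_DAYS = 14  # assumed threshold: renewal should have happened well before this


def days_until_expiry(not_after, now):
    """not_after: the 'notAfter' string from getpeercert(), e.g. 'Jun 12 08:00:00 2017 GMT'."""
    expires = datetime.datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after),
                                              tz=datetime.timezone.utc)
    return (expires - now).total_seconds() / 86400.0


def assess(not_after, now, warn_days=WARN_DAYS):
    """Classify a certificate's remaining lifetime at time `now`."""
    days = days_until_expiry(not_after, now)
    if days <= 0:
        return "EXPIRED"
    if days <= warn_days:
        return "RENEW_OVERDUE"
    return "OK"


def fetch_not_after(host, port=443, timeout=10):
    """Return the notAfter string of the certificate `host` presents on `port`."""
    ctx = ssl.create_default_context()  # verifies chain, hostname and validity period
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_host(host, now=None):
    """Fetch the live certificate and classify it; verification failures count as broken."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    try:
        not_after = fetch_not_after(host)
    except ssl.SSLCertVerificationError as exc:
        # An expired or revoked certificate never gets past the handshake.
        return "EXPIRED_OR_INVALID", str(exc)
    return assess(not_after, now), "%s (%.1f days left)" % (not_after, days_until_expiry(not_after, now))


if __name__ == "__main__":
    # usage: python cert_monitor.py yoursubdomain.yourdomain.com
    target = sys.argv[1] if len(sys.argv) > 1 else "yoursubdomain.yourdomain.com"
    state, detail = check_host(target)
    print("%s: %s %s" % (target, state, detail))
    sys.exit(0 if state == "OK" else 1)
```

The non-zero exit status makes it easy to wire into cron or a monitoring system; a RENEW_OVERDUE result is the cue to run the delete, wait, and re-add procedure described above while the old certificate is still valid.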

Traditional full SSL (non-Let's-Encrypt) certificates are handled manually and these requirements do not apply to them. Traditional certificates can be used by Pro plan users and are valid for between one and three years.