We have been issuing and automatically installing Let's Encrypt® certificates for a while now. The only manual thing was the trigger of this process. But today, we are glad to announce fully automated Let's Encrypt certificates for everyone!
When you add a domain — which targets Clever Cloud — to an application; it will have its own certificate a few minutes later (up to 12 minutes later).
This has been live since 2018-11-16. Hundreds of certificates have been issued since then. This has been possible thanks to Let's Encrypt, who also extended their rate limiting on their API.
How do we do this?
As explained in the previous blog post, queries to the path used by Let's Encrypt to check the ownership of the domain are routed to our Let's Encrypt integration service. This allows us to process the Let's Encrypt queries, get the certificate and give it to our certificates manager.
Here is what's new. Once a user adds a new domain, we periodically check that we can reach our Let's Encrypt integration service. When we do, we start the usual process et voilà.
What if I want another kind of certificate?
That's not a problem:
If you already have a certificate, we will not create a Let's Encrypt certificate.
How about existing domains?
Existing domains which do not yet have a certificate will all get a Let's Encrypt certificate.
This will be done over the next weeks to come. We can't do this in a single batch for two reasons:
- Let's Encrypt rate limiting (we have extended limits but we still cannot send such a big batch all at once)
- We need to spread this out so that we don't have a big batch of renewals every 3 months
If you don't want to wait, you can simply ask us to enable it.
Next steps
There are a few things yet to come:
- Interface in the console to track the status of the certificates
- Support of wildcard certificates (which will not be quite as automatic because it requires DNS validation; this will require an action from you at first)
One last thing
We are now proud sponsors of Let's Encrypt!