When an Endpoint requires a Certificate to perform SSL / TLS termination on your behalf, you can let Aptible Deploy provision and renew certificates for you (alternatively, you can provide your own with a Custom Certificate).
To do so, simply enable Managed HTTPS when creating your Endpoint. You'll need to provide Aptible Deploy with the Custom Domain name you intend to use so Aptible Deploy knows what certificate to provision.
Managed HTTPS uses Let's Encrypt under the hood. There are two mechanisms Aptible Deploy can use to authorize your domain with Let's Encrypt and provision certificates on your behalf:
For either of these to work, you'll need to create some CNAMEs in the DNS provider you use for your Custom Domain. The CNAMEs you need to create are listed in the Dashboard.
Wildcard domains are not supported either.
HTTP verification relies on Let's Encrypt sending an HTTP request to your app and receiving a specific response (presenting that response is handled by Aptible Deploy).
Unlike http-01 verification, dns-01 verification works with all Endpoints.
DNS verification relies on Let's Encrypt checking for the existence of a DNS TXT record with specific contents under your domain.
For this to work, you must have created a CNAME from
$DOMAIN is your Custom Domain) to an Aptible Deploy-provided validation name. This name is provided in the Dashboard (it's the
acme subdomain of the Endpoint Hostname).
If you are using a wildcard domain, then
$DOMAIN above should be your domain name, but without the leading
Managed TLS supports wildcard domains, which you'll have to verify using dns-01.
When using a wildcard domain, Aptible Deploy automatically creates a SAN certificate for the wildcard and its apex. In other words, if you use
*.$DOMAIN, then your certificate will be valid for any subdomain of
$DOMAIN, as well as for
Let's Encrypt enforces a number of rate limits on certificate generation. In particular, Let's Encrypt limits the number of certificates you can provision per domain every week:
The main limit is **Certificates per Registered Domain** (20 per week). A registered domain is, generally speaking, the part of the domain you purchased from your domain name registrar. For instance, in the name `www.example.com`, the registered domain is `example.com`. In `new.blog.example.co.uk`, the registered domain is `example.co.uk`. We use the [Public Suffix List](https://publicsuffix.org) to calculate the registered domain.
When you enable Managed TLS on an Endpoint, Aptible Deploy will provision an individual certificate for this Endpoint. If you create an Endpoint, provision a certificate for it via Managed TLS, then deprovision the Endpoint, this certificate will still count against your weekly Let's Encrypt rate limit.
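The rate-limit accounting described above, as an added example (not Aptible's or Let's Encrypt's code): it groups provisioned certificates by registered domain and reports how many remain under the 20-per-week limit. The embedded suffix set, the issuance history and the rolling seven-day window are constructed assumptions; a real check would load the full Public Suffix List.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed subset of the Public Suffix List (assumption); load the full
# list from https://publicsuffix.org for real use.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk"}
WEEKLY_LIMIT = 20            # Certificates per Registered Domain, per week
WINDOW = timedelta(days=7)   # assumption: the week is a rolling 7-day window

# Constructed history: (Custom Domain, date its certificate was provisioned).
# Deprovisioned Endpoints stay in the list because their certificates count.
TODAY = date(2024, 1, 15)
ISSUED = (
    [(f"pr-{i}.staging.example.com", date(2024, 1, 12)) for i in range(18)]
    + [("*.example.com", date(2024, 1, 10)),      # one SAN cert: wildcard + apex
       ("app.example.co.uk", date(2024, 1, 14)),
       ("old.example.com", date(2024, 1, 2))]     # older than the window
)


def registered_domain(name):
    """Longest matching public suffix plus the one label to its left."""
    labels = name.lower().rstrip(".").removeprefix("*.").split(".")
    for i in range(len(labels)):          # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{name} is itself a public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"no known public suffix for {name}")


def weekly_usage(issued, today):
    """Certificates per registered domain provisioned within the window."""
    counts = Counter()
    for name, day in issued:
        if today - WINDOW < day <= today:
            counts[registered_domain(name)] += 1
    return counts


def remaining(issued, today):
    """Certificates still available this week, per registered domain."""
    return {d: WEEKLY_LIMIT - n for d, n in weekly_usage(issued, today).items()}


if __name__ == "__main__":
    for domain, left in remaining(ISSUED, TODAY).items():
        print(f"{domain}: {left} certificate(s) left this week")
```

Short-lived Endpoints such as per-branch review apps are what typically exhaust the limit, since every one of them draws from the same registered domain's budget.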