Configure DNS and Provision HTTPS
Learn the specifics of Pantheon's Free and Automated HTTPS, powered by Let's Encrypt.
Pantheon's Global CDN provides free, automated HTTPS for every site launched on the platform. Your HTTPS certificates are fully managed using Let's Encrypt.
An icon within the Domains / HTTPS page indicates that the domain has not yet been correctly routed to Pantheon. Complete the steps below before you provision HTTPS. Adding a Custom Domain now requires Domain Validation via a TXT record; follow the steps outlined here before proceeding with the steps below:
- Access the Live environment in your Pantheon Site Dashboard.
- Navigate to the Domains / HTTPS page.
- Select Details next to the www domain.
- Log in to the DNS host for the domain in a separate window.
- Copy the value provided in the Pantheon Site Dashboard for the required A record, then use it to create an A record wherever you manage DNS. Repeat this step for both of the AAAA records.
- Return to the Domains / HTTPS page in the Pantheon Site Dashboard.
- Click Details next to the bare domain.
- Copy the value provided in the Pantheon Site Dashboard for the required A record, then use it to create an A record wherever you manage DNS. Repeat this step for both of the AAAA records.
- Note that if the Platform detects a CNAME record, the Status will show "Remove this detected record" on the line with the CNAME. Remove the CNAME from the DNS management service to avoid potential issues or interruptions.
When adding the domain to your environment, you may be presented with the option to Verify your domain to provision HTTPS. If you're using a manually managed custom certificate, skip this step by clicking Skip to updating DNS.
Click below for more detailed instructions for your specific DNS host.
DNS Host-Specific Instructions
If you are having difficulties issuing a Let's Encrypt certificate you can run diagnostics at Let's Debug. This tool can identify an array of issues specifically for Let's Encrypt certificates including problems with DNS, nameservers, networking issues, common website misconfigurations, and CA policy issues.
Provision HTTPS
The process to provision certificates kicks off automatically after domain ownership has been verified, and is indicated by the following notice:
Both the bare domain and the www domain will be accessible over HTTPS after the HTTPS status turns green (which may take up to an hour).
Let's Encrypt Certificates
Let's Encrypt is a free, automated, and open certificate authority that aims to make HTTPS the standard for all websites, a goal we share. Pantheon automatically provisions a Let's Encrypt certificate for your site, and always renews it automatically, for no additional cost. Let's Encrypt issued certs are valid for 90 days and we renew them 30 days before expiration.
Requirements for Automated Certificate Renewal
- All A, AAAA, CNAME, DNAME DNS records for any Pantheon-hosted domains (example.com) and/or subdomains (www.example.com or blog.example.com) must point to Pantheon's servers so Let's Encrypt can verify domain ownership.
- AAAA records are not required, but if set must exclusively point to Pantheon.
- Authoritative Name Servers must serve mixed-case lookups, and must not fail CAA lookups.
- CAA records must either not exist for the domain and its parent domains or authorize Let's Encrypt. Note that CAA records are inherited by subdomains.
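The DNS steps above and the renewal requirements just listed can be checked mechanically before you touch production DNS. The script below is an added example, not Pantheon's tooling: it encodes those rules (A and any AAAA must point only at the dashboard values, a detected CNAME must be removed, and the CAA set that governs the name, inherited from parent names under RFC 8659, must permit letsencrypt.org) and runs them over a constructed zone. The A/AAAA values are RFC 5737 / RFC 3849 documentation addresses standing in for the ones your Site Dashboard shows, not Pantheon's real addresses.

```python
"""Offline DNS readiness check for Pantheon Let's Encrypt provisioning.

Encodes the requirements listed on this page: A (and any AAAA) records must
point only at the values the Site Dashboard shows, a CNAME on the name must be
removed, and CAA records (inherited from parent names) must permit Let's Encrypt.
Zone data is passed in as a dict so the check runs offline; in practice you would
fill it from resolver output (e.g. dig) before changing DNS.
"""
from typing import Dict, List

# Constructed placeholders standing in for the A/AAAA values the Site Dashboard
# shows. They are documentation addresses (RFC 5737 / RFC 3849), NOT Pantheon's.
PANTHEON_A = {"203.0.113.10"}
PANTHEON_AAAA = {"2001:db8::a", "2001:db8::b"}

Zone = Dict[str, Dict[str, List[str]]]

# Constructed sample zone: owner name -> record type -> presentation-format values.
SAMPLE_ZONE: Zone = {
    "example.com": {
        "A": ["203.0.113.10"],
        "AAAA": ["2001:db8::a", "2001:db8::b"],
        "CAA": ['0 issue "letsencrypt.org"'],
    },
    # Stale CNAME left over from a previous host: the dashboard flags it for removal.
    "www.example.com": {"CNAME": ["old-host.example.net"]},
    # One AAAA value is wrong, so AAAA does not point exclusively to Pantheon.
    "blog.example.com": {"A": ["203.0.113.10"], "AAAA": ["2001:db8::a", "2001:db8::ffff"]},
    # CAA set on the subdomain itself overrides the parent's and names another CA.
    "shop.example.com": {"A": ["203.0.113.10"], "CAA": ['0 issue "digicert.com"']},
}


def parent_chain(name: str) -> List[str]:
    """'www.example.com' -> ['www.example.com', 'example.com', 'com']."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def effective_caa(name: str, zone: Zone) -> List[str]:
    """CAA RRset that governs `name` (RFC 8659): the closest of the name and its
    ancestors that has one. An empty list means no CAA applies anywhere."""
    for candidate in parent_chain(name):
        rrs = zone.get(candidate, {}).get("CAA", [])
        if rrs:
            return rrs
    return []


def caa_permits(caa_rrs: List[str], ca_domain: str = "letsencrypt.org") -> bool:
    """True if no CAA applies, or an 'issue' tag names ca_domain.
    (issuewild, which governs wildcard names, is not modelled here.)"""
    if not caa_rrs:
        return True
    for rr in caa_rrs:
        _flags, tag, value = rr.split(None, 2)
        issuer = value.strip('"').split(";")[0].strip().lower()
        if tag.lower() == "issue" and issuer == ca_domain:
            return True
    return False


def check_domain(name: str, zone: Zone = SAMPLE_ZONE) -> List[str]:
    """Return the problems the dashboard would report; [] means ready to provision."""
    rrsets = zone.get(name, {})
    problems: List[str] = []
    if rrsets.get("CNAME"):
        problems.append(f"CNAME detected ({rrsets['CNAME'][0]}): remove this detected record")
    a_values = set(rrsets.get("A", []))
    if a_values != PANTHEON_A:
        problems.append(f"A records {sorted(a_values)} must be exactly {sorted(PANTHEON_A)}")
    bad_aaaa = sorted(v for v in rrsets.get("AAAA", []) if v not in PANTHEON_AAAA)
    if bad_aaaa:
        problems.append(f"AAAA must point exclusively to Pantheon; unexpected: {bad_aaaa}")
    governing_caa = effective_caa(name, zone)
    if not caa_permits(governing_caa):
        problems.append(f"CAA does not authorize letsencrypt.org: {governing_caa}")
    return problems


if __name__ == "__main__":
    for host in SAMPLE_ZONE:
        issues = check_domain(host)
        print(f"{host}: {'ready' if not issues else '; '.join(issues)}")
```

Running it reports example.com as ready, www.example.com for its CNAME (and the A record it therefore lacks), blog.example.com for the stray AAAA value, and shop.example.com for a CAA record that names a different CA. The CAA walk is the part people most often get wrong: a record on example.com silently governs every subdomain that has none of its own, which is exactly the inheritance the requirement above warns about.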
Technical Specifications
| | Global CDN with Let's Encrypt | Global CDN with a Custom Certificate |
|---|---|---|
| Certificate Type | Issued by Let's Encrypt | Bring your own |
| Renewal | Automatic | Self-managed (up to you) |
| Inbound IP | Static (shared) | Static (shared) |
| Client Support | 95.55% of browsers; some very old browsers not supported | 95.55% of browsers; some very old browsers not supported * |
| SSL Labs Rating | A+ with HSTS | A+ with HSTS * |
| Protocol | TLS 1.3 with SNI | TLS 1.3 with SNI |
| Ciphers | No weak 3DES cipher | No weak 3DES cipher |
| Delivery | Global CDN | Global CDN |
| Encryption Endpoint | Application Container | Application Container |
* The browser compatibility and SSL Labs scores are guaranteed for Pantheon-provided Let's Encrypt certificates. The same results are typical for a custom certificate from a mainstream CA with mainstream attributes, but not guaranteed. For custom certificates, compatibility and the SSL Labs score depend on attributes of that certificate, such as the number of SAN entries, the CA, and the signing algorithm.
Glossary
HTTPS
HTTPS encrypts and decrypts requests. For more information, see this Google resource.
TLS (Transport Layer Security)
TLS (Transport Layer Security) is a protocol for secure HTTP connections. It replaces its less secure predecessor, the SSL (Secure Sockets Layer) protocol, which we no longer support. Pantheon uses the term HTTPS to refer to secure HTTP connections.
Server Name Indication (SNI)
Server Name Indication (SNI) is a TLS extension that allows multiple secure (HTTPS) websites to be served from the same IP address without requiring all of those sites to use the same certificate; it replaces the expensive, legacy approach of dedicated load balancers.
Troubleshooting HTTPS
HTTPS Doesn't Provision with Incorrect AAAA Configurations
Pantheon cannot begin provisioning HTTPS if the Site Dashboard detects incorrect values set on AAAA records. After you update the records using the recommended values, HTTPS will start to provision automatically. The values for the two AAAA records look similar, but they are distinct.
Certificate Mismatch Browser Warning
If your DNS changes propagate before certificates are fully deployed across the CDN, it's possible to see a certificate mismatch. To avoid this situation, wait a full 60 minutes from starting the upgrade to updating DNS. If you see a certificate mismatch, you can simply wait it out (up to 60 minutes), though you may also be able to see the new service in action more quickly using a different browser or incognito window.
HTTPS Doesn't Provision with Sucuri's Default Settings
By default Sucuri blocks serving the challenges needed to verify domain ownership and issue Let's Encrypt certificates. Contact Sucuri support and request they enable the "Forward Certificate Validation" setting, which allows HTTPS provisioning to complete successfully. Note you'll want to keep this setting enabled, so the certificate will always renew automatically.
Moz Pro 804 HTTPS SSL error
Moz Pro is unable to crawl sites using Server Name Indication (SNI). For information on beta access to SNI support, see Moz Pro, our web crawler, and sites that use SNI (804 HTTPS SSL) error.
403 Permission Denied (Drupal)
The text challenge to pre-provision HTTPS on Pantheon requires adding a .well-known directory to the root of your site. However, Drupal core has a line in the .htaccess file that disallows Apache from serving dot files and folders, which returns a 403 permission denied response. If you see this error while trying to pre-provision HTTPS on Drupal sites, use the Let's Encrypt Challenge contrib module as a workaround.
Addressing Let's Encrypt Rate Limits
Pantheon requests new certificates frequently in order to add domains to existing certificates. This can potentially expose organizations managing many domains to Let's Encrypt rate limits. While sites hosted on Pantheon are not subject to these lower limits, sites hosted off the platform may experience request failures.
If you encounter rate limits, we recommend the following approaches:
- Ask Let's Encrypt to increase your rate limit.
- Consider using another certificate service for sites that are not on Pantheon. For example, educational institutions may want to consider using the Incommon Certificate Service as a workaround.