Skip to main content

Configure DNS and Provision HTTPS

Configure your DNS records and provision HTTPS.


This section provides information on how to configure DNS and provision free, automated HTTPS on Pantheon.

Info:
Note

If your site is already live and serving HTTPS traffic, and will require HTTPS on Pantheon, return to Connect a Domain Name and complete the steps to pre-provision HTTPS before updating DNS to avoid downtime.

Test Locally Before Updating DNS (Optional)

You can validate that HTTPS configuration for the domain is ready on Pantheon by testing locally before you update your DNS.

  1. Access the Live environment in your Pantheon Site Dashboard.

  2. Navigate to the Domains / HTTPS page.

  3. Select Details next to the bare domain.

  4. Copy the A record value provided in the Pantheon Site Dashboard.

  5. Add a line to your local hosts file with the IP address from the previous step followed by the domain name, for example:

      `192.123.456.789 example.com`

    This will tell your computer to look for example.com at the new Pantheon address.

  6. Make sure your site works with HTTPS by entering your domain with HTTPS in the browser (for example, https://www.example.com/).

  7. Remove the edits made to your hosts file when you finish testing.

Configure DNS

The instructions in this section cover the common example.com and www.example.com domain configuration. Refer to Platform and Custom Domains for other domain configurations.

The icon within the Domains / HTTPS page indicates that the domain has not been correctly routed to Pantheon. Complete the steps below before you provision your HTTPS. The addition of a Custom Domain now requires Domain Validation via a TXT record, please follow the steps outlined here before proceeding with the outlined steps below:

  1. Access the Live environment in your Pantheon Site Dashboard.
  2. Navigate to the Domains / HTTPS page.
  3. Select Details next to the www domain.
  4. Log in to the DNS host for the domain in a separate window.
  5. Copy the value provided in the Pantheon Site Dashboard for the required A record, then use it to create an A record wherever you manage DNS. Repeat this step for both of the AAAA records.
  6. Return to the Domains / HTTPS page in the Pantheon Site Dashboard.
  7. Click Details next to the bare domain.
  8. Copy the value provided in the Pantheon Site Dashboard for the required A record, then use it to create an A record wherever you manage DNS. Repeat this step for both of the AAAA records.
    • Note that if the Platform detects a CNAME record, the Status will show Remove this detected record on the line with the CNAME. Remove the CNAME from the DNS management service to avoid potential issues or interruptions.

Click below for more detailed instructions for your specific DNS host.

DNS Host-Specific Instructions

You can run diagnostics at Let's Debug if you are having difficulties issuing a Let's Encrypt certificate. This tool can identify an array of issues specifically for Let's Encrypt certificates, including problems with DNS, nameservers, networking issues, common website misconfigurations, and CA policy issues.

Click here to learn more about DNS settings.

Provision HTTPS

The process to provision certificates kicks off automatically after domain ownership has been verified, and is indicated by the following notice:

HTTPS is provisioning

Both the bare domain and the www domain will be accessible over HTTPS after the HTTPS status turns green (which may take up to an hour):

HTTPS is provisioned

Requirements for Automated Certificate Renewal

  • All A, AAAA, CNAME, DNAME DNS records for any Pantheon-hosted domains (example.com) and/or subdomains (www.example.com or blog.example.com) must point to Pantheon's servers so Let's Encrypt can verify domain ownership.
  • AAAA records are not required, but if set must exclusively point to Pantheon.
  • Authoritative Name Servers must serve mixed-case lookups, and must not fail CAA lookups.
  • CAA records must either not exist for the domain and its parent domains or authorize Let's Encrypt. Note that CAA records are inherited by subdomains.

More Resources