Enable SSL for Secure HTTPS Communication

Edit on GitHub

SSL is a standard for establishing an encrypted link between your Pantheon site and a client (e.g. web browser). You should enable SSL on a custom domain, e.g., www.example.com, if you are transmitting any sensitive data. Loading a valid OpenSSL certificate into a Pantheon environment provisions an SSL load balancer with a dedicated IP address, allowing secure communication over HTTPS. All traffic within the Pantheon infrastructure, from Varnish to application containers, is encrypted.

Steps to Enable SSL

  1. Generate Key and CSR
  2. Get SSL certificate
  3. Load certificate into Pantheon environment
  4. Test SSL (optional, but recommended)
  5. Update DNS
  6. Require SSL for all pages (optional, but recommended)

Generate Key and CSR

Run openssl from the command line to generate a RSA Private Key (.key file) and Certificate Signing Request (.csr file):

openssl req -new -newkey rsa:2048 -nodes -out www_example_com.csr
-keyout www_example_com.key

You'll be prompted interactively to enter information needed to request your certificate. The most important part of this information is the Common Name, which is the domain.

You can also use a tool like the OpenSSL CSR Wizard to generate an openssl command that you can paste into the command line, so you won't be prompted for that information interactively.

The output of openssl should be two files:

www_example_com.csr
www_example_com.key

Get SSL Certificate

Give the CSR to your SSL provider and they will supply you with one or more certificate (.crt or .pem) files. The CSR is not used after you get your certificates.

If the SSL provider asks you to select a web host server type, look for an option that supports OpenSSL, such as Apache with mod_SSL support.

SSL Certificate Types

Multiple Domains with Subject Alternative Names (SANs)

A Subject Alternative Name is a public key certificate that is permitted to identify more than one entity or device. SANs may be the right choice if you need to manage multiple domains with a single certificate. For more information, see SAN Certificates

Wildcard

You can upload the same wildcard SSL certificate for multiple sites that share a domain, and add the correct subdomain to each site's domain tab in the Live environment.

Intermediary Certificates

Your SSL provider may give you an intermediary certificate, which is used establish a chain of trust. If you get more than one intermediary certificate file, you'll need to combine them into one. Your provider may also send you a "certificate authority" or "CA" cert. If you have problems with your intermediate certificate, try https://whatsmychaincert.com/, which tests if the correct certificate chain is being served, and tells you which chain you should be serving.

SSL Providers

We don't specifically recommend one, but here are a few of many SSL providers:

Load Certificate into Pantheon

  1. From your Site Dashboard, select Dev, Test, or Live (most commonly Live).
  2. Select Domains.
  3. Select SSL.
  4. Paste in the requested information and press Add Cert. Site dashboard add SSL certificate step 2

After submitting your certificates, you'll see:

"HTTPS/SSL is enabled for the Live environment with loadbalancer IP: X.X.X.X" under the SSL tab. The Domains tab will be updated with new DNS recommendations.

DNS

There are two options for configuring your DNS when you are using SSL. The platform has support for IPv4 (A records) and IPv6 (AAAA record).

We recommend using an IPv4 address, unless you are familiar with and understand IPv6.

Test SSL

Before you point your DNS to the custom IP address you received after enabling SSL, you may verify that the certificate is correct.

Chrome

Testing SSL is Chrome is similar for other browsers as well.

  1. Point Chrome to the custom IP address you received after enabling SSL: https://x.x.x.x
  2. Click the padlock in the address bar.
  3. Click Certificate Information.
    Image showing to click padlock and Certificate Information
  4. Verify certificate details match the domain(s) you'll point to the site. Certificate information

cURL

Test SSL with cURL by issuing the following command:

$ curl -Ikv https://x.x.x.x --header "Host: mywebsite.com"

The -k option tells cURL to ignore untrusted certificates, but if you pay close attention to the output you'll see that your certificate is being served:

...
* Connected to live-sitename.pantheon.io (x.x.x.x) port 443 (#0)
* TLS 1.2 connection using TLS_DHE_RSA_WITH_AES_128_CBC_SHA
* Server certificate: www.yourdomain.com
...

Require SSL for All Pages

It's a best-practice to put all traffic on your site under HTTPS, which you can accomplish by adding a short PHP snippet to settings.php or wp-config.php. See Pantheon documentation: Redirecting Incoming Requests: Redirecting to HTTPS.

Frequently Asked Questions

What should I do with a GoDaddy gd_bundle.crt?

Use it as the Intermediary Certificate.

Which order do I use for a basic Network Solutions SSL pack?

MYSITE_COM.crt-------------------Cert
UTNAddTrustServer_CA----------Intermediate
mysite_com.key---------------------Private Key

Which Comodo SSL pack should I use?

Visit Comodo's support site to read about SSL packs.

How do I fix a chain file signing key mismatch?

If you see 400: Error the cert at line 1 of the chain file does not sign the main cert, Signing key mismatch it indicates that some part of the chain is out of order. Check that you have the main and intermediary in the right places, and if you have multiple intermediaries check that they're in the right order. Also see https://whatsmychaincert.com/.

What if I receive SSL chain errors on a mobile device?

If you receive SSL chain errors, on a mobile device for example, make sure that the certificate has a certificate authority that supports your use case.

Using an SSL checker (http://www.sslshopper.com/ssl-checker.html) will perform a number of tests, such as the validity of the certificate, expiration date, certificate authority, and validity of the SSL chain. If the certificate is valid, all the responses should be green with no breaks in the SSL chain.

If the SSL chain is broken or you experience issues with mobile versions of the site, we recommend getting an SSL certificate from a different provider or attempting to correct the chain with https://whatsmychaincert.com/.

What about mixed mode? (HTTP and HTTPS for different pages)

If you are transmitting any sensitive data we recommend redirecting all traffic to HTTPS, rather than using mixed mode.