Configure DNS and Provision HTTPS

In this lesson we'll configure DNS and provision free, automated HTTPS on Pantheon.

These instructions cover the common and domain configuration. For other domain configurations, see Platform and Custom Domains.

Configure DNS

The icon within the Domains / HTTPS page indicates that the domain has not been properly routed to Pantheon. The following actions are required:

  1. Access the Live environment in your Pantheon Site Dashboard.
  2. Navigate to the Domains / HTTPS page.
  3. Select Details next to the www domain.
  4. In a separate window, log in to the DNS host for the domain.
  5. Copy the value provided in the Pantheon Site Dashboard for the required CNAME record (e.g.,, then use it to create a CNAME record wherever you manage DNS.
  6. Return to the Domains / HTTPS page in the Pantheon Site Dashboard.
  7. Click Details next to the bare domain.
  8. Copy the value provided in the Pantheon Site Dashboard for the required A record, then use it to create an A record wherever you manage DNS. Repeat this step for both of the AAAA records.

For more detailed instructions pertaining to your specific DNS host, click below:

Provision HTTPS

The process to provision certificates kicks off automatically after the domain has been successfully routed to Pantheon, indicated by the following notice:


Your DNS configuration is correct, and certificate provisioning is queued to start for this domain.
Both the bare domain and the www domain will be accessible over HTTPS once the HTTPS status turns green (which may take up to an hour):


Let’s Encrypt certificate deployed to Pantheon’s Global CDN. Certificate renews automatically with no additional cost.

Requirements for Automated Certificate Renewal

  • All A/AAAA/CNAME/DNAME DNS records for any Pantheon-hosted domains ( and/or subdomains ( or must point to Pantheon's servers so Let's Encrypt can verify domain ownership.
  • AAAA records are not required, but if set must exclusively point to Pantheon.
  • Authoritative Name Servers must serve mixed-case lookups, and must not fail CAA lookups.
  • CAA records must either 1) not exist for the domain and its parent domains or 2) authorize Let's Encrypt. Note that CAA records are inherited by subdomains.