HTTPS on Pantheon's Global CDN
Learn the specifics of Pantheon's Free and Automated HTTPS, powered by Let's Encrypt
Pantheon's new Global CDN provides free, automated HTTPS for every site launched on the platform.
Agency DevOps Training
Get the most out of Global CDN with help from the experts at Pantheon. We deliver custom workshops to help development teams master the platform and improve internal DevOps.
Configure DNS
The icon within the Domains / HTTPS page indicates that the domain has not been properly routed to Pantheon. The following actions are required:
- Access the Live environment in your Pantheon Site Dashboard.
- Navigate to the Domains / HTTPS page.
- Select Details next to the
wwwdomain. - In a separate window, log in to the DNS host for the domain.
- Copy the value provided in the Pantheon Site Dashboard for the required CNAME record (e.g.,
live-yoursite.pantheonsite.io), then use it to create a CNAME record wherever you manage DNS. - Return to the Domains / HTTPS page in the Pantheon Site Dashboard.
- Click Details next to the bare domain.
- Copy the value provided in the Pantheon Site Dashboard for the required A record, then use it to create an A record wherever you manage DNS. Repeat this step for both of the AAAA records.
For more detailed instructions pertaining to your specific DNS host, click below:
Provision HTTPS
The process to provision certificates kicks off automatically after the domain has been successfully routed to Pantheon, indicated by the following notice:
Both the bare domain and theHTTPS
Your DNS configuration is correct, and certificate provisioning is queued to start for this domain.
www domain will be accessible over HTTPS once the HTTPS status turns green (which may take up to an hour):
HTTPS
Let’s Encrypt certificate deployed to Pantheon’s Global CDN. Certificate renews automatically with no additional cost.
Let's Encrypt Certificates
Let's Encrypt is a free, automated, and open certificate authority that aims to make HTTPS the standard for all websites, a goal we share. Pantheon automatically adds your site's domains to a shared Let's Encrypt certificate, and always renews it automatically, with no additional cost. Let's Encrypt issued certs are valid for 90 days and we renew them at least 30 days before expiration.
Requirements for Automated Certificate Renewal
- All A/AAAA/CNAME/DNAME DNS records must point to Pantheon's servers so Let's Encrypt can verify domain ownership.
- AAAA records are not required, but if set must exclusively point to Pantheon.
- Authoritative Name Servers must serve mixed-case lookups, and must not fail CAA lookups.
- CAA records must either 1) not exist for the domain and its parent domains or 2) authorize Let's Encrypt.
Technical Specifications
| Legacy | Global CDN with Let's Encrypt | |
|---|---|---|
| Certificate Type | Bring your own | Shared, issued by Let's Encrypt |
| Renewal | Self-managed (up to you) | Automatic |
| Inbound IP | Static (unique) | Static (shared) |
| Client Support | 96.02% of browsers | 95.55% of Browsers Some very old browsers not supported 1 2 |
| SSL Labs Rating | A | A+ with HSTS |
| Protocol | TLS 1.1 & 1.2 | TLS 1.2 with SNI |
| Ciphers | Weak 3DES Cipher | No Weak 3DES cipher |
| Delivery | US Datacenter | Global CDN |
| Encryption Endpoint | Load Balancer | Application Container |
Frequently Asked Questions
How do I switch my site over to HTTPS from HTTP?
To avoid mixed-content browser warnings and excessive redirects, follow the process described in Switching Sites from HTTP to HTTPS.
How do I upgrade my existing Pantheon site?
Make the switch on an existing Pantheon site by updating DNS for your domains. If your site doesn't have the new combined "Domains/HTTPS" tab, open a support chat to get the upgrade enabled
What level of encryption is provided?
High grade TLS 1.2 encryption with up-to-date ciphers. For a deep analysis of the HTTPS configuration on upgraded sites see this A+ SSL Labs report for https://pantheon.io.
How can I obtain an A+ SSL Labs rating?
Upgrade your site to the Global CDN and then send the HSTS header.
Can I bring my own certificate?
No, but you shouldn't need to buy a dedicated certificate or worry about renewals. For example, wildcard certificates aren't necessary to secure communications for multiple domains, because we will automatically deploy certificates for all domains on your site. The certificates provided by Pantheon on the Global CDN provide end-to-end encryption. Even though certificates are shared, they are still secure. Concerns with shared certificates are cosmetic.
Some customers have purchased expensive certificates, often through an upsell from the certificate authority. Unfortunately, an expensive certificate does not mean increased security. If in doubt, we encourage you to test your site with SSL Labs, compare it to this A+ report, and share it with your client.
If bringing your own certificate is a hard requirement, then we recommend terminating HTTPS through a 3rd-party CDN service provider like Cloudflare, CloudFront, StackPath, etc. Configuration differs depending on provider, so please contact support to discuss your case.
Is HTTPS encryption end-to-end?
Yes! HTTPS is terminated at the CDN edge and traffic is encrypted all the way to the individual application container. This is an improvement over our legacy system that terminated all encryption at the load balancer, and a huge upgrade over setups which use a "mixed mode" strategy of terminating HTTPS at the CDN and then back-ending to the origin over unencrypted clear text communication.
Will HTTPS be available for my site throughout the upgrade process?
Yes! As long as you are following the Dashboard DNS recommendations before starting the upgrade, you will see no interruption in HTTPS service. The process to provision certificates can take up to an hour, after which you can update DNS records without HTTPS interruption.
Existing sites that are live over HTTPS which are not already hosted on Pantheon can pre-provision HTTPS to avoid interruption. If you are unable to prove ownership as described, we recommend a maintenance window.
Note
You cannot pre-provision HTTPS if:
- You cannot host the provided verification file on the current site.
- Your current server doesn't support files without extension names (like IIS with .NET)
If you do not already have HTTPS, there's no need to pre-provision.
How many custom domains are supported?
A paid plan is required to connect custom domains to your site, up to the following limits:
| Basic | Performance S | Performance M | Performance L | Performance XL | Elite | |
|---|---|---|---|---|---|---|
| Custom Domain Limit (per site) | 5 | 10 | 15 | 35 | 70 | 270 |
| Free and managed HTTPS | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Which browsers and operating systems are supported?
All modern browsers and operating systems are supported. For details, see the Handshake Simulation portion of this report.
What about Cloudflare?
Refer to Cloudflare Domain Configuration.
For how long are Let's Encrypt certificates valid and what happens when they expire?
Let's Encrypt certificates are valid for 90 days and are automatically updated on the platform before they expire.
Known Issues
HTTPS doesn't provision with incorrect AAAA configurations
Pantheon cannot not begin provisioning HTTPS if the Site Dashboard detects incorrect values set on AAAA records. Once you update the records using the recommended values, HTTPS will start to provision automatically. The values for AAAA records look similar, but they are distinct.
Certificate Mismatch Browser Warning
If your DNS changes propagate before certificates are fully deployed across the CDN, it's possible to see a certificate mismatch. To avoid this situation, wait a full 60 minutes from starting the upgrade to updating DNS. If you see a certificate mismatch, you can simply wait it out (up to 60 minutes), though you may also be able to see the new service in action more quickly using a different browser or incognito window.
HTTPS doesn't provision with Sucuri's default settings
By default Sucuri blocks serving the challenges needed to verify domain ownership and issue Let's Encrypt certificates. Contact Sucuri support and request they enable the "Forward Certificate Validation" setting, which allows HTTPS provisioning to complete successfully. Note you'll want to keep this setting enabled, so the certificate will always renew automatically.
Moz Pro 804 HTTPS SSL error
Moz Pro is unable to crawl sites using Server Name Indication (SNI). For information on beta access to SNI support, see Moz Pro, our web crawler, and sites that use SNI (804 HTTPS SSL) error.
403 Permission Denied (Drupal)
The text challenge to pre-provision HTTPS on Pantheon requires adding a .well-known directory to the root of your site. However, Drupal core has a line in the .htaccess file that disallows Apache from serving dot files and folders, which returns a 403 permission denied response. If you see this error while trying to pre-provision HTTPS on Drupal sites, use the Let's Encrypt Challenge contrib module as a workaround.
Addressing Let's Encrypt Rate Limits
Pantheon requests new certificates frequently in order to add domains to existing certificates. This can potentially expose organizations managing many domains to Let's Encrypt rate limits. While sites hosted on Pantheon are not subject to these lower limits, sites hosted off the platform may experience request failures.
If you encounter rate limits, we recommend the following approaches:
- Ask Let's Encrypt to increase your rate limit.
- Request that your apex domain (e.g.,
example.edu) be added to the public suffix list by submitting a pull request, which will cause Let's Encrypt to treat every subdomain of the main domain as independent for limit purposes. Also, browsers and malware scanners will treat the subdomains as independent. - Consider using another certificate service for sites that are not on Pantheon. For example, educational institutions may want to consider using the Incommon Certificate Service as a workaround.
CNAME Record Workaround
If your domain's DNS configuration relies on an existing MX or TXT record that intentionally disallows CNAME records, you'll need to use A and AAAA records to configure DNS for subdomains (e.g., www.example.com) instead of CNAMEs.
Note
Replace live-example.pantheonsite.io in the following URLs with the target environment's platform domain.
- Identify the required
Arecord value by querying the target environment's platform domain using a free online tool, such as https://www.whatsmydns.net/#A/live-example.pantheonsite.io. - Do the same for the required
AAAAvalues. For example, https://www.whatsmydns.net/#AAAA/live-example.pantheonsite.io. - Log in to your DNS host and create two AAAA records and one A record for the desired subdomain (e.g.,
www) using the values returned in the steps above.
Glossary
HTTPS
HTTPS encrypts and decrypts requests. For more information, see this Google resource.
TLS (Transport Layer Security)
TLS (Transport Layer Security) is a protocol for secure HTTP connections. It replaces its less secure predecessor, the SSL (Secure Socket Layer) protocol, which we no longer support. Pantheon uses the term HTTPS to refer to secure HTTP connections.
Server Name Indication (SNI)
Server name indication (SNI) is the technology replacing the expensive, legacy load balancers and allows multiple secure (HTTPS) websites to be served off the same IP address, without requiring all those sites to use the same certificate.