Installing TLS Certificates

TLS certificates (updated, more secure, version of SSL) are necessary to enable secure HTTPS connections between a browser and your application. These certificates can be bought online, or generated by Clever Cloud. In that case, we manage the whole process for you.

There is two ways to get HTTPS for your apps:

Let’s Encrypt: Provided by default by Clever Cloud. Free. Nothing to configure.
Your own certificates: If you already have a certificate, you can upload it securely.

Using the provided Let’s Encrypt certificate

We automatically generate certificates when you add a domain name to your app. It’s all you have to do, our internal certificate generator will create a TLS certificate for a domain or a sub-domain.

We do not support wildcard Let’s Encrypt certificates at the moment. If you need a wildcard certificate, you can either generate a Let’s Encrypt certificate yourself or buy one (we can resell one to you, in which case we will deal with the csr generation ourselves, contact the support to know more).

Cloudflare

If you use Cloudflare to manage your domain, the certificate generation could fail depending on your SSL/TLS settings, you will encounter 502 HTTP errors if Cloudflare expects SSL/TLS strict mode and automatically redirects to HTTPS.

To prevent this from happening you can create a page rule to bypass this policy as Let’s Encrypt needs to access the route /.well-known/acme-challenge* via HTTP to generate the certificate:

Define a page rule such as this one:
Create a bypass page rule
We also recommend to disable the cache level.
Turn off HTTP to HTTPS redirection on Cloudflare:
Turn off automatic HTTPS redirection
You can enable Force HTTPS in the information tab of your Clever Cloud application instead.

Debugging Let’s Encrypt communication:

If Let’s Encrypt fails to generate the certificate, you can test that the acme-challenge url works by running:

$ curl http://<your-domain>/.well-known/acme-challenge/test
test

It should return a HTTP 200 OK with the string "test" as the body. If it does not, check your Cloudflare configuration.

Uploading my own certificates

You can upload certificates yourself: https://api.clever-cloud.com/v2/certificates/new

You need to paste a PEM bundle containing (in this order):

the private key
the certificate itself
intermediate certificates

You should create a file.pemcontaining:

-----BEGIN RSA PRIVATE KEY-----
 <the private key>
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<the certificate>
-----END CERTIFICATE-----

You can add optionnal intermediate certificates by appending them to the file as

-----BEGIN CERTIFICATE-----
<the certificate>
-----END CERTIFICATE-----

You should note that .pem files use the unix way of terminating lines with a single line feed character. Make sure your text editor does the same.

Transmitting your files manually (not recommended)

If you need manual operations on the certificates, the most secure way to transfer your certificates is using a signed and encrypted email. Our dedicated email for receiving certificates is ssl@clever-cloud.com.

Security

Do not send any of these files via an unsecure way. The integrity of your certificate may not be guaranteed.

Clever Cloud on Keybase

If your are a Keybase.io user, you can find us at keybase.io/clevercloud.

Clever Cloud’s Public Key (for GPG users)

fingerprint: 03943517934C1FA5ED4E2F61218B86BD5278460F
64-bit: 218B86BD5278460F

Encryption at rest Logs management

Fork this page

On this page