HTTPS and TLS certificates: Always served fresh

Larry Garfield
Larry Garfield
Director of Developer Experience
09 Feb 2021

Never face an expired certificate again.

Platform.sh has offered Transport Layer Security (TLS) certificates for HTTPS connections automatically since early 2017, courtesy of Let’s Encrypt. In the modern age, all websites should be encrypted end to end. The one caveat, though, has been that certificate renewal only happened on deployment. For an actively maintained site getting regular updates, that’s fine. But for fire-and-forget sites that are only updated very rarely, renewal upon deployment can lead to expired certificates, which are decidedly less good for security. Less good is not good, though, so we decided to fix that.

We’re happy to announce that we’ve enabled auto-renewal on all Let’s Encrypt TLS certificates (formerly known as SSL certificates and now represented by this acronym). This change is rolling out now in stages and should be complete within the next month or so.

Redeploy all the sites

The way it works is only a small extension of how renewals work now. Let’s Encrypt certificates are valid for three months. One month before a certificate is due to expire, we have a background process that contacts Let’s Encrypt and asks for a renewed certificate. If for whatever reason that process hiccups (due to rate limits, sunspots, or other issues), it will automatically retry until it gets a new certificate.

That new certificate isn’t active yet, however. New certificates only take effect on the next redeploy. When a new certificate is available, therefore, we now automatically trigger a redeploy. Because the only change in the deploy is “swap in the new certificate,” the process is fast, taking only seconds. No other code or configuration changes.

Custom certificates

If you’re using a custom TLS certificate, we cover those, too. Seven days before a custom certificate is set to expire, we’ll issue a Let’s Encrypt certificate and swap that in instead. If you want to keep using the custom certificate, upload a renewed certificate more than a week before it expires and we’ll leave it alone.

Out with the old

We previously recommended that customers set up a cron task to redeploy their site every two weeks in order to ensure any waiting new certificates were installed. Since we’re now doing that automatically, that cron task is no longer necessary. If you have that cron task running, we recommend you drop it. It won’t hurt anything if it’s still there, but it’s no longer necessary.

The long and short of it is that expired certificates on Platform.sh should be a thing of the past.