• Overview
    Key features
    • Observability
    • Auto-scaling
    • Multiframework
    • Security
    • Django
    • Next.js
    • Drupal
    • WordPress
    • Symfony
    • Magento
    • See all frameworks
    • PHP
    • Python
    • Node.js
    • Ruby
    • Java
    • Go
  • Industries
    • Consumer Goods
    • Media/Entertainment
    • Higher Education
    • Government
    • Ecommerce
  • Pricing
  • Featured articles
    • Switching to Platform.sh can help IT/DevOps organizations drive 219% ROI
    • Organizations, the ultimate way to manage your users and projects
  • Support
  • Docs
  • Login
  • Request a demo
  • Free Trial
Meet Upsun. The new, self-service, fully managed PaaS, powered by Platform.sh.Try it now
Cover image

HTTPS and TLS certificates: Always served fresh

09 February, 2021
Larry Garfield
Larry Garfield
Director of Developer Experience

Never face an expired certificate again.

Platform.sh has offered Transport Layer Security (TLS) certificates for HTTPS connections automatically since early 2017, courtesy of Let's Encrypt. In the modern age, all websites should be encrypted end to end. The one caveat, though, has been that certificate renewal only happened on deployment. For an actively maintained site getting regular updates, that's fine. But for fire-and-forget sites that are only updated very rarely, renewal upon deployment can lead to expired certificates, which are decidedly less good for security. Less good is not good, though, so we decided to fix that.

We're happy to announce that we've enabled auto-renewal on all Let's Encrypt TLS certificates (formerly known as SSL certificates and now represented by this acronym). This change is rolling out now in stages and should be complete within the next month or so.

Redeploy all the sites

The way it works is only a small extension of how renewals work now. Let's Encrypt certificates are valid for three months. One month before a certificate is due to expire, we have a background process that contacts Let's Encrypt and asks for a renewed certificate. If for whatever reason that process hiccups (due to rate limits, sunspots, or other issues), it will automatically retry until it gets a new certificate.

That new certificate isn't active yet, however. New certificates only take effect on the next redeploy. When a new certificate is available, therefore, we now automatically trigger a redeploy. Because the only change in the deploy is "swap in the new certificate," the process is fast, taking only seconds. No other code or configuration changes.

Custom certificates

If you're using a custom TLS certificate, we cover those, too. Seven days before a custom certificate is set to expire, we’ll issue a Let's Encrypt certificate and swap that in instead. If you want to keep using the custom certificate, upload a renewed certificate more than a week before it expires and we'll leave it alone.

Out with the old

We previously recommended that customers set up a cron task to redeploy their site every two weeks in order to ensure any waiting new certificates were installed. Since we’re now doing that automatically, that cron task is no longer necessary. If you have that cron task running, we recommend you drop it. It won't hurt anything if it's still there, but it's no longer necessary.

The long and short of it is that expired certificates on Platform.sh should be a thing of the past.

Get the latest Platform.sh news and resources

Related Content

Cover image

Keep your production moving with parallel activities

AboutSecurity and complianceTrust CenterCareersPressContact us
Thank you for subscribing!
Field required
Leader Winter 2023
System StatusPrivacyTerms of ServiceImpressumWCAG ComplianceAcceptable Use PolicyManage your cookie preferencesReport a security issue
© 2024 Platform.sh. All rights reserved.
Supported by Horizon 2020's SME Instrument - European Commission 🇪🇺