API
The Gcore Customer Portal is being updated. Screenshots may not show the current version.
CDN
CDN
BillingCDN resources overviewOrigin groupPurgePrefetchReports
API
Chosen image
Home/CDN/SSL certificates/

Configure Let's Encrypt certificate

If you do not have your own SSL certificate, you can activate the free Let's Encrypt certificate in your account. Let's Encrypt certificates can only be issued for resources with a custom domain name.

Attach a Let's Encrypt certificate

During resource creation

On the Set up initial configuration step, navigate to the SSL section, and turn on the toggle for Enable HTTPS. Then, select Get free Let's Encrypt certificate.

During resource creation

The certificate issuance may take up to 30 minutes after the resource is created. During this time, please do not:

  • disable the HTTPS option,
  • select another certificate,
  • interrupt the issuance of the current certificate.

For created resource

1. Go to CDN and select the CDN resource you want to configure.

CDN resource

2. In the navigation panel, under the General section, click SSL.

General section

3. In the SSL section, turn on the toggle for Enable HTTPS, select Get free Let's Encrypt certificate, and click on Save changes.

SSL section

Issuance with the DNS-01 challenge

We use the HTTP-01 challenge by default to validate your ownership of the domain to which you want to issue the Let’s Encrypt certificate. But sometimes, this challenge type isn’t suitable. For example, if you use multi-CDNs with a balancer, CNAME may answer with the non-Gcore value, and the Let’s Encrypt certificate issuance can fail.

To avoid this problem and make the process more flexible, we have added support for the DNS-01 challenge. You can read more about the principles of its operation in the official documentation.

To use the DNS-01 challenge, you need to:

1. Activate Gcore DNS Hosting in your personal account.

2. Delegate your custom domain name to Gcore's name servers (ns1.gcorelabs.net and ns2.gcdn.services).

3. Enable the use_dns01_le_challenge option. Check our API documentation for help with this.

Notes regarding issuing

  • The time it takes to issue a certificate varies depending on when the CDN resource was created. If you are requesting a certificate for a recently created resource, it may take up to 30 minutes as the configuration has not yet been fully propagated to all CDN servers. However, if the resource's configuration has already been fully propagated, issuing a Let's Encrypt certificate will only take a few minutes.
  • Let's Encrypt requires placing a temporary file at the URL http://<CNAME>/.well-known/acme-challenge/<TOKEN> and making HTTP requests to this file. Before adding a Let's Encrypt certificate, make sure that your CDN resource does not have any rules that block these requests. Examples of such rules include:
    • A rule with /*. This rule will catch any strings and override the hidden rule that is necessary to obtain a certificate.
    • A rule with ((?!(jpeg|gif|png|pdf|jpg|css|js|woff|woff2|ttf)).)*$. This rule will catch all non-static files.

You can check your resource rules using the service regex. If you find a rule that blocks Let's Encrypt certificate issuance, delete the rule or change its pattern. The next time Let's Encrypt sends a request, the certificate issuance should be successful.

If an error occurs during certificate issuance, the Enable HTTPS toggle will be disabled and a notification will be sent to your email.

  • You can only issue a Let's Encrypt certificate for an existing resource. If the CNAME of the resource in the DNS settings is not pointing to the value specified in the setup guide, or the source is not available, the certificate will not be issued.
  • Only one Let's Encrypt certificate can be issued per resource. If you need to add or remove an additional personal domain for a resource, we will reissue the certificate after making the changes. You will receive a warning that the current certificate will only be valid for 30 minutes and will be automatically replaced.
Warning

While the resource is active, the certificate is renewed automatically. An attempt to reissue the certificate will be made 30 days before the expiration of the current certificate. There is only one attempt to reissue the certificate. If the certificate is not reissued, a notification will be sent to your email.

In the event of an unsuccessful attempt to reissue a certificate, the current certificate will remain active for another 30 days. After the certificate's end date, the content will become unavailable via HTTPS.

To avoid interruption of content delivery, please reissue the certificate yourself. To do this, revoke the Let's Encrypt certificate in your account and then .

Revoke a Let's Encrypt certificate

To revoke a certificate, go to the Resource Settings and click Revoke Let's Encrypt certificate in the SSL section.

Revoke a Let's Encrypt certificate

Note: You can also use an API request to replace the Let's Encrypt certificate with your own certificate without having to revoke it.

Restrictions and features of the option

  • A wildcard domain cannot be issued a certificate
  • If a Let's Encrypt certificate is issued, the certificate selector will not be displayed in the resource settings. Personal certificates will become available for selection after revoking Let's Encrypt
  • A Let's Encrypt certificate will not be displayed on the SSL Certificates page
Restrictions and features of the option
  • A certificate is only visible in the settings of the resource for which it is issued.
  • Issuing and revoking a Let's Encrypt certificate does not require saving the Resource Settings.
  • If you are using DNS Cloudflare, be sure not to set the CNAME Flattering option to Flatten all CNAMEs. This will cause Cloudflare to return an A-record instead of a CNAME, which will prevent the issuance of a Let's Encrypt certificate. To successfully issue a Let's Encrypt certificate, set the CNAME Flattering option to Flatten CNAME at root.
Status

Let’s Encrypt issuing statuses

Pre-validation failed

If your CDN resource domain cannot be ACME challenged, you will see a message informing you of the issue and the release button will be inactive. To avoid this problem, follow our dedicated guide.

Pre-validation failed status

Processing

After selecting the “Get free Let’s Encrypt certificate” option, if your CDN resource configurations are correct, the “Processing” status will be displayed in your customer portal while the certificate is being issued.

Processing status

However, if some issues get in the way of the ACME challenge, you will see the following description of the error of issuing. Such an error can occur if a CDN resource is still in the process of creation, for example. The next attempt will occured in fifteen minutes. If you want to accelerate the reattempt, click force retry.

Processing with issue status

Success

If the challenge verification is successful, the certificate will be issued, and you will see the status “Success.” The certificate will also be renewed automatically after three months.

Success status

Failed

After five unsuccessful attempts, the certificate status will be “Failed.” You can fix the error(s) causing failure using our dedicated guide. Click Retry issue to attempt issuance again.

Failed status

Was this article helpful?

Not a Gcore user yet?

Learn more about our next-gen CDN

Go to the product page