HTTPS on Custom Domains
Netlify offers free SSL on all plans with a simple one-click setup.
HTTPS brings a lot of advantages:
- HTTP/2: Boosts your site's performance; HTTP/2 only works when HTTPS is enabled.
- SEO: Google rewards sites that serve HTTPS.
- Analytics: If your visitors come from HTTPS-enabled sites, you only receive referrer information if you support HTTPS as well.
- Content Integrity: Without SSL, free Wi-Fi services can inject ads into your pages.
- Security: If you have a login on a Single Page App or accept form submissions, HTTPS is essential for your users' security and privacy.
Managed vs Custom SSL
Netlify offers three different ways of providing an SSL certificate.
Both of the usual methods (managed and custom) are based on a browser standard called SNI (Server Name Indication). Without SNI, the browser never sends the domain name of the site before the encrypted connection is established, so the server has to pick a certificate before it knows which site is being requested. This means that when you're serving sites for lots of different domains (as our CDN edge nodes do), you need a dedicated IP address for each domain or a very large shared certificate that lists every domain on the service.
With SNI, the browser sends the domain in cleartext before opening an encrypted connection, and this gives our CDN edge nodes a chance to pick the right certificate for the domain and use that for the encryption handshake.
Today SNI works in all modern browsers, but users of long-discontinued browsers like IE on Windows XP or very old Android devices will be unable to access your site over HTTPS without clicking through scary-looking error messages. You might also experience issues with certain automated tools, like PhantomJS before 2.0 (early 2015).
Managed SSL is what the majority of our customers use. We describe this setup in depth in the Netlify Certificates section below.
Custom SSL is a way for you to provide an SSL certificate that matches your specifications - things like a wildcard certificate or an Extended Validation (EV) certificate. If you’d like to provide your own custom certificate, see Custom Certificates below for more details.
Dedicated IP SSL is available on our enterprise plans for people who do not want to use SNI-based certificates. If you want your own unique certificate available to all browsers without requiring SNI and without a shared certificate as fallback, please contact us.
Go to the SSL screen and click “Let’s Encrypt Certificate.” Netlify will then provision a new domain-validated certificate and automatically install it on all our CDN edge nodes. The process normally takes less than a minute from the time you click the button until your site supports HTTPS. In some cases it may take up to 10 minutes for the process to complete successfully - but if it takes longer than that and the button to provision the certificate is not visible after you hard-reload the HTTPS settings page, please contact support.
Note: See the below Troubleshooting section if the automatic provisioning doesn’t seem to work.
Your certificate will include all your domain aliases when it’s issued, but note that DNS also needs to be configured IN ADVANCE for all aliases for us to include them on your certificate. See the troubleshooting section below for more information on confirming the new configuration.
Note: If you have more than 5 aliases that are subdomains of the same domain, you might run into rate limits with our SSL provider. In that case we recommend you provide your own wildcard certificate, or contact support so we can assist in getting them set up with our SSL provider. Please do this before adding any aliases for best results!
If you already have a certificate for your domain and prefer that to Netlify’s domain-validated certificate, you can easily install your own.
Note: Be aware that while Netlify automatically handles renewals for certificates we provision, you’ll have to manually renew and replace your custom certificate yourself before it expires.
To install a certificate, you’ll need the certificate itself in X.509 PEM format (normally this will be a .crt file), the private key you’ve used to request the certificate and a chain of intermediary certificates from your Certificate Authority (CA).
Click “Set Custom Certificate”, and then paste in the certificate, each of the intermediary certificates (also known as the “CA Chain”), and the private key.
Netlify validates that the certificate matches the custom domain for your site and that the DNS record for the domain is pointed at Netlify, and then installs your certificate. If your certificate covers several of your sites (i.e., if it's a wildcard certificate or uses Subject Alternative Names), you only need to install it for one site.
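Before pasting a certificate, its key and the CA chain into the custom-certificate form, it is worth confirming locally that they belong together, that the certificate covers every custom domain and alias, and how long it has left (custom certificates are not renewed for you). The script below is an added example using the openssl CLI, not Netlify's own tooling; the throwaway self-signed certificate, key and `other.key` it generates are constructed stand-ins for the CA-issued files you would really upload.

```shell
#!/bin/sh
# Added example, not Netlify's own tooling: sanity-check a custom certificate,
# its private key and the CA chain before using "Set Custom Certificate".
# Needs the openssl CLI (1.1.1 or newer for -addext). The files below are
# CONSTRUCTED: a throwaway self-signed cert stands in for the CA-issued one
# you would really upload, and other.key is a key that does NOT belong to it.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=example.com" \
    -addext "subjectAltName=DNS:example.com,DNS:www.example.com" \
    -keyout "$WORK/site.key" -out "$WORK/site.crt" >/dev/null 2>&1
openssl genpkey -algorithm RSA -out "$WORK/other.key" >/dev/null 2>&1

# cert_matches_key CRT KEY -> "ok" when the cert's public key is derived from KEY
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    if [ -n "$c" ] && [ "$c" = "$k" ]; then echo ok; else echo mismatch; fi
}

# cert_covers_host CRT HOST -> "ok" when HOST matches the CN or a SAN entry;
# run it once for every custom domain and alias served with this cert
cert_covers_host() {
    if openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q "does match"; then
        echo ok; else echo not-covered; fi
}

# chain_verifies CRT CHAIN ROOTS -> "ok" when CRT chains through the
# intermediates in CHAIN up to a root in ROOTS (e.g. your system CA bundle)
chain_verifies() {
    if openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1; then
        echo ok; else echo broken-chain; fi
}

# cert_expires_within CRT DAYS -> "yes" if the cert expires within DAYS days;
# Netlify does not renew custom certs, so replace it well before this says yes
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        echo no; else echo yes; fi
}

# Stand-alone run: report on the constructed files.
echo "key match:    $(cert_matches_key "$WORK/site.crt" "$WORK/site.key")"
echo "covers www:   $(cert_covers_host "$WORK/site.crt" www.example.com)"
echo "expires<60d:  $(cert_expires_within "$WORK/site.crt" 60)"
```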
Once you have a certificate in place, you can check a box to force SSL. This will both set a redirect from HTTP to HTTPS and add Strict Transport Security headers to every response.
Strict Transport Security makes sure that a “man in the middle” can’t simply serve your users a fake site over HTTP, by telling the browser that once it has visited your site, it should only accept HTTPS connections to that site for the next year.
Warning: once you force HTTPS any browser that visits your site will ONLY connect to the site again via SSL for the next year. So make sure to verify in a browser that SSL is working properly on your site, under all names, before enabling this!
When SSL is enabled for your site, Netlify supports HTTP/2, a new internet protocol engineered for faster web performance.
There are many reasons that adding a Netlify certificate or uploading a Custom certificate might not work. The common causes are listed below, but if they don’t seem to apply to you or you have additional questions, our Support team will be happy to help out!
1. Most importantly, you'll need to configure the DNS for the custom domain before you can provision a Netlify certificate. To provision the certificate, Netlify needs to go through a domain validation process on your behalf, and this step cannot be completed unless the DNS records for your custom domain are already pointing at our servers.
2. Any old DNS settings must have expired from caches. The TTL setting on a DNS record is a timeout in seconds, and that much time must pass before we can expect to create a certificate for your hostname(s).
3. If your site is configured to go through another service (ex: using CloudFlare “acceleration and protection”, or similar), you’ll need to disable that routing before trying to provision a certificate in our UI, so Netlify can handle SSL termination.
4. It is possible that the name servers we use have some old cached values for your hostname(s). You can attempt to accelerate cache expiration for your names using this tool: https://developers.google.com/speed/public-dns/cache
5. It is possible that we will get a certificate for one name (for instance example.com) and not for another (for instance www.example.com or some domain alias). In this case you must contact Support so we can repair the certificate.
One way to check whether your site is well configured is to examine the HTTP response headers from your site at the custom domain name you've configured for our service. You can look in your browser's developer console for these or use a command like:
curl -s -v http://your-newly-configured-hostname.com 2>&1 | grep Server
(You're looking for a response like Server: Netlify. Don't forget to do this for EACH name you've set up, probably something like www.example.com and example.com.)
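The curl check above can be extended to confirm that "force SSL" is fully in effect for a hostname: plain HTTP should redirect to an https:// URL, and the HTTPS response should come from Netlify with a Strict-Transport-Security max-age of at least one year. The script below is an added example, not part of the Netlify docs; the two responses it inspects are constructed samples of what `curl -s -I` returns for the HTTP and HTTPS URLs of a site.

```shell
#!/bin/sh
# Added example, not from the Netlify docs: verify the response headers a
# correctly configured, force-HTTPS site should return, for EACH hostname.
# The two responses are CONSTRUCTED samples of what these commands return:
#   curl -s -I http://example.com      (expect a redirect to https)
#   curl -s -I https://example.com     (expect Server: Netlify plus HSTS)
HTTP_RESPONSE='HTTP/1.1 301 Moved Permanently
Location: https://example.com/
Server: Netlify'

HTTPS_RESPONSE='HTTP/2 200
server: Netlify
strict-transport-security: max-age=31536000'

# header NAME RESPONSE -> the header's value (name matched case-insensitively)
header() {
    printf '%s\n' "$2" | tr -d '\r' | awk -v n="$1" '
        index(tolower($0), tolower(n) ":") == 1 { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# check_http RESPONSE -> "ok" when plain HTTP is redirected to an https:// URL
check_http() {
    status=$(printf '%s\n' "$1" | head -n 1 | awk '{print $2}')
    case "$status" in 301|302|307|308) ;; *) echo "no-redirect"; return 1 ;; esac
    case "$(header Location "$1")" in https://*) echo ok ;; *) echo "redirect-not-https"; return 1 ;; esac
}

# check_https RESPONSE -> "ok" when Netlify answers and HSTS covers at least a
# year (31536000 s); anything less means "force SSL" is not fully in effect
check_https() {
    [ "$(header Server "$1")" = "Netlify" ] || { echo "server-not-netlify"; return 1; }
    age=$(header Strict-Transport-Security "$1" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -n "$age" ] && [ "$age" -ge 31536000 ]; then echo ok; else echo "hsts-missing-or-short"; return 1; fi
}

# Stand-alone run over the constructed samples.
echo "http:  $(check_http "$HTTP_RESPONSE")"
echo "https: $(check_https "$HTTPS_RESPONSE")"
```

Run the two checks against every name you serve (www and apex alike) before enabling the force-SSL box, since HSTS pins browsers to HTTPS for a year once it is sent.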
If you’re migrating an existing site and need to complete this process before changing the DNS settings, please get in touch.