How to generate a Let's Encrypt certificate for your domain

Web applications that use the HTTPS protocol require a Digital Certificate. When you redirect your traffic to Azion, you have the option to generate a Let’s Encrypt™ certificate, which is a free and secure way to encrypt data for your edge application. Azion automates the issuance, renewal, and deactivation of this TLS certificate through an internal certificate management solution.

Before you begin

Section titled Before you begin

Azion generates Let’s Encrypt certificates for domains and subdomains registered in the Domain Name System (DNS). Domains can be acquired and registered into DNS zones through a third-party DNS provider, such as GoDaddy or Amazon AWS.

For the purposes of this guide, assume that the fully-qualified domain name (FQDN) that you want to generate a Let’s Encrypt certificate for is a CNAME record www.yourdomain.org under a yourdomain.org DNS zone.

Generating a Let’s Encrypt certificate

Section titled Generating a Let’s Encrypt certificate

You may choose to generate a Let’s Encrypt certificate for domain records hosted in Intelligent DNS or in the external DNS provider of your top-level domain.

To that end, you’ll have to prepare your DNS server and register records for Azion to be able to create and manage your Let’s Encrypt certificate.

Option 1: Preparing DNS entry on Azion Intelligent DNS

Section titled Option 1: Preparing DNS entry on Azion Intelligent DNS

Azion allows you to host DNS zones by redirecting the DNS resolution of a domain to Intelligent DNS. When using Intelligent DNS, all configurations needed are made through Azion Real-Time Manager.

To create a DNS zone for a domain entry www.yourdomain.org in Intelligent DNS:

  1. Access Real-Time Manager (RTM).
  2. On the upper-left corner of the page, click the three horizontal lines to open the Products menu.
  3. Under the section SECURE, select Intelligent DNS.
  4. If you don’t have an active zone, click the Add Zone button.
  5. Give your zone an easy-to-remember name.
  6. Indicate the FQDN as recorded in the DNS. Example: yourdomain.org.
  7. Click the Save button.

For more information on how to redirect your domain’s authoritative DNS servers, see the Intelligent DNS documentation.

Once your DNS resolution has been successfully redirected and is hosted in Intelligent DNS, you can create a new CNAME record for the domain by following the steps:

  1. In the Intelligent DNS page in RTM, select the desired zone.
  2. Navigate to the Records tab.
  3. Under Name, create a hostname or subdomain. Example: www.
  4. Under Type, select CNAME - Canonical name.
  5. Under Value, enter the Azion-provided domain address in FQDN format. Example: xxxxxxxxxx.map.azionedge.net
    • If you don’t have a domain, skip to section Creating a domain for more information.
  6. Set the TTL and Policy as desired.
  7. Click the Save button.

If the CNAME entry listed in your Azion domain has been created in your Intelligent DNS zone, Azion will automatically verify the domain authenticity and the Let’s Encrypt certificate will become active. Go to the section Checking the status of Let’s Encrypt certificates for more information on certificate statuses.

Option 2: Preparing DNS entry with an external DNS provider

Section titled Option 2: Preparing DNS entry with an external DNS provider

If you have a domain registered in an external DNS zone, Azion will verify the domain authenticity in an external DNS provider by completing Let’s Encrypt method called DNS-01 ACME client challenge to issue the certificate.

To allow the DNS-01 challenge to occur:

  1. Access your DNS provider’s website.
  2. Navigate to the DNS management area.
  3. Create a CNAME record for each domain you want to use the certificate. This must be the same CNAME you’ll add to the CNAME field when creating your Azion domain later. Example: www.yourdomain.org
  4. Add a new record to your domain as follows:
NameValueType
_acme-challenge.<your domain>

For example:
_acme-challenge.www.yourdomain.org		<your domain>.letsencrypt.azion.com

Example:
www.yourdomain.org.letsencrypt.azion.com		CNAME
  1. Repeat steps 3 and 4 for every CNAME you intend to add to your Domain.
  2. Save your settings.

Now that the challenge can take place, the next step is to create a domain with Azion.

Creating a domain

Section titled Creating a domain

To create an Azion Domain, you must have an edge application. If you haven’t created an edge application yet, follow the Getting started guide.

Once you have an edge application, you need to create a domain and list the CNAMEs that you want to secure with the Let’s Encrypt certificate. To do so, follow these steps:

  1. Access RTM.
  2. On the upper-left corner, select the three horizontal lines to open the Products menu > Domains.
  3. Click the Add Domain button.
  4. Name your domain. Example: Domain.
  5. Under Edge Certificate, select the option Let’s Encrypt.
  6. Under CNAME, add the FQDN of the domain you created in the previous sections. Example: www.yourdomain.org
  7. Under Edge Application, select the application you created.
  8. Click the Save button.

Checking the status of Let’s Encrypt certificates

Section titled Checking the status of Let’s Encrypt certificates

You can check the status of your Let’s Encrypt TLS certificate by following these steps:

  1. In Real-Time Manager, access the Products menu.
  2. Under EDGE LIBRARIES, select Digital Certificates.
  3. In your digital certificate list, you’ll see a new entry in the format Domain - Let's Encrypt <timestamp>.

The status on the right of the list shows you whether the certificate has been issued. An Active certificate has been verified and issued successfully. A Pending status means the certificate is still undergoing checks in Azion’s internal certificate manager.

Managing a Let’s Encrypt certificate

Section titled Managing a Let’s Encrypt certificate

Once the certificate undergoes DNS validation, it won’t require manual renewal upon expiration, which occurs after 90 days. Deactivation will occur if the certificate is deleted or if the associated domain is deleted from Azion.

Pointing your traffic to Azion

Section titled Pointing your traffic to Azion

Once you have an active Let’s Encrypt certificate, you can point your traffic to Azion by associating your Azion-provided domain address xxxxxxxxxx.map.azionedge.net to your domain’s CNAME record. To do so:

  1. Access RTM.
  2. On the upper-left corner of the page, go to Products menu > Domains.
  3. From the Domains list, copy the Azion-provided domain address that you want to associate to the external domain, which should be in the format xxxxxxxxxx.map.azionedge.net
  4. In another browser tab, access your DNS provider.
  5. Navigate to the DNS management area.
  6. Edit the domain CNAME record with the Let’s Encrypt certificate as follows:
NameValueType
www.yourdomain.orgxxxxxxxxxx.map.azionedge.netCNAME
  1. Save your settings.

Note that there might be a delay in propagation time when you access your application. If that’s the case, you can run the DIG command in your terminal to check whether your domain points to the Azion address.

Contributors