How to generate a Let's Encrypt certificate for your domain

Web applications that use the HTTPS protocol require a Digital Certificate. When you redirect your traffic to Azion, you have the option to generate a Let’s Encrypt™ certificate, which is a free and secure way to encrypt data for your edge application. Azion automates the issuance, renewal, and deactivation of this TLS certificate through an internal certificate management solution.

Let’s Encrypt certificates cross-signed by IdenTrust will expire on September 30th, 2024. Devices and applications using the Let’s Encrypt certificate that uses IdenTrust will become invalid. This could impact the functionality of devices and applications utilizing these certificates, mainly users of older Android devices (pre-7.1). It’ll be necessary to take the following actions:

For users of Let’s Encrypt Certificates with IdenTrust: you must migrate to the new Let’s Encrypt signing technology or an Azion edge certificate.
For users of other types of Let’s Encrypt: no immediate action is necessary, considering other certificates remain unaffected with this update, since the problem is caused by outdated certificate chains on the device.
For user with applications using Let’s Encrypt in Azion: no action needed. Certificates are automatically updated, although an affected device must have its CAs updated as well.

Before you begin

Azion generates Let’s Encrypt certificates for domains and subdomains registered in the Domain Name System (DNS). Domains can be acquired and registered into DNS zones through a third-party DNS provider, such as GoDaddy or Amazon AWS.

For the purposes of this guide, assume that the fully-qualified domain name (FQDN) that you want to generate a Let’s Encrypt certificate for is a CNAME record www.yourdomain.org under a yourdomain.org DNS zone.

Generating a Let’s Encrypt certificate

You may choose to generate a Let’s Encrypt certificate for domain records hosted in Edge DNS or in the external DNS provider of your top-level domain.

To that end, you’ll have to prepare your DNS server and register records for Azion to be able to create and manage your Let’s Encrypt certificate.

Option 1: Preparing DNS entry on Azion Edge DNS

Azion allows you to host DNS zones by redirecting the DNS resolution of a domain to Edge DNS. When using Edge DNS, all configurations needed are made through Azion interface.

To create a DNS zone for a domain entry www.yourdomain.org in Edge DNS:

Access Azion Console > Edge DNS.
If you don’t have an active zone, click the + Zone button.
Give your zone an easy-to-remember name.
Indicate the FQDN as recorded in the DNS. Example: yourdomain.org.
Click the Save button.

Once your DNS resolution has been successfully redirected and is hosted in Edge DNS, you can create a new CNAME record for the domain by following the steps:

Still on the Edge DNS page, select the desired zone.
Navigate to the Records tab.
Click the + Record button.
Under Name, create a hostname or subdomain.
Under Record Type, select CNAME - Canonical name.
Under Value, enter the Azion-provided domain address in FQDN format. Example: xxxxxxxxxx.map.azionedge.net
- If you don’t have a domain, skip to section Creating a domain for more information.
Set the TTL and Policy as desired.
Click the Save button.

If the CNAME entry listed in your Azion domain has been created in your Edge DNS zone, Azion will automatically verify the domain authenticity and the Let’s Encrypt certificate will become active. Go to the section Checking the status of Let’s Encrypt certificates for more information on certificate statuses.

Option 2: Preparing DNS entry with an external DNS provider

If you have a domain registered in an external DNS zone, Azion will verify the domain authenticity in an external DNS provider by completing Let’s Encrypt method called DNS-01 ACME client challenge to issue the certificate.

To allow the DNS-01 challenge to occur:

Access your DNS provider’s website.
Navigate to the DNS management area.
Create a CNAME record for each domain you want to use the certificate. This must be the same CNAME you’ll add to the CNAME field when creating your Azion domain later. Example: www.yourdomain.org
Add a new record to your domain as follows:

Name	Value	Type
`_acme-challenge.<your domain>` For example: `_acme-challenge.www.yourdomain.org`	`<your domain>.letsencrypt.azion.com` Example: `www.yourdomain.org.letsencrypt.azion.com`	CNAME

Repeat steps 3 and 4 for every CNAME you intend to add to your Domain.
Save your settings.

Now that the challenge can take place, the next step is to create a domain with Azion.

Creating a domain

To create an Azion Domain, you must have an edge application. If you haven’t created an edge application yet, check the build an application documentation.

Once you have an edge application, you need to create a domain and list the CNAMEs that you want to secure with the Let’s Encrypt certificate. To do so, follow these steps:

Access Azion Console > Domains.
Click the + Domain button.
Name your domain. Example: Domain.
Under Edge Application, select the application you created.
Under CNAME, add the FQDN of the domain you created in the previous sections. Example: www.yourdomain.org.
Under Digital Certificate, select the option Let’s Encrypt.
Click the Save button.

Checking the status of Let’s Encrypt certificates

You can check the status of your Let’s Encrypt TLS certificate by following these steps:

Access Azion Console > Digital Certificates.
In your digital certificate list, you’ll see a new entry in the format Domain - Let's Encrypt <timestamp>.

The status on the right of the list shows you whether the certificate has been issued. An Active certificate has been verified and issued successfully. A Pending status means the certificate is still undergoing checks in Azion’s internal certificate manager.

Managing a Let’s Encrypt certificate

Once the certificate undergoes DNS validation, it won’t require manual renewal upon expiration, which occurs after 90 days. Deactivation will occur if the certificate is deleted or if the associated domain is deleted from Azion.

Pointing your traffic to Azion

Once you have an active Let’s Encrypt certificate, you can point your traffic to Azion by associating your Azion-provided domain address xxxxxxxxxx.map.azionedge.net to your domain’s CNAME record. To do so:

Access Azion Console > Domains.
From the Domains list, copy the Azion-provided domain address that you want to associate to the external domain, which should be in the format xxxxxxxxxx.map.azionedge.net
In another browser tab, access your DNS provider.
Navigate to the DNS management area.
Edit the domain CNAME record with the Let’s Encrypt certificate as follows:

Name	Value	Type
`www.yourdomain.org`	`xxxxxxxxxx.map.azionedge.net`	CNAME

Save your settings.

Note that there might be a delay in propagation time when you access your application. If that’s the case, you can run the DIG command in your terminal to check whether your domain points to the Azion address.