Use LetsEncrypt With KeyCDN to Enable TLS

LetsEncrypt is a certificate authority that issues SSL certificates free of charge. LetsEncrypt with KeyCDN gives customers a third option when securing their content via SSL from the KeyCDN edge servers to their website’s visitors.

Let’s Encrypt certificates require domain validation in order to properly succeed. To satisfy this validation, the ACME challenge must be passed, which requires you to CNAME your custom CDN URL (e.g. to the domain. This is why you must first create the CNAME record and then add your Zonealias once the DNS record has fully propagated for successful domain validation.

When using our Let’s Encrypt SSL option, there is no need to worry about any certificate and private key information, as all of this happens automatically once LE is chosen. Follow the steps below to set up Let’s Encrypt SSL with your KeyCDN zone.

How To Use LetsEncrypt With KeyCDN

This feature is still in Beta. However, enabling LetsEncrypt with KeyCDN is simple and can be done in just a few steps.

  1. Navigate to your zone’s settings and select Show Advanced Features. Scroll down to the SSL section and from the drop-down list, select the LetsEncrypt option.
  2. Add a CNAME record in your DNS (Zonealias –> Zone URL). DNS changes take some time depending on the TTL. Check that your new DNS record is active with the DNS Check Tool.
  3. Create a Zonealias for that zone.
If your zone already has a Zonealias, you must either remove it before changing the SSL option to LetsEncrypt or recreate it afterwards. Further, you cannot add a Zonealias if the CNAME record is not fully propagated.
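
Because the Zonealias cannot be added until the CNAME has fully propagated, it helps to compare the answer from several resolvers before moving on to step 3. The script below is an added example, not KeyCDN tooling; the hostnames cdn.example.com and examplezone-1a2b.kxcdn.com are placeholders, and the resolver list is an assumption you should replace with the resolvers you care about.

```shell
#!/bin/sh
# Added example: confirm that every resolver returns the expected CNAME
# target before creating the Zonealias. All hostnames are placeholders.

# Lowercase a hostname and drop the trailing root dot so answers compare cleanly.
normalize() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# cname_propagated ALIAS ZONE_URL RESOLVER...
# Returns 0 only if every resolver answers with a CNAME equal to ZONE_URL.
cname_propagated() {
  alias_host=$1
  want=$(normalize "$2")
  shift 2
  rc=0
  for resolver in "$@"; do
    # +short prints only the record data; a missing record prints nothing.
    got=$(dig +short +time=3 +tries=1 CNAME "$alias_host" "@$resolver" | head -n 1)
    got=$(normalize "$got")
    if [ "$got" = "$want" ]; then
      echo "ok      $resolver -> $got"
    elif [ -z "$got" ]; then
      echo "missing $resolver has no CNAME for $alias_host yet"
      rc=1
    else
      # A cached or older record is still being served by this resolver.
      echo "stale   $resolver -> $got (expected $want)"
      rc=1
    fi
  done
  return $rc
}

# Usage (placeholder names, public resolvers chosen as an assumption):
#   cname_propagated cdn.example.com examplezone-1a2b.kxcdn.com 1.1.1.1 8.8.8.8 9.9.9.9
```

A non-zero exit status means at least one resolver still returns no record or an old target, so wait for the TTL to expire and check again before creating the Zonealias.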

Once the above steps are completed you will have secured your website with SSL for content delivery between the KeyCDN edge servers and your end users.

Other Considerations

  • The LetsEncrypt SSL feature is still in Beta, which means there are currently restrictions in place regarding the number of certificates per domain. The current limit is 20 certificates for a registered domain per week. Check out Let’s Encrypt’s complete rate limits post for more details.
  • LetsEncrypt also publicly discloses the certificates they issue with the goal of increasing certificate transparency. This helps eliminate flaws of the SSL certificate system that can weaken the reliability of SSL encrypted connections. Certificates issued by LetsEncrypt can be identified by using the CA Search tool.
  • Upon enabling Let’s Encrypt SSL, delivering assets via SSL using the kxcdn domain is no longer possible and will return an error.
  • Let’s Encrypt certificates are known to be currently incompatible with the following devices:
    • Blackberry OS 10, 7, & 6
    • Android 2.3.5 (HTC Wildfire S, Stock Browser)