Use LetsEncrypt With KeyCDN to Enable TLS

let's encrypt with keycdn

LetsEncrypt is a certificate issuing authority that allows users to issue SSL certificates free of charge. LetsEncrypt with KeyCDN gives customers a third option when securing their content via SSL from the KeyCDN edge servers to their website’s visitors.

Let’s Encrypt certificates require domain validation in order to properly succeed. To satisfy this validation, the ACME challenge must be passed, which requires you to CNAME your custom CDN URL (e.g. cdn.example.com) to the kxcdn.com domain. This is why you must first create the CNAME record and then add your Zonealias once the DNS record has fully propagated for successful domain validation.

When using our Let’s Encrypt SSL option, there is no need to worry about any certificate and private key information as all of this happens automatically once LE is chosen. Follow the steps below to setup Let’s Encrypt SSL with your KeyCDN zone.

How To Use LetsEncrypt With KeyCDN

This feature is still in Beta, however enabling LetsEncrypt with KeyCDN is simple and can be done in just a few steps.

  1. Navigate to your zone’s settings and select Show Advanced Features. Scroll down to the SSL section and from the drop-down list, select the letsencrypt option. 
  2. Add a CNAME record in your DNS (Zonealias –> Zone URL). DNS changes take some time depending on the TTL. Check that your new DNS record is active with the DNS Check Tooldns-check
  3. Create a Zonealias for that Zone.
If your Zone already has a Zonealias, you must either remove it before changing the SSL option to letsencrypt or save it afterwards. Further, you cannot add a Zonealias if the CNAME record is not fully propagated.

Once the above steps are completed you will have secured your website with SSL for content delivery between the KeyCDN edge servers and your end users.

Zero-Downtime Migration to Let’s Encrypt

If you currently have a custom SSL certificate configured but want to migrate to Let’s Encrypt without any downtime, then you must follow these steps:

  1. Create a Zone and Zonealias with a custom SSL certificate
  2. After the changes are fully deployed (approx. 5-10 minutes), change the CNAME accordingly (if not already done)
  3. Switch the SSL option for your Zone from custom to letsencrypt and wait until the Zone is fully re-deployed (wait approx. 5-10 minutes)
  4. Save the Zonealias again (this will issue the LE certificate and attach it to the Zone)

That’s it! Now your KeyCDN Zone is using Let’s Encrypt to deliver your assets over HTTPS. This means that you no longer need to purchase custom SSL certificates for your CDN assets nor do you need to update the certificates once they expire. Let’s Encrypt does this automatically and is completely free.

Other Considerations

  • The LetsEncrypt SSL feature is still in Beta which means there are currently restrictions in place regarding the amount of certificates per domain. The current limitation on certificates / domain is 20 certificates for a registered domain per week. Check out Let’s Encrypt’s complete rate limits post for more details.
  • LetsEncrypt also publicly discloses the certificates they issue with the goal of increasing certificate transparency. This helps eliminate flaws of the SSL certificate system that can weaken the reliability of SSL encrypted connections. Certificates issued by LetsEncrypt can be identified by using the CA Search tool.
  • Upon enabling Let’s Encrypt SSL, delivering assets via SSL using the kxcdn domain is no longer possible and will return an error.
  • Let’s Encrypt certificates are known to be currently incompatible with the following devices:
    • Blackberry OS 10, 7, & 6
    • Android 2.3.5 (HTC Wildfire S, Stock Browser)

11 Comments

  1. Peter Bladen

    I tried this on the cdn i setup but I just receive the error message This server could not prove that it is cdn.(mydomain).com; its security certificate is from*.kxcdn.com. This may be caused by a misconfiguration or an attacker intercepting your connection

  2. Michael Oeser

    I´m trying to get that working for a customer but for some reason I can´t manage it. When I try to add a zone alias I get the error “CNAME record not found. DNS changes take time to propagate depending on the TTL, try again later”

    I added the CNAME record to the hosting environment three days ago and I assume it should be ready.

    Any ideas why this isn´t working?

Leave A Comment?