Streamline Let's Encrypt process to reduce downtime


#1

Here is how I understand the LE workflow:

  1. Create Zone and Alias
  2. CNAME to zoneName-kxcdn.com
  3. Enable Let's Encrypt
  4. Delete Zone Alias <----Site is now down
  5. Create Zone Alias <----Site remains down unless this succeeds.

I have two issues with steps 4 and 5:

  1. When you delete the zone alias, your site goes down over HTTP.
  2. If the Zone Alias fails to recreate, the only option is to:
    a. Wait for the current change to propagate (5 minutes)
    b. Turn off LE
    c. Wait for that change to propagate (5 minutes)
    d. Recreate alias

Is there a way to get Let’s Encrypt HTTPS working without bringing the HTTP site down?


#2

You should first enable the Let’s Encrypt option, then create the CNAME record, and lastly create the Zonealias. https://www.keycdn.com/support/use-letsencrypt-with-keycdn-to-enable-ssl-tls/

If you do it this way then you can avoid downtime and be able to test that your Zonealias is working before implementing the CDN URL into your website. If you create the CNAME/Zonealias first and then enable Let’s Encrypt, it’s inevitable that you’ll need to re-create the Zonealias.


#3

Thanks Cody,
I was not specific on what our use case is.

We are doing static site hosting. So if we have www.example.com, then we will CNAME the DNS of www.example.com to wwwexamplecom-8a4e.kxcdn.com.

We want to put the site on the CDN.
We then take that site live on SSL using LE.
We then redirect to HTTPS.

We are trying to automate this process and I don’t see a way to keep 100% uptime.

Maybe there is a way?

Thanks again for your quick response.


#4

The only way to do it (assuming you have an origin server) would be to point your site back to your origin server, enable LE and then recreate the Zonealias and wait 5 minutes until it is finished deploying. Once that’s done, you could CNAME www.example.com back to wwwexamplecom-8a4e.kxcdn.com.

Otherwise, you will need to use custom SSL which won’t cause any downtime.
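The cutover order described in the two answers above (enable Let’s Encrypt, create the CNAME target, create the Zonealias, then point the public hostname at the CDN) leaves one gap: you want proof that the alias serves a valid certificate before the public CNAME moves. The script below is an added example, not KeyCDN’s code or the poster’s; it assumes www.example.com as the Zonealias and the wwwexamplecom-8a4e.kxcdn.com zone hostname from the thread, and uses `curl --resolve` so the alias can be tested over HTTPS while DNS still points at the origin.

```shell
#!/usr/bin/env bash
# Added example (not KeyCDN's code): pre-cutover checks for the
# "enable LE -> CNAME -> Zonealias -> switch DNS" order from the thread.
set -eo pipefail

ALIAS_HOST="www.example.com"                # assumed Zonealias / public hostname
CDN_HOST="wwwexamplecom-8a4e.kxcdn.com"     # zone hostname quoted in the thread

# Return the first IPv4 address found in `dig +short` style output.
first_ipv4() {
  printf '%s\n' "$1" | grep -E -m1 '^[0-9]+(\.[0-9]+){3}$' || return 1
}

# Succeed when the CNAME chain for the alias ends at the CDN zone hostname.
# $1 = `dig +short` output for the alias, $2 = expected CDN hostname.
cname_points_to_cdn() {
  printf '%s\n' "$1" | grep -qxF "${2}."
}

# Live check (needs network): request https://www.example.com/ but force the
# TCP connection to the CDN edge, so SNI and Host carry the alias hostname and
# curl verifies the Let's Encrypt certificate for it before DNS is switched.
check_alias_tls() {
  local ip
  ip=$(first_ipv4 "$(dig +short "$CDN_HOST")") || { echo "no A record for $CDN_HOST" >&2; return 1; }
  curl -sS -o /dev/null -w '%{http_code}\n' \
    --resolve "${ALIAS_HOST}:443:${ip}" "https://${ALIAS_HOST}/"
}

# After the public CNAME is changed, confirm resolution before redirecting to HTTPS.
check_public_cname() {
  cname_points_to_cdn "$(dig +short "$ALIAS_HOST")" "$CDN_HOST"
}
```

Run `check_alias_tls` first; a non-zero exit means the certificate for the alias is not yet valid on the edge and the DNS change should wait.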


#5

The Let’s Encrypt options (and really all of the serving options) should be tied to the Zonealias, not the zone.

Ideally, when you create a new zone it would auto-create a “default” Zonealias with the zone name e.g. -.kxcdn.com.

Then you would be able to add extra Zonealiases without affecting the original or any subsequently created Zonealiases.


#7

Status: The requested feature has been implemented.


#8