Making a Safer Web
SSL from Let’s Encrypt is totally free and only takes about a minute to install. If you have the ability to click a few buttons, you too can set up a site to show the lock icon in your browser address bar. We handle all the crazy, behind-the-scenes things needed to serve your content securely.
Before enabling SSL on your site, review the steps that make sure your site is ready to serve secure content, so you avoid Insecure Content errors or a broken-looking site.
For Clouds created prior to July 2015, you have to update the NGINX configuration to enable SSL. You can do this by adding a comment to the Web Rules, e.g.,
Enable SSL on your Site
To enable SSL for your site, log in to the MODX Cloud Dashboard and complete the following steps:
- Before proceeding, review your site to ensure it's ready for SSL and that its domains have no AAAA records.
- From the Clouds view, locate the Cloud instance you wish to serve securely.
- Click on the name of the Cloud instance to go to the Cloud Edit view.
- Near the top of the Cloud Edit view, find and click on the Add-ons tab.
- In the SSL section, click the SSL slider to start the install process.
- Click “Install a Free Let’s Encrypt Certificate”.
- If you see a notice about domains or subdomains not covered by the certificate (see Limitations below), you can acknowledge to proceed or exit to correct any issues.
- Click the “Install” button, and wait about one minute for the process to complete.
That’s all folks!
You may also want to review our documentation on configuring your Web Rules for SSL.
Renewals Automatically Occur
Let’s Encrypt certificates, by design, expire every 90 days. But don’t worry: we renew them for you 30 days ahead of time. You shouldn’t have to do anything.
Let’s Encrypt Limitations
There are a few considerations of which to be aware before using Let’s Encrypt:
- Your domain must resolve to MODX Cloud before you can install a Let’s Encrypt certificate. There is no “instant” SSL coverage. If you are switching DNS to MODX Cloud, there will be a brief period of time when your site will not serve content securely while Let’s Encrypt is being deployed (usually no more than a minute or two). If you need uninterrupted, secure SSL coverage for a site moving to MODX Cloud, you should use a custom SSL certificate rather than Let’s Encrypt.
- DNS for your domain must not include IPv6 (AAAA) records. Let’s Encrypt will use IPv6 records when validating your domains, but MODX Cloud does not yet support IPv6.
- Let’s Encrypt certificates issued by MODX Cloud cannot be used elsewhere. The Terms of Service prohibit our providing private keys for any use external to the MODX Cloud infrastructure.
- You must be on one of our current account plans to access self-serve SSL functions, including Free SSL with Let's Encrypt. If you're not on a Basic, Pro, Studio, Business or Premium plan, then you will need to switch to one of these newer plans from your Account Plans page in the MODX Cloud dashboard.
- Testing a domain using a custom hosts file is not possible. Let’s Encrypt certificates will not be issued without the DNS publicly resolving to the intended Cloud instance. You may be able to get around this by using a subdomain, or alternate domain for the testing period, but you’ll need to re-issue your certificate when you switch your domain.
- Extended Validation is not available from Let’s Encrypt. If you need an enhanced green bar for branding purposes, you will need to purchase and use a custom SSL certificate.
- Only 100 domains are supported by Let’s Encrypt on a single Cloud instance. If you have more than this, you need a custom certificate.
- Issuing certificates on multiple Clouds with the same root domain is not recommended (e.g., one Cloud uses www.mysite.com, another Cloud uses yyy.mysite.com, etc.). This puts you at risk of hitting rate limits in the Let’s Encrypt API. We recommend no more than a few Clouds with Let’s Encrypt certificates per root domain.
- No Warranty/Insurance. Most SSL vendors offer some form of monetary insurance with their certificates. If that is important, you need to purchase and use a custom SSL certificate.
- No support for Internet Explorer on Windows XP. Both MODX Cloud and Let’s Encrypt rely on SNI to function, which is not supported by that browser/OS combination. If you must support IE on XP, you will need to choose an alternate web host.
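The DNS requirements in the list above (the domain must publicly resolve to the Cloud instance, and it must have no AAAA records) can be checked before you click Install. The following is an added example, not MODX Cloud's own tooling: it assumes `dig` is installed, uses the public resolver 1.1.1.1, and treats 203.0.113.10 as a placeholder for your Cloud instance's IPv4 address; `preflight`, `dig_lookup`, `sample_lookup` and the sample data are hypothetical names constructed for illustration.

```python
import ipaddress
import subprocess

# Added example: cloud_ip is a placeholder; replace it with your instance's address.
def dig_lookup(name, rtype, resolver="1.1.1.1"):
    """Ask a public resolver, so a local hosts file cannot mask the real answer."""
    cmd = ["dig", "+short", rtype, name, f"@{resolver}"]
    return subprocess.run(cmd, capture_output=True, text=True, timeout=10).stdout.split()

def only_ips(answers):
    """Keep addresses only; dig +short also prints CNAME targets before them."""
    ips = []
    for answer in answers:
        try:
            ips.append(str(ipaddress.ip_address(answer)))
        except ValueError:
            continue
    return ips

def preflight(domains, cloud_ip, lookup=dig_lookup):
    """Return {domain: [problems]}; an empty list means the domain looks ready."""
    report = {}
    for domain in domains:
        problems = []
        v4 = only_ips(lookup(domain, "A"))
        v6 = only_ips(lookup(domain, "AAAA"))
        if not v4:
            problems.append("no public A record")
        elif set(v4) != {cloud_ip}:
            problems.append(f"A record is {', '.join(v4)}, expected {cloud_ip}")
        if v6:
            problems.append(f"AAAA record present: {', '.join(v6)}")
        report[domain] = problems
    return report

# Constructed sample answers (documentation address ranges), not real DNS data.
SAMPLE_DNS = {
    ("www.example.com", "A"): ["203.0.113.10"],
    ("shop.example.com", "A"): ["edge.example.net.", "203.0.113.10"],
    ("shop.example.com", "AAAA"): ["2001:db8::1"],
    ("old.example.com", "A"): ["198.51.100.7"],
}

def sample_lookup(name, rtype):
    return SAMPLE_DNS.get((name, rtype), [])

if __name__ == "__main__":
    names = ["www.example.com", "shop.example.com", "old.example.com"]
    for name, problems in preflight(names, "203.0.113.10", sample_lookup).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

To check real domains, call `preflight(your_domains, your_cloud_ip)` without the third argument so the answers come from `dig`.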
Debugging Let's Encrypt issuance and renewal issues
Using Let's Encrypt in MODX Cloud is usually smooth sailing. However, if you are experiencing issues, you might want to check out our Troubleshooting Let’s Encrypt issues guide.