Automatic TLS is now a thing

We are rolling out new automatic TLS infrastructure that does not require members to set up or maintain anything. This means that, for new sites, aliases will get TLS automatically within a few minutes after they are set up and working. This works transparently with all site types, including custom processes and proxies. It doesn’t cost anything, you don’t have to do anything to set it up, and you don’t have to do anything to renew it.

Existing sites that we can detect to be using tls-setup.sh will be migrated to this setup over the next few weeks. That process is completely transparent, and our system attempts to disable the tls-setup.sh scheduled task once it is complete. Once that’s done, we’ll start adding automatic TLS to other existing sites. Our goal is to have TLS available on all aliases of all sites hosted here by the end of June. We will be monitoring the rollout and taking steps to improve the diagnostics and reporting.

This doesn’t affect the ability of sites to be accessed via HTTP, although we (continue to) strongly discourage that.

If this has been enabled for your site, you’ll see the 🔁 emoji next to aliases other than the permanent .nfshost.com alias in the Site Names & Aliases panel on your Site Information panel in the Member Interface.

Our special thanks to Let’s Encrypt, whose service provider integration makes this possible.

7 Comments »

RSS feed for comments on this post. TrackBack URI

  1. I was wondering why I saw that icon on one of my sites when I looked today.

    Comment by MiquelFire — May 11, 2024 #

  2. That’s awesome, thank you!!

    Comment by Andrew Guyton — May 11, 2024 #

  3. Very cool! Thank you so much.

    I imagine that the service provider integration also involves Let’s Encrypt waiving their individual Terms & Conditions signoff that they would normally require each user to do (besides any technical integration.)

    Comment by Tim McCormack — May 11, 2024 #

  4. That’s correct. That requirement was why we didn’t think we could do this, but it turns out that they’re happy to allow us to do that as long as we’re the ones holding the private keys. -jdw

    Comment by jdw — May 11, 2024 #

  5. Deployed a new site with domain’s DNS still pointing at old host. Set up content, then switched over DNS.

    Automatic TLS didn’t set up correctly because DNS was wrong. Now that it’s correct, I see no way to retry. Guess I just wait.

    Doesn’t this present a problem for anyone attempting a fast cutover between hosting providers?

    Comment by bendodge — May 17, 2024 #

  6. It waits for DNS to be set up correctly before trying in the first place, then retries fairly aggressively (with exponential backoff) if needed. Much moreso than tls-setup.sh did.

    However, we are also still working through the weird edge cases you get when reality doesn’t match the OT&E, and that occasionally leads to delays until we figure it out. That’s likely what you experienced. -jdw

    Comment by jdw — May 17, 2024 #

  7. Well look at that. 😉 Niiice! (And sorry for the hassle in the support forums.)

    Comment by gellenburg — May 18, 2024 #

Leave a comment

All comments are moderated; off-topic comments, requests for tech support, and trolls will not be approved. This blog is our free speech platform, not necessarily yours. If you wish to contact NearlyFreeSpeech.NET, please visit our site or email support@NearlyFreeSpeech.NET.

XHTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Entries Feed and comments Feed feeds. Valid XHTML and CSS.
Powered by WordPress. Hosted by NearlyFreeSpeech.NET.

NFSN