Our Now platform enables you to deploy modern websites and applications without
needing any complicated server configuration. Not only do we automatically
configure DNS records for your domain, we also instantly issue and renew free wildcard SSL
certificates, completely hands-free.
Historically, companies have spent thousands to get
their websites HTTPS-enabled. Not to mention the whole process of issuance, download,
re-upload, reconfigure, restart server with downtime — it's always enormously stressful
and requires significant engineering resources.
So how are we able to make this process automatic and free?
All thanks to Let's Encrypt™, a non-profit whose platform
we utilize to issue SSL certificates to our users.
To support Let's Encrypt's mission to encrypt the web, ZEIT is coming on board as a sponsor.
Let's Encrypt's role has been fundamental in enabling our customers to offer a secure experience to their users.
In this post, we explore how we utilize Let's Encrypt under the hood.
No More Painful and Expensive SSL Certificates
HTTPS plays a fundamental role in enabling privacy and integrity on the web today.
When properly configured, not only does it promise a fast and secure web experience,
it opens you up to better SEO, AMP support, and
trustworthy status.
Labelbox
is one of our great startup customers and a cutting-edge AI company.
They never configured SSL and chose to focus on changing the world through machine learning.
When you deploy with Now, you never need to think about setting up and renewing SSL
certificates for your websites.
Use case 1: Automatic SSL and Renewal
You need an HTTPS-enabled site before you can roll it out to customers.
Now completely automates this for you. Once you purchase a domain
through ZEIT domains or set up an external one,
you can add an alias from the domains tab on the project dashboard.
That's it! The next time you deploy with
now --target production
, we automatically alias your
chosen domain name to the latest deployment, and ensure that they have fresh certificates
installed.
~/front now --target production
> Deploying ~/front under zeit
> Using project front
> https://front-ib06dctig.now.sh [v2] [2s]
┌ front.mdx Ready [38s]
├── index.html (5.08KB)
└── main.js (295.94KB)
> Ready! Aliased to https://zeit.co [3s]
> Deploying ~/front under zeit
> Using project front
> https://front-ib06dctig.now.sh [v2] [2s]
┌ front.mdx Ready [38s]
├── index.html (5.08KB)
└── main.js (295.94KB)
> Ready! Aliased to https://zeit.co [3s]
Deployments made with
now
are automatically HTTPS-enabled.
Use case 2: Automatic Staging for Teams
Your team is constantly introducing new features via pull requests on GitHub or merge requests
on GitLab. Wouldn't it be great to have an instant staging deployment tied to every branch?
As you introduce new changes to the branch, the deployment URL doesn't change and reflects all the updates.
Once the branch is merged to the default branch and deployed, as outlined previously, we automatically
alias to your chosen production domain name, and ensure you have valid certificates.
Under the hood
To enable HTTPS on a website, we need a certificate from a trusted
Certificate Authority (CA), and
for that, all CAs require us to prove that we have control over our domain.
In the case of Let's Encrypt, the issuance communication takes place over ACME, a protocol
introduced via IETF RFC 8555. ACME, which
stands for Automatic Certificate Management Environment, allows for automated
certificate issuance through a series of challenges presented to the owner of
the domain name. When you deploy with Now, we communicate
with Let's Encrypt on your behalf through ACME.
There are two main types of challenges under ACME:
- HTTP challenges: applicable to common domains (e.g
now.sh
) - DNS challenges: required for wildcard domains (e.g
*.now.sh
)
When we request a certificate, Let's Encrypt first examines the domain and presents us
with an appropriate challenge to solve.
In the typical HTTP challenge, we are asked to set up an arbitrary route on our
domain, which contains a token specified by Let's Encrypt. For example, they may want
to make a request at
http://<domain>/.well-known/acme-challenge/1234
and expect to find 2345
at that location.An illustration of the communication around an ACME HTTP challenge between ZEIT and Let's Encrypt.
In a DNS challenge, Let's Encrypt asks us to create a DNS entry with a specific set of prescribed values.
For example, we could be asked to create a
TXT
record with the value ABC
, such that on dig TXT _acme-challenge.<domain>.com +short
they are able to access the matched value.An illustration of the communication around an ACME DNS challenge between ZEIT and Let's Encrypt.
Once issued, we immediately set up the certificate against your domain,
and your website becomes HTTPS-ready.
Conclusion
At ZEIT, our mission is to make the cloud accessible to everyone. We are constantly
observing and working with the developer workflow so we can locate unpleasant experiences and fix them.
By making deployments HTTPS-ready automatically, we are able to free the modern
developer to focus on their core applications and not on server set up.
Our roadmap is
informed by our incredible community of users. We look forward to learning
from your experience deploying with Now.