TLS Certificates
TLS certificates (also known by their outdated/legacy term "SSL certificates") are used to encrypt traffic between a user's browser and the server it is communicating with.
Cycle is capable of automatically generating, installing, and renewing TLS certificates, relieving a common source of problems in DevOps. The platform also supports user-supplied certificates for more advanced use cases.
Order of TLS Certificate Selection
- When the TLS option is selected for a LINKED record, Cycle will first attempt to find a user-supplied TLS certificate that matches the domain the LINKED record points at.
- If it cannot find one, it will then check for an applicable TLS certificate on a wildcard domain.
- Finally, if no pre-existing certificate is found, Cycle will utilize the TLS integration (currently Let's Encrypt) to generate a new TLS certificate.
Generating TLS Certificates
Cycle currently integrates with Let's Encrypt to generate TLS certificates. The process is fully automated when creating a LINKED record.
When the platform generates a new TLS certificate, it is installed into the load balancer, which handles TLS termination, decrypting the traffic and forwarding it unencrypted to the destination container.
TLS Generation Limitations
Up to 3 certificates for the same domain can be created within 1 hour. Afterward, generation will be locked until an hour past the first attempt. This is to ensure the domain doesn't get restricted by Let's Encrypt for too many requests (which can lead to a much longer timeout). If a certificate is created and fails, and a manual attempt isn't made, Cycle will re-attempt every 3 hours.
Automatic Renewal
TLS certificates generated by Cycle will be automatically renewed every 60 days. TLS certificates will expire after 90 days, giving an overlap of 30 days to correct issues in case there is a problem when generating the certificate. If a certificate hasn't yet been renewed after the 60 day mark, Cycle will automatically attempt to renew the record 25, 15, and 1 day before it expires.
User-Supplied TLS Certificates
In some more advanced cases, it may be necessary to use a TLS certificate generated from another certificate authority. Cycle supports uploading the private key and bundle (PEM encoded) directly. Once uploaded, the associated domain(s) will be automatically detected. Any LINKED record created for a matching domain, with TLS enabled, will automatically utilize the user-supplied certificate.
Manual Renewal Required
Cycle cannot automatically renew user-supplied certificates. However, the platform will monitor and alert the hub owner when the expiration time for a user-supplied certificate is within 30 days.
Uploading User-Supplied TLS Certificates
Receiving TLS Encrypted Traffic
TLS traffic is managed by the load balancer service. By default, port 443 accepts TLS
encrypted traffic, and automatically does TLS termination before forwarding the unencrypted traffic to the destination.
For this reason, most containers on Cycle that accept public web traffic have a port configuration that includes 443:80,
where 443 represents the ingress traffic to the load balancer, and 80 represents the (unencrypted) forwarded traffic
to the container.
Configuring TLS On Other Ports
This behavior can be enabled on ports other than 443 using the native load balancer.
TLS Certificate Log
The platform keeps an audit log of all attempts at TLS certificate generation and renewal.
Advanced: Installing TLS Certificates in a Container
Though unrelated to DNS, it may be desired for a container to encrypt traffic manually. For this situation, Cycle supports installing generated TLS certificates directly into a container using a container integration. However, this is generally only necessary in advanced use-cases.