I’m trying to debug an issue with a redirect proxy for an endpoint that’s currently using a self-signed cert. I wanted to check if this is supported? Does Netlify allow self-signs to be proxied?
Hi, @l-monninger. Our service does not support proxying to a site using a self-signed SSL certificate. If the SSL certificate isn’t publicly verifiable with a known CA root, the proxy connection will fail because of a failed SSL negotiation.
We can enter a feature request for self-signed certificate support but I cannot guarantee if such a feature will ever be available. Even if it was available, I’m guessing that would be a paid plan only feature (but I could be wrong).
For a short-term workaround, I recommend getting a publicly verifiable SSL certificate, for example, a free SSL certificate using certbot and Let’s Encrypt:
The downside is that it would require renewal every 60 days if you are following Let’s Encrypt’s recommended best practices. On the other hand, in many cases, that renewal can be automated (just like the automated Let’s Encrypt renewals at Netlify).
The sites at Netlify are already using Let’s Encrypt, so if you are trusting their SSL for the site at Netlify I see no reason not to also use it for the proxy target. (You could have reasons I don’t know about, of course.)
It isn’t a Netlify program (meaning certbot isn’t ours) but I love Let’s Encrypt and would love to see more people using their services and software. If there are questions about how to use certbot, I’m fairly familiar with it and would be happy to troubleshoot it with you here.
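
The check described in the reply above can be reproduced locally before pointing a redirect at a target. This is an added example, not part of the original thread and not Netlify's code. It assumes the local OpenSSL default trust store stands in for the proxy's known CA roots; the host name `proxy-target.example`, the file names and the function names are constructed.

```shell
# Added example: check a certificate the way a validating client would.
# Assumption: OpenSSL's default trust store stands in for the proxy's CA roots.

# Return 0 if the PEM certificate verifies. $2 (optional) is an extra CA
# bundle to trust; without it only the default trust store is used.
cert_is_trusted() {
    cert=$1
    extra_ca=${2:-}
    if [ -n "$extra_ca" ]; then
        openssl verify -CAfile "$extra_ca" "$cert" >/dev/null 2>&1
    else
        openssl verify "$cert" >/dev/null 2>&1
    fi
}

# Return 0 if issuer equals subject, i.e. the certificate is self-issued.
cert_is_self_issued() {
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$subject" = "$issuer" ]
}

# Constructed sample: a throwaway self-signed certificate for a made-up host.
make_self_signed() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=proxy-target.example" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
}

# Print a verdict for one certificate file.
report() {
    if cert_is_trusted "$1"; then
        echo "publicly verifiable: a validating proxy can connect"
    elif cert_is_self_issued "$1"; then
        echo "self-signed: TLS negotiation fails at a validating proxy"
    else
        echo "untrusted chain: issuer is not a known CA root"
    fi
}

# Usage: pass a PEM file as the first argument to get a verdict.
if [ -n "${1:-}" ]; then report "$1"; fi
```

The self-signed certificate only verifies when it is itself supplied as a trusted root (the second argument to `cert_is_trusted`), which is the option the proxy does not offer.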