Installing Netlify SSL Certificate on Other Servers

Hi,

I have a few domains being managed by Netlify behind a few Netlify apps at different subdomains (e.g. app.example.com, demo.example.com). The Let’s Encrypt Certificate auto install feature is great, however I also manage a server at api.example.com and need to set up SSL for it as well.

My question is: is there a way I can continue to have Netlify manage my domains while being able to install an SSL certificate on my API servers managed elsewhere?

I found this question about downloading the Let’s Encrypt certificate, without a very fruitful answer, so it seems that’s not an option. But is there any other way to do this without moving my DNS to something like Cloudflare, which can issue its own certificates?

Any leads or info on where to look further would be much appreciated.

Short answer: unless Netlify support has something hidden up its sleeve, no. Your best bet is to install a Let’s Encrypt certificate on the server you manage via certbot or another related tool that can connect to Let’s Encrypt’s certificate authority.


Longer answer: Let’s Encrypt certificates are tricky things to manage manually, and even moving to Cloudflare won’t give you the same benefits as having the certificate directly. (more on that below)

As was indicated in the post you linked to, it’s not possible to download or obtain a copy of your SSL cert. Let’s Encrypt is very specific in the way it issues certificates, most commonly through a directory or DNS challenge. These certs are issued with a 90-day, no-exceptions expiration and must be refreshed periodically, so even if you could download the cert, you’d have to constantly reinstall it prior to its expiration.

If your service at api.example.com is hosted on another server you’re managing, is there a reason to not use certbot and have Let’s Encrypt issue a certificate for api.example.com?


On moving to Cloudflare for SSL: You mentioned above that you could just as easily move your DNS to Cloudflare, which is totally doable with Netlify; however, you should be aware that any domains pointing to Netlify should not have traffic routed through Cloudflare (so no orange cloud). Read more about that here: [Common Issue] Why not proxy to Netlify?

You’ll also need to keep a certificate deployed at Netlify and not at Cloudflare as described here: [Common Issue] Why isn’t my SSL certificate provisioning automatically with Cloudflare & Netlify? Are there other problems with using Cloudflare in front of Netlify?

Lastly, a word of caution on Cloudflare as an SSL provider: without going into too much detail here, Cloudflare provides various levels of SSL support, most of which will allow you to “enable” SSL on your domain without needing a certificate at the origin, or with a certificate at the origin that isn’t validated on page load. Even if traffic between an end user and Cloudflare is encrypted by SSL, traffic between Cloudflare and your server won’t be encrypted and will still be subject to man-in-the-middle attacks, potential ISP interference and injection, packet sniffing, etc. Additionally, because Netlify doesn’t support proxying to their servers and Cloudflare requires you to proxy through them in order to issue an SSL certificate, you wouldn’t be able to set up an SSL certificate to umbrella over example.com anyway.

Hope this answered your question.

1 Like

Hi, @HoukasaurusRex, and welcome to our Netlify community site. 👍

I just want to add to what @noelforte has said.

If it isn’t a server at Netlify, then you are on your own regarding the SSL certificate. We cannot provide one for it.

There is no way to export the Let’s Encrypt SSL certificate for sites hosted at Netlify. There is a feature request for this, but I’m about as certain as I can be that this feature request will never be created.

There are huge security risks associated with allowing people to download their SSL certificates and we won’t “put our hand into that fire”. In other words, please don’t count on this ever changing. Many people would like to see this become possible with Netlify but I don’t think it ever will be.

You can use Let’s Encrypt to get your own SSL certificates though. Having the domain configured to use Netlify DNS does not prevent you using Let’s Encrypt’s certbot on a different system if you want to get the SSL certificate that way.

If the DNS for the domain name points to a system or systems where you are running certbot, you can get an SSL certificate with Let’s Encrypt that way. It will work with or without Netlify DNS (the DNS service used doesn’t impact certbot as long as the DNS records point to the right system(s)).

You can also buy SSL certificates from third-parties to install on servers. (We do not sell any SSL certificates at Netlify.)

Everything @noelforte said is also true in my experience. All of those points are valid as well.

If there are other questions about this, please let us know.

1 Like
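Both replies above make the same practical point: certbot on the api.example.com box works regardless of where the zone is hosted, and the resulting certificate lives 90 days and must be renewed. The script below is an added example, not code from either reply or from Netlify; it shows the two checks that matter once the certificate is on a server you manage (is the hostname actually in the certificate’s SAN list, and is it inside the renewal window certbot uses). The hostname api.example.com, the 30-day window and the file names are illustrative assumptions, and the certificates it inspects are self-signed stand-ins generated locally so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread above. Checks a certificate on a server
# you manage the way certbot's renewal logic does: SAN match + expiry window.
# api.example.com, the 30-day window and the file names are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Real issuance on the API server (NOT run here: it needs a public host and
# Let's Encrypt's ACME endpoint). The HTTP-01 challenge only requires the
# A/AAAA record for api.example.com to reach this machine on port 80; the zone
# itself can stay at Netlify DNS:
#   sudo certbot certonly --webroot -w /var/www/html -d api.example.com
# certbot also installs a timer that runs "certbot renew", which renews any
# certificate with fewer than 30 days left (the window mirrored below).

# Constructed stand-ins for a Let's Encrypt certificate: a freshly issued
# 90-day one, and one with only 10 days of validity left.
make_stub_cert() {  # make_stub_cert OUTFILE DAYS
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" \
    -out "$1" -days "$2" -subj "/CN=api.example.com" \
    -addext "subjectAltName=DNS:api.example.com" 2>/dev/null
}
make_stub_cert "$WORK/fresh.pem" 90
make_stub_cert "$WORK/old.pem" 10

# san_status CERT HOST -> prints "yes" if HOST is a DNS SAN, else "no".
# Clients match the SAN list, not the CN, so this is the check that matters.
san_status() {
  if openssl x509 -noout -text -in "$1" | grep -qwF "DNS:$2"; then
    echo yes
  else
    echo no
  fi
}

# renewal_status CERT DAYS -> prints "renew" if CERT expires within DAYS days,
# else "ok". "openssl x509 -checkend N" exits 0 only if the certificate is still
# valid at now + N seconds, so no date parsing is needed (works on BSD and GNU).
renewal_status() {
  if openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null; then
    echo ok
  else
    echo renew
  fi
}

for cert in fresh old; do
  printf '%s: san=%s renewal=%s\n' "$cert" \
    "$(san_status "$WORK/$cert.pem" api.example.com)" \
    "$(renewal_status "$WORK/$cert.pem" 30)"
done
```

On a real host you would point `san_status` and `renewal_status` at `/etc/letsencrypt/live/api.example.com/fullchain.pem` instead of the stand-ins; a `renew` result with the certbot timer disabled is exactly the situation the 90-day expiry warning above is about.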

Got it, so since Netlify is hosting the certificates on its CDN it can manage end to end encryption, but if I’m managing my own backend I need to also provision the certificate myself.

In that case, I’ll manage the certificate installation on my server myself and verify it on my Netlify DNS. Thanks for the detailed answers!

1 Like