Getting traffic encrypted

Rebrandly is committed to delivering an HTTPS-first experience for branded links, automatically issuing a valid SSL certificate for each Branded Domain and supporting industry-standard in-transit encryption protocols (>TLS 1.2).

The certificate issuance process is backed by the Let's Encrypt Certificate Authority API service and takes place after the following key events in a Branded Domain's lifecycle:

  • When the branded domain gets verified by the Rebrandly verification system (i.e. it is responsive to Rebrandly ownership checks)
  • When the previously installed SSL certificate is about to expire

The overall time to get a working SSL certificate, and thus to have your branded links work with https://, ranges from 15 minutes to 24 hours.

Installing a custom SSL certificate

If you need to install your own SSL certificate on your own branded domains, reach out to the Rebrandly team to discuss the option.

Troubleshooting SSL issues

If you purchased your domain name via Rebrandly and aren't able to open your links over HTTPS, please reach out to support for assistance.
For domain names you connected to Rebrandly via DNS resource records, please keep reading.

In order for a Branded Domain to have its own SSL certificate installed, please make sure that:

  • Once you connect your Branded Domain to Rebrandly, you don't disconnect it during or after the certificate issuance process (expected to take no more than 24 hours)
  • Your domain name has no CAA Resource Records (see the DNS section of your domain name), or the CAA record includes the Let's Encrypt authority among the allowed ones.
  • Your domain name is configured to point exclusively to Rebrandly: make sure all of your A records are pointing to the Rebrandly IPs. If you have AAAA records configured to point to other systems, please remove them.

Please allow 24 hours for the issuance process to fully take place.
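
The three DNS conditions above can be checked before opening a support ticket. The following is an added example, not Rebrandly's own tooling: it parses `dig +noall +answer` style output and lists what would block issuance. The IPs in `REBRANDLY_IPS` are placeholders, the sample records are constructed, and treating every AAAA record as a blocker is an assumption of this sketch.

```python
# Added example: preflight check of the DNS conditions listed above.
# REBRANDLY_IPS holds placeholder documentation addresses (RFC 5737);
# replace them with the IPs shown in your Rebrandly DNS instructions.
REBRANDLY_IPS = {"192.0.2.10", "192.0.2.11"}   # assumption, not real values
LETSENCRYPT_CAA = "letsencrypt.org"            # Let's Encrypt CAA issuer name

def parse_answers(text):
    """Yield (rtype, rdata) from lines like 'name. 300 IN A 192.0.2.10'."""
    for line in text.splitlines():
        fields = line.split(None, 4)
        if len(fields) == 5 and not line.startswith(";"):
            yield fields[3].upper(), fields[4].strip()

def caa_allows_letsencrypt(caa_rdatas):
    """No 'issue' property means unrestricted; otherwise LE must be listed."""
    issuers = []
    for rdata in caa_rdatas:
        parts = rdata.split(None, 2)            # flags, tag, "value"
        if len(parts) == 3 and parts[1].lower() == "issue":
            value = parts[2].strip('"')
            # Drop optional parameters after ';' (e.g. accounturi=...)
            issuers.append(value.split(";", 1)[0].strip().lower())
    return not issuers or LETSENCRYPT_CAA in issuers

def issuance_blockers(dig_output, allowed_ips=REBRANDLY_IPS):
    """Return a list of problems; an empty list means DNS looks ready."""
    records = list(parse_answers(dig_output))
    a = [d for t, d in records if t == "A"]
    aaaa = [d for t, d in records if t == "AAAA"]
    caa = [d for t, d in records if t == "CAA"]
    problems = []
    if not a:
        problems.append("no A record: domain is not connected")
    problems += [f"A record {ip} is not a Rebrandly IP"
                 for ip in a if ip not in allowed_ips]
    problems += [f"AAAA record {ip} should be removed" for ip in aaaa]
    if not caa_allows_letsencrypt(caa):
        problems.append("CAA records do not authorize letsencrypt.org")
    return problems

# Constructed sample input (not real DNS data)
SAMPLE = """\
links.example.com. 300 IN A 192.0.2.10
links.example.com. 300 IN A 198.51.100.7
links.example.com. 300 IN AAAA 2001:db8::1
links.example.com. 300 IN CAA 0 issue "digicert.com"
"""

if __name__ == "__main__":
    for problem in issuance_blockers(SAMPLE):
        print("BLOCKER:", problem)
```

CAA lookups also climb to parent domains when the name itself has no CAA record set, so run the CAA query against the parent zone as well; this sketch only evaluates the records it is given.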

Dealing with certificate renewal over time: the renewal strategy

The Let's Encrypt Authority issues SSL certificates that are expected to last as long as 3 months.
To avoid any downtime for customers' inbound HTTPS traffic, Rebrandly is committed to anticipating the expiration deadline and getting a brand new SSL certificate for your branded domains.

In general, there is a high chance that the certificate will be re-issued between 30 and 15 days before the expiration day. As the expiration day approaches, the domain name is elected for priority handling and issuance attempts become more frequent for the domain name, reaching as many as 24 issuance attempts per day.

This strategy has been designed to cope with the following edge cases:

  • the domain name was no longer pointing to Rebrandly at the time of the first SSL certificate generation attempt: if you re-wire your DNS settings, the certificate will be there at the first issuance attempt

  • the domain name owner, over time, introduced a restriction on the number of Certificate Authorities (using a CAA Resource Record in DNS) able to issue a certificate for the domain name: this will lead to a permanent failure in issuing a new certificate and requires the customer's attention

  • the domain name owner, over time, introduced an AAAA record or an A record pointing to a system other than Rebrandly: this is also known to represent a problem for the issuance of SSL certificates

  • the Let's Encrypt API is under maintenance or temporarily experiencing an issue on their end. You can subscribe to such events at https://letsencrypt.status.io/. The Rebrandly system commits to keep attempting to generate your SSL certificate until the issue with the Let's Encrypt API is solved.

  • the Rebrandly system is under maintenance or temporarily experiencing an issue on its end. You can subscribe to all potentially impacting events for your traffic at https://status.rebrandly.com

If you find the expiration date is approaching and your branded domain still isn't exposing a new certificate, please reach out to the Rebrandly team.