Today we announce support for free and automatic SSL certificates provided by Let’s Encrypt in Fanout Cloud. To use this feature, simply edit your custom domain in the Fanout control panel and enable “Use Let’s Encrypt for SSL”. Assuming you have a proper CNAME record set up for your custom domain, a certificate will be created and installed within a few minutes.

We integrated Let’s Encrypt not only to make SSL easier to use, but to make custom domains easier to use. Custom domains are an important part of owning your API contract. However, having to manually purchase and manage certificates just to have a custom domain can be a hindrance, especially for users that are unfamiliar with the process or find the cost of certificates prohibitive. Not any longer! With Let’s Encrypt, all you have to do is check a box, and the feature is available to everyone including those on our free plan.

Of course, none of this would be possible without Let’s Encrypt’s amazing free service. We thank them and their sponsors for providing one of the most fundamentally important capabilities of the Internet.

An example

Our Live Counter example API supports SSL using Let’s Encrypt. The project uses Fanout Realm ID d04fd503. The realm has a custom domain api.livecounter.org, and a CNAME record is set up for api.livecounter.org pointing to d04fd503.fanoutcdn.com. The CNAME is needed in the first place so that clients can connect using the custom domain at all, but it is also what allows Let’s Encrypt domain validation to reach our service.

The DNS configuration can be confirmed with dig:

$ dig api.livecounter.org

; <<>> DiG 9.11.3-1ubuntu1.9-Ubuntu <<>> api.livecounter.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46786
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;api.livecounter.org.           IN      A

;; ANSWER SECTION:
api.livecounter.org.    5       IN      CNAME   d04fd503.fanoutcdn.com.
d04fd503.fanoutcdn.com. 4       IN      CNAME   front.sfo2.region.fanout.io.
front.sfo2.region.fanout.io. 4  IN      A       138.197.195.24
front.sfo2.region.fanout.io. 4  IN      A       165.227.27.10
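
As an added check that is not part of the original post, the following Python walks the ANSWER SECTION of a dig run like the one above, follows the CNAME chain from the custom domain, and confirms that it points at the realm's fanoutcdn.com host and ends in A records. The records embedded below are copied from the dig output above; the function names and the maximum hop count are assumptions of this example, not part of Fanout's tooling.

```python
# Answer section lines taken from the dig output above.
DIG_ANSWER = """\
api.livecounter.org.    5       IN      CNAME   d04fd503.fanoutcdn.com.
d04fd503.fanoutcdn.com. 4       IN      CNAME   front.sfo2.region.fanout.io.
front.sfo2.region.fanout.io. 4  IN      A       138.197.195.24
front.sfo2.region.fanout.io. 4  IN      A       165.227.27.10
"""


def parse_answer_section(text):
    """Return (name, type, rdata) tuples from dig ANSWER SECTION lines.

    Names are lower-cased and stripped of the trailing dot so that
    comparisons are not tripped up by DNS case or FQDN notation.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        # Expected shape: owner TTL IN TYPE RDATA
        if len(parts) < 5 or parts[2] != "IN":
            continue
        name, rtype, rdata = parts[0], parts[3], parts[4]
        records.append((name.rstrip(".").lower(), rtype, rdata.rstrip(".").lower()))
    return records


def cname_chain(records, name, max_hops=8):
    """Follow CNAME records starting at `name` and return the names visited.

    Stops at the first name that has no CNAME (the owner of the A records).
    Refuses loops and over-long chains, which are the usual misconfigurations.
    """
    chain = [name.rstrip(".").lower()]
    while len(chain) <= max_hops:
        targets = [rdata for (n, t, rdata) in records if n == chain[-1] and t == "CNAME"]
        if not targets:
            return chain
        if targets[0] in chain:
            raise ValueError("CNAME loop detected: " + " -> ".join(chain + [targets[0]]))
        chain.append(targets[0])
    raise ValueError("CNAME chain longer than %d hops" % max_hops)


def check_custom_domain(records, domain, realm_id):
    """True if `domain` CNAMEs directly to <realm_id>.fanoutcdn.com and the
    chain terminates in at least one A record."""
    expected = "%s.fanoutcdn.com" % realm_id
    chain = cname_chain(records, domain)
    if len(chain) < 2 or chain[1] != expected:
        return False
    final = chain[-1]
    return any(n == final and t == "A" for (n, t, _rdata) in records)


if __name__ == "__main__":
    recs = parse_answer_section(DIG_ANSWER)
    print(" -> ".join(cname_chain(recs, "api.livecounter.org")))
    print("custom domain OK:", check_custom_domain(recs, "api.livecounter.org", "d04fd503"))
```

Running it against the records above prints the three-name chain and `custom domain OK: True`; pointing the check at the wrong realm ID, or at a name that has no CNAME, returns False, which is the state in which an HTTP-01 validation request would never arrive at the service.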

In the Fanout control panel, Let’s Encrypt is enabled on the domain. Enabling the feature initially caused a certificate to be created and installed; since then it has handled ongoing certificate renewal.

With everything set up, here’s a request over HTTPS:

$ curl -H "Accept: text/event-stream" https://api.livecounter.org/counters/1/
event: message
data: 2769
...

Building a streaming API with a custom domain name and SSL has never been so easy!

Under the hood

Our automatic certificate management is implemented using the Python acme library. This is the same library used by the popular Certbot tool.

Requests to the path prefix /.well-known/acme-challenge are answered by our service rather than proxied to origin servers, so that we can perform the HTTP-01 domain validation exchange on behalf of our users.
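
To make the interception concrete, here is an added Python example (not Fanout's code, and not taken from the acme library) of the edge-side routing decision for HTTP-01 validation: a small registry of outstanding challenge tokens per host, and a router that serves the key authorization for a known token, refuses anything else under the well-known prefix, and forwards every other path to the origin. The key authorization is token + "." + the account key's JWK thumbprint (RFC 8555 §8.1, RFC 7638); the account JWK below is a constructed placeholder, and the class, function and parameter names are this example's own.

```python
import base64
import hashlib
import json
import re

ACME_PREFIX = "/.well-known/acme-challenge/"
# ACME tokens are base64url without padding; anything else (including "/"
# or "..") is not a token and must never be looked up or proxied.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Constructed placeholder account key; a real one has a genuine modulus.
CONSTRUCTED_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "placeholder-modulus",
    "kid": "ignored-by-thumbprint",
}


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over the key's required members only,
    serialised with lexically ordered keys and no whitespace, base64url
    without padding. Optional members such as "kid" are excluded."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canon = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canon.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class ChallengeStore:
    """Outstanding HTTP-01 challenges keyed by (host, token)."""

    def __init__(self, account_jwk):
        self.thumbprint = jwk_thumbprint(account_jwk)
        self._tokens = {}

    def register(self, host, token):
        """Record a token the CA is about to probe; returns the key authorization."""
        if not TOKEN_RE.match(token):
            raise ValueError("token is not base64url")
        keyauth = token + "." + self.thumbprint
        self._tokens[(host.lower(), token)] = keyauth
        return keyauth

    def complete(self, host, token):
        """Drop a token once the authorization is valid so it cannot be replayed."""
        self._tokens.pop((host.lower(), token), None)

    def lookup(self, host, token):
        return self._tokens.get((host.lower(), token))


def route(store, host, path):
    """Decide what the edge does with one request.

    Returns ("proxy", None, None) to forward the request to the origin, or
    ("edge", status, body) when the edge answers it itself. Everything under
    the ACME prefix is answered at the edge; nothing there reaches the origin.
    """
    if not path.startswith(ACME_PREFIX):
        return ("proxy", None, None)
    token = path[len(ACME_PREFIX):]
    if not TOKEN_RE.match(token):
        return ("edge", 404, "")
    keyauth = store.lookup(host, token)
    if keyauth is None:
        return ("edge", 404, "")
    return ("edge", 200, keyauth)


if __name__ == "__main__":
    store = ChallengeStore(CONSTRUCTED_ACCOUNT_JWK)
    store.register("api.livecounter.org", "tok-123_abc")
    print(route(store, "api.livecounter.org", "/counters/1/"))
    print(route(store, "api.livecounter.org", ACME_PREFIX + "tok-123_abc"))
    print(route(store, "api.livecounter.org", ACME_PREFIX + "../counters/1/"))
```

Two points are worth keeping when adapting this: the host is part of the lookup key, so a token registered for one custom domain is not served on another, and entries are removed once validation completes so the well-known path exposes nothing after the certificate has been issued.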