Date Published: May 12, 2022

My new SSL certificate was installed, but is not working on my sites

Issue

I have installed and activated a new SSL certificate in the Acquia Cloud UI, but it is not being used on my sites.

Resolution

For reference, there are two ways to install an SSL certificate in the Cloud UI: "Standard" (load balancer based deployment) and "Legacy/ELB" (Elastic Load Balancer based deployment). For DNS purposes, Standard certificates use your load balancer's A record/IP address and Legacy/ELB certificates use your ELB CNAME. We have more information about the differences in these two installation methods here.

There are a few reasons you may not see a new SSL certificate working on your sites after it has been installed and activated in the Cloud UI. This article outlines the most common reasons and the steps you can take to resolve each one.

The new certificate was installed as a Standard (non-Legacy) certificate, but domains point to the Legacy/ELB certificate

If your domains point to your ELB CNAME address, they are served the Legacy certificate. For your domain(s) to use a new SSL certificate that was installed on your load balancers rather than on your ELB, you can either update your DNS settings to point your domain(s) to the IP address of your load balancers, or re-install the SSL certificate and this time select the 'Install legacy SSL certificate' option in the UI. Please note that installing a new certificate as Legacy overwrites the certificate currently active on the ELB.

We have more information about how to find your DNS settings in the UI here: Viewing your IP address or CNAME 

I have an external CDN that is not using the new certificate installed on Acquia

If your sites use an external CDN service, you may also need to update the CDN service to use your new SSL certificate, in addition to updating it within the Acquia Cloud UI.

For example, if you are using a custom certificate on Cloudflare for your sites, you will need to upload the new certificate in Cloudflare's UI. You can find instructions on how to upload a custom SSL certificate in Cloudflare here: Cloudflare - Managing Custom SSL certificates

The certificate does not cover the correct domain(s)

If a domain that should be using the certificate shows as insecure, confirm whether the domain itself is included in the list of domains/SANs in the certificate that was installed and activated in the UI. If the exact spelling of the domain is not listed, or if you are using a wildcard domain that excludes the necessary domain, you will need to contact your SSL vendor/Certificate Authority, request an updated version of your certificate that has the complete list of domains, and then re-install the updated certificate in the UI.

We have instructions on how you can view your SSL certificate details here: Viewing an SSL certificate 
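
The SAN check described above can be scripted. The following is an added example, not Acquia's code; the function names and all hostnames are constructed for illustration. It applies the usual wildcard rule, under which `*.example.com` stands for exactly one label and so covers neither `example.com` itself nor `dev.www.example.com`.

```python
# Added example: SAN coverage check. All hostnames below are constructed samples.

def _norm(name):
    """Lower-case and drop a trailing dot so comparisons are case-insensitive."""
    return name.strip().lower().rstrip(".")

def san_matches(hostname, san):
    """True if one SAN entry covers hostname.

    A wildcard is honoured only as the entire left-most label ("*.example.com")
    and stands for exactly one label: it covers www.example.com but neither
    example.com nor a.b.example.com.
    """
    host, pattern = _norm(hostname), _norm(san)
    if not pattern.startswith("*."):
        return host == pattern          # plain entry: exact spelling required
    if "*" in pattern[2:]:
        return False                    # wildcard anywhere else is not honoured
    head, _, parent = host.partition(".")
    return bool(head) and parent == pattern[2:]

def uncovered(domains, sans):
    """Return the domains that no SAN entry covers, in input order."""
    return [d for d in domains if not any(san_matches(d, s) for s in sans)]

# Constructed SAN list, as it would be read from the certificate details.
SAMPLE_SANS = ["example.com", "*.example.com", "shop.example.org"]
# Constructed list of domains the sites are expected to serve over HTTPS.
SAMPLE_DOMAINS = [
    "example.com", "WWW.Example.com", "dev.www.example.com",
    "example.org", "shop.example.org", "exmaple.com",
]

if __name__ == "__main__":
    for d in uncovered(SAMPLE_DOMAINS, SAMPLE_SANS):
        print("not covered by certificate:", d)
```

Any domain the script reports needs to be added to the certificate by your SSL vendor/Certificate Authority before the certificate is re-installed.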

My site is not redirecting to HTTPS

If you have confirmed that DNS is configured and your SSL certificate is activated, but your site is not redirecting traffic to HTTPS, you may need to update your .htaccess file accordingly. We have examples of how to update your .htaccess file here: Redirecting visitor requests with the .htaccess file and Introduction to .htaccess rewrite rules
