HTTPS (TLS)

All Berkeley sites hosted on Pantheon should be served over HTTPS for improved security and search engine optimization. Pantheon provides free, shared HTTPS certificates via Let's Encrypt.

To set up HTTPS for a new Pantheon site

To add a new domain to your Pantheon site, fill out the Upgrade to Paid Plan form (if this site is not yet using a paid plan) and request the appropriate plan for the particular site.

  1. Visit the Live tab on your site's Pantheon dashboard and choose Domains/HTTPS. Click the Connect Domain button and type in the new domain you wish to use. When you save your entry, the new domain will appear in your list of domains on the Domains/HTTPS pane. Click the Details button next to the domain, and Pantheon will recommend that you configure a CNAME to a hostname like "live-EXAMPLE.pantheonsite.io". (The "EXAMPLE" part will be a string specific to your site.)
  2. Add the CNAME information to the Offsite Hosting form, which is linked from the Upgrade to Paid Plan form.
  3. Wait for Hostmaster to add the CNAME record.
  4. When the CNAME record is added, you should add code to your site that redirects HTTP requests to HTTPS. (Failure to do this will result in SEO penalties.) Pantheon provides some sample code for this purpose.

To set up HTTPS for an existing Pantheon site

If your Pantheon site was not using HTTPS or if it was using the legacy HTTPS solution, do the following:

Visit the Live tab on your site's Pantheon dashboard and choose Domains/HTTPS. In the list of domains associated with your site you will see some orange status labels: "Upgrade to CDN" means the domain is resolving to the legacy load balancer on Pantheon. "Setup Required" means the domain is not resolving to Pantheon at all.

Domains in the "Upgrade to CDN" status

To enable HTTPS for domains in the "Upgrade to CDN" status, click the Details button and click the Copy link on the CNAME row. Compose an email to hostmaster@berkeley.edu:

Subject: Pantheon DNS setup for EXAMPLE.berkeley.edu

Hi Hostmaster,

Please configure the following DNS records for EXAMPLE1.berkeley.edu:

EXAMPLE1.berkeley.edu should be a cname for live-EXAMPLE1.pantheonsite.io
EXAMPLE2.berkeley.edu should be a cname for live-EXAMPLE2.pantheonsite.io

Many Thanks!

If you don't want to use any of the domains in the "Upgrade to CDN" status, you should write to Hostmaster and ask that the DNS records for that domain be removed. When Hostmaster confirms removal, you can click the Details button for the domain and click the red Remove Domain button.

Domains in the "Setup Required" status

To make the domains in the "Setup Required" status work, fill out the Offsite Hosting form for each one and add the CNAME instructions for each one in the Additional DNS Instructions field. When Hostmaster completes the DNS setup, the domain will work with your site.

If you don't want to use one or more of the domains in the "Setup Required" status, you can click their Details button and then the red Remove Domain button. (No message to Hostmaster is necessary.)

After Hostmaster configures DNS for your new records

After Hostmaster saves the changes, allow 2-4 hours for the campus name servers to get the new record. Then you should complete step #4 above to force HTTP requests to be redirected to HTTPS. 
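Once the wait is over and the redirect code is in place, a check like the following confirms both halves of the cutover. It is an added example, not code from Pantheon or from this page: it validates that a CNAME target has the "live-EXAMPLE.pantheonsite.io" shape and that a plain-HTTP request gets a permanent redirect to HTTPS on the expected host with the path preserved. The function names, the `expected_host` parameter and the sample responses are assumptions constructed for illustration.

```python
import http.client
import re
from urllib.parse import urlsplit

# Shape of the CNAME target shown on the Domains/HTTPS pane (live-EXAMPLE.pantheonsite.io).
PANTHEON_TARGET = re.compile(r"^live-[a-z0-9-]+\.pantheonsite\.io\.?$", re.I)

def cname_ok(target):
    """True if a CNAME target (e.g. a line from `dig +short CNAME host`) is a Pantheon live hostname."""
    return bool(PANTHEON_TARGET.match(target.strip()))

def redirect_problems(path, status, location, expected_host):
    """List what is wrong with the response to http://<domain><path>; empty list means OK."""
    problems = []
    if status not in (301, 308):
        problems.append(f"status {status} is not a permanent redirect")
    if not location:
        return problems + ["no Location header"]
    dest = urlsplit(location)
    if dest.scheme != "https":
        problems.append(f"Location scheme is {dest.scheme or 'missing'}, not https")
    if (dest.hostname or "").lower() != expected_host.lower():
        problems.append(f"redirects to unexpected host: {dest.hostname}")
    if dest.path != path:
        problems.append(f"path changed from {path} to {dest.path}")
    return problems

def fetch_plain_http(host, path="/"):
    """HEAD http://host/path without following redirects; returns (status, Location)."""
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

# Constructed sample responses (path, status, Location); not captured from a real site.
SAMPLES = [
    ("/about", 301, "https://EXAMPLE1.berkeley.edu/about"),  # correct redirect
    ("/about", 302, "http://EXAMPLE1.berkeley.edu/about"),   # temporary, still HTTP
    ("/about", 200, None),                                   # no redirect at all
]

if __name__ == "__main__":
    print("CNAME ok:", cname_ok("live-EXAMPLE1.pantheonsite.io."))
    for path, status, location in SAMPLES:
        print(status, redirect_problems(path, status, location, "EXAMPLE1.berkeley.edu") or "OK")
```

For a live check, pass the result of `fetch_plain_http("your-domain", "/some/path")` to `redirect_problems` with the same path and domain.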

Additional Notes

If Hostmaster tells you that they cannot configure a CNAME for your domain (or if you know this ahead of time), see these instructions on Pantheon A Record Best Practices.

If you use CAS authentication (CAS code/CAS docs) with your site, CAS will only work with existing development URLs like:

(These URLs already work with your site -- you do not need to connect them.) HTTPS requests to these development URLs will be covered by a certificate maintained by IST Web Platform Services.

If you are interested in continuing to use a certificate issued by InCommon (or another Certificate Authority), see this Pantheon FAQ on bringing your own certificate.