SSL Certificates

Configure SSL/TLS certificates for secure HTTPS connections.

Supascale supports automatic SSL certificate management via Let's Encrypt and custom certificate uploads. This guide covers certificate configuration for securing your Supabase projects.

Why SSL?

SSL/TLS certificates provide:

  • Encryption: Data in transit is encrypted
  • Authentication: Verifies your server's identity
  • Trust: Browsers show the secure padlock icon
  • Compliance: Required for many regulations (GDPR, PCI-DSS)

Let's Encrypt Integration

Overview

Let's Encrypt provides free, automated SSL certificates. Supascale handles:

  • Certificate issuance
  • Automatic renewal (before expiration)
  • Configuration updates

Challenge Types

Let's Encrypt verifies domain ownership through challenges:

| Challenge | How It Works | Best For |
|-----------|--------------|----------|
| HTTP-01 | Places a file on your web server | Single domains, simple setup |
| DNS-01 | Creates a DNS TXT record | Wildcards, internal servers |

HTTP-01 Challenge

Requirements:

  • Domain points to your server
  • Port 80 is accessible from the internet
  • Firewall allows Let's Encrypt validation

DNS-01 Challenge

Supported DNS providers:

  • Cloudflare
  • AWS Route53
  • DigitalOcean
  • GoDaddy
  • Google Cloud DNS

Requires API credentials for your DNS provider.

Obtaining a Certificate

  1. Go to your project's Settings > SSL
  2. Click Obtain Certificate
  3. Enter your domain name(s)
  4. Select the challenge type
  5. For DNS-01, enter your DNS provider credentials
  6. Click Issue Certificate

The process typically takes 1-2 minutes.

Custom Certificates

When to Use Custom Certificates

  • Wildcard certificates from other providers
  • Extended Validation (EV) certificates
  • Organization Validation (OV) certificates
  • Internal CA certificates

Certificate Requirements

Your certificate must include:

| File | Format | Description |
|------|--------|-------------|
| Certificate | PEM | Your SSL certificate |
| Private Key | PEM | RSA or ECDSA private key |
| Chain (optional) | PEM | Intermediate certificates |

Uploading a Certificate

  1. Go to Settings > SSL
  2. Click Upload Certificate
  3. Upload or paste:
    • Certificate file
    • Private key file
    • Intermediate chain (if applicable)
  4. Click Validate
  5. If valid, click Save

Validation Checks

Supascale validates:

  • Certificate and key match
  • Certificate is not expired
  • Certificate chain is valid
  • Domain matches the certificate
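
The same four checks can be run locally with the `openssl` CLI before uploading. This is an added example, not Supascale's own validation code; the function names, the `MIN_VALID_DAYS` variable and the `db.example.test` domain are hypothetical, and the sample certificate is constructed on the fly.

```shell
#!/bin/sh
# Added example: pre-upload checks for a PEM bundle (function names are hypothetical).
# Usage: check_cert_bundle CERT KEY DOMAIN [CHAIN]; MIN_VALID_DAYS (default 0) is optional.
check_cert_bundle() {
    cert=$1; key=$2; domain=$3; chain=${4:-}; rc=0
    secs=$(( ${MIN_VALID_DAYS:-0} * 86400 ))

    # 1. Certificate and key match: both must carry the same public key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match certificate"; rc=1
    fi
    # 2. Not expired: -checkend exits non-zero if notAfter falls within $secs.
    if ! openssl x509 -in "$cert" -noout -checkend "$secs" >/dev/null 2>&1; then
        echo "FAIL: certificate expired or expires within ${MIN_VALID_DAYS:-0} days"; rc=1
    fi
    # 3. Chain (only when supplied): must link the leaf to the system trust store.
    #    A private/internal CA needs its root passed with -CAfile instead.
    if [ -n "$chain" ] && ! openssl verify -untrusted "$chain" "$cert" >/dev/null 2>&1; then
        echo "FAIL: chain does not verify"; rc=1
    fi
    # 4. Domain: the exit status of -checkhost does not reflect the result,
    #    so inspect the message it prints.
    if ! openssl x509 -in "$cert" -noout -checkhost "$domain" 2>/dev/null \
            | grep -q 'does match'; then
        echo "FAIL: certificate does not cover $domain"; rc=1
    fi
    return $rc
}

# Constructed sample data: self-signed 90-day ECDSA P-256 cert for DOMAIN in DIR.
make_sample() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1/key.pem" -out "$1/cert.pem" -days 90 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" >/dev/null 2>&1
}

tmp=$(mktemp -d)
make_sample "$tmp" db.example.test
check_cert_bundle "$tmp/cert.pem" "$tmp/key.pem" db.example.test && echo "OK: ready to upload"
rm -rf "$tmp"
```

Setting `MIN_VALID_DAYS=30` makes the expiry check fail for any certificate inside the 30-day window that Supascale uses for Let's Encrypt renewal.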

Key Types

Supascale supports both key types:

| Type | Key Size | Performance | Compatibility |
|------|----------|-------------|---------------|
| RSA | 2048-4096 bits | Slower | Universal |
| ECDSA | 256-384 bits | Faster | Modern browsers |

ECDSA is recommended for new certificates (faster, more secure with shorter keys).

Certificate Management

Viewing Certificate Status

  1. Go to Settings > SSL
  2. View:
    • Current certificate details
    • Expiration date
    • Issuer
    • Domain coverage

Renewal

Let's Encrypt certificates:

  • Automatically renewed before expiration
  • Supascale checks daily and renews when fewer than 30 days remain

Custom certificates:

  • Manual renewal required
  • Upload the new certificate when ready
  • Supascale alerts you before expiration

Revocation

If your private key is compromised:

  1. Go to Settings > SSL
  2. Click Revoke Certificate
  3. Confirm the revocation
  4. Issue a new certificate

Private Key Security

Private keys are protected:

  1. Encrypted with AES-256 before storage
  2. Stored as privkey.pem.enc
  3. Decrypted only when needed
  4. Never exposed in the UI or API

Troubleshooting

Let's Encrypt Validation Fails

HTTP-01 issues:

  • Verify port 80 is open
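  • Check that the domain's DNS record points to your server
  • Ensure the firewall allows Let's Encrypt validation requests (Let's Encrypt does not publish a fixed list of source IPs, so port 80 must be reachable from the internet)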

DNS-01 issues:

  • Verify API credentials are correct
  • Check DNS provider permissions
  • Allow time for DNS propagation (up to 5 minutes)

Certificate Not Working

  1. Verify the certificate is properly installed
  2. Check the private key matches the certificate
  3. Ensure the full chain is included
  4. Verify the domain matches

Expiration Warnings

If you receive expiration warnings:

  1. For Let's Encrypt: Check automatic renewal is working
  2. For custom: Upload the renewed certificate
  3. Verify certificate files are not corrupted

Best Practices

  1. Use Let's Encrypt when possible: Free, automatic, and secure
  2. Enable auto-renewal: Don't let certificates expire
  3. Monitor expiration: Set calendar reminders as backup
  4. Use strong keys: RSA 2048+ or ECDSA 256+
  5. Protect private keys: Never share or commit to version control
  6. Test after changes: Verify HTTPS works after certificate updates