The following changes in Certificate Authority (CA) used to issue certificates for all Umbraco Cloud sites' for new and existing custom hostnames.
Not sure if your Cloud project is using a CAA record or not?
You can use this CAA Test to check whether a CAA record is configured on your hostname(s).
From September 26, 2022, certificates are issued using 'Google Trust Services' instead of 'DigiCert', and Certificate validity will be decreased from 1 year to 90 days.
From October 31, 2022, certificate renewals will no longer use 'DigiCert' as the issuing CA. The renewed certificate will instead be issued by 'Google Trust Services', and certificate validity will be decreased from 1 year to 90 days.
No action is required unless you set a Certificate Authority Authorization (CAA) record on your domain.
From October 31, 2022, Certificate renewals will no longer use 'DigiCert' as the issuing CA. This means that you need to update your CAA record to allow 'Google Trust Services' issuing certificates for your domain.
The CAA record should be changed from:
to
When you create an Umbraco Cloud project, the project URLs are based on the name of your project.
Let's say you have a project named Snoopy
. The default hostnames will be:
Umbraco Cloud Portal - www.s1.umbraco.io/project/snoopy
Live site - snoopy.euwest01.umbraco.io
Development environment - dev-snoopy.euwest01.umbraco.io
Staging environment - stage-snoopy.euwest01.umbraco.io
The hostnames contain the region your project is hosted on. Currently, there are 4 options available when choosing a region for your Umbraco project:
West Europe (euwest01),
East US (useast01),
South UK (uksouth01) and
Australian East (aueast01)
To access the backoffice add /umbraco
at the end of the Live, Development, or Staging URL.
Under Settings in the Umbraco Cloud Portal, you'll find Hostnames. This is where you bind Hostnames to your Cloud environments.
Ensure that the hostname you are binding to your Umbraco Cloud environment has a DNS entry that resolves to the Umbraco Cloud service.
We recommend setting a CNAME record for your hostname. You can also use A & AAAA records for the root of your domain.
CNAME record value:
dns.umbraco.io
A records to either or both IPv4 addresses:
162.159.140.127
172.66.0.125
AAAA records to either or both IPv6 addresses (to support IPv6 connectivity):
2606:4700:7::7d
2a06:98c1:58::7d
If you're using the Former A and AAAA records consider changing them to the new A & AAAA records above.
Once you have updated your DNS records, you need to remove the hostname and re-add it from Umbraco Cloud to re-validate the certificate with Cloudflare.
You can also check the DNS propagation using a site like whatsmydns.net.
Check with your DNS host or hostname registrar regarding configuration details for your Hostnames.
To specify the hostname for each root node using a multisite setup, follow these steps:
Go to the Backoffice of the project.
Right-click the root content node.
Select Culture and Hostnames.
In the Culture and Hostnames window, click Add New Domain.
Click Save.
Once you've assigned a Hostname to your Umbraco Cloud environment, you may want to hide the default umbraco.io
URL (e.g. snoopy.euwest01.umbraco.io). To do so, see the Rewrites on Cloud article.
All hostnames added to an Umbraco Cloud project's environment will get a TLS (HTTPS) certificate added, by default. The certificate is issued by Cloudflare and valid for 90 days after which it will be automatically renewed. Everything around certificates and renewals is handled for you and you only need to make sure that the DNS records are configured according to our recommendations listed above.
You will need to remove the old DNS entry before the Cloudflare service generates a new certificate for your Hostname.
Cloudflare is a popular DNS provider, which offers a variety of different services to improve performance and security. We also use it for DNS and Hostnames on Umbraco Cloud.
When your domain is also hosted with Cloudflare, you need to enroll the hostname you want to add to your Umbraco Cloud project in a slightly different way:
When creating a CNAME or A-record for your hostname in Cloudflare, you need to start with Proxy Status set to DNS Only.
Once your hostname is marked with Protected under the Hostname page for your Umbraco Cloud project and you can access your website through the hostname, you can choose to change Proxy Status to Proxying.
This is mostly relevant when you need to use specific Cloudflare services like Page Rules, Workers, and so on.
If you keep the Proxy Status set to DNS Only, Umbraco Cloud will handle the automatic TLS setup to ensure that your hostname is always protected with HTTPS.
CAA is a DNS resource record type defined in RFC 6844 that allows a domain owner to indicate which Certificate Authorities (CAs) are allowed to issue certificates for them. If you use CAA records on your domain, you will either need to remove CAA entirely or add the following through your DNS provider:
This is necessary because Google Trust Services is the Certificate Authority for the certificates issued on Umbraco Cloud.
CAA records can be set on the subdomain, but it's not something that is commonly used. If there’s a CAA record at, e.g., app.example.com, you’ll need to remove or update it. If you want to use wildcards and allow certificates for any subdomain, the CAA record should look like this:
The Certificate Authority (CA) used to issue certificates for all Umbraco Cloud sites' custom hostnames was changed on September 26, 2022. From October 31, 2022, certificate renewals for existing hostnames will also be updated to use the new CA.
No action is required unless you set a Certificate Authority Authorization (CAA) record on your domain in which case you will need to update the CAA record prior to renewal. Please follow the Migrate to new Certificate Authority for custom hostnames documentation.
On the Professional and Enterprise plan, you can manually add your certificate to your Umbraco Cloud project and bind it to one of the hostnames you've added.
If you need to use your Web Application Firewall (WAF) in front of your Umbraco Cloud website then this section will highlight some of the most common configurations needed.
Configuration may vary depending on which WAF you are using, so you should always consult your vendor for best practices and recommendations.
In most cases, you need to ensure that the WAF and Umbraco Cloud are using the same certificate on the specific hostname. Custom certificates are a plan-specific feature on Umbraco Cloud, so make sure that you have access to upload certificates.
Make sure the hostname is pointing to Umbraco Cloud (dns.umbraco.io).
Certificates are issued for the actual hostname. It is probably required to have a custom certificate for a WAF hostname.
Be on a plan that supports custom certificates.
When configuring the hostname and certificate on Umbraco Cloud it will be necessary to validate the hostname using a TXT record. This is needed because in most cases the WAF will hide that the website is running on Umbraco Cloud, which means that the usual domain ownership verification cannot be performed. This same approach can also be used to configure a hostname before updating the DNS for the hostname.
So adding a hostname on a Cloud project is possible before a DNS change. It can take up to approx. 14 days before it's removed. That means that you have 14 days to add a TXT record in your DNS settings.
Reach out to support and they will assist you with the details that need to be in the TXT record. We will first be able to see what you need to add to the TXT record when you have added the hostname.
When that is added it should work immediately.
Learn more about best practices for working with rewrite rules on Umbraco Cloud projects.
To make rewrite rules on Umbraco Cloud as seamless as possible, we've installed the IIS Rewrite Module on all our Umbraco Cloud servers.
If you are running Umbraco 8, the rewrite rule can be added directly to your project's web.config
.
The rewrite rules should be added to the <system.webServer><rewrite>
module in your project's web.config
file.
When you are doing rewrite rules on Umbraco Cloud there are a few important things to keep in mind:
Always make sure that you add a condition that negates the Umbraco Backoffice - /umbraco
, otherwise, you will not be able to do deployments to/from the environment
To be able to continue working locally with your Umbraco Cloud project, you also need to add a condition that negates localhost
Once you've assigned a hostname to your Live environment, you may want to "hide" the project's default URL (e.g. example.euwest01.umbraco.io) for different reasons. Perhaps for SEO or to make it clear to your users that the site can be accessed using only the primary hostname.
One approach for this is to add a new rewrite rule to the <system.webServer><rewrite><rules>
section in the web.config
file. For example, the following rule will redirect all requests for the project example.euwest01.umbraco.io URL to the example.com URL (using HTTPS and including the www.
prefix) and respond with a permanent redirect status.
This will not rewrite anything under the /umbraco
path so that you can still do content deployments. You don't have to give your editors the umbraco.io URL, and they won't see the umbraco.io URL if you give them the actual hostname. This rule will also not apply to your local copy of the site running on localhost
.
Once you've applied a certificate to your site, you can make sure that anybody visiting your site will always end up on HTTPS instead of the insecure HTTP.
To accomplish this, add a rewrite rule to the live environment's web.config
in the <system.webServer><rewrite><rules>
section.
For example, the following rule will redirect all requests for the site http://example.com URL to the secure https://example.com URL and respond with a permanent redirect status.
This redirect rule will not apply when the request is already going to the secure HTTPS URL. This redirect rule will also not apply to your local copy of the site running on localhost
.
It is possible to transform all of your URLs to use a trailing slash consistently for SEO.
To accomplish this, add a rewrite rule to the Live environment's web.config
in the <system.webServer><rewrite><rules>
section.
For example, the following rule will redirect all requests for https://example.com/page
to https://example.com/page/
, and respond with a permanent redirect status. This way you can ensure that you use the trailing slashes consistently on your site.
Take note of the negates in the rewrite rule.
Another example would be to redirect from non-www to www:
Adding the .azurewebsites.net
pattern is required for the deployment service and the content transfer between environments to continue to function.
This feature is only available for Umbraco Cloud projects on a Professional or Enterprise plan.
All projects on Starter, Standard, or Professional plans will automatically be assigned a Transport Layer Security (HTTPS) certificate.
To manually upload your certificate on the Umbraco Cloud Portal and assign it to one of the hostnames you've added:
Go to your project on the Umbraco Cloud portal.
Click Settings -> Certificates. The Manual Certificates window opens.
Your certificates need to be:
In .pfx
format.
Must use a password.
Cannot be expired.
Signature algorithm must be SHA256WithRSA, SHA1WithRSA or ECDSAWithSHA256
The .pfx
file can only contain one certificate. Each certificate can then be bound to a hostname you have already added to your site. Make sure you use the hostname you will bind the certificate to as the Common Name (CN) when generating the certificate.
Click Add New Certificate.
Select Choose file in the Certificate (.pfx file) field and upload your certificate from your local machine.
Enter the Password for your certificate.
Click Add.
Click Add new binding.
Choose your hostname from the Hostname dropdown.
Choose your newly uploaded certificate from the Certificate dropdown.
Click Add.
You've now successfully added your certificate to the Cloud project.
In some cases, you might want to switch from using your custom certificate to using the ones provided by the Umbraco Cloud service.
By removing your certificate from your Cloud project, the Umbraco Cloud service will automatically assign a new TLS (HTTPS) certificate to the hostname.
Did your manually uploaded security certificate expire?
You will need to remove the expired certificate for Umbraco Cloud to assign a new certificate to your hostname(s).
Enter your Domain name and select the Language from the drop-down list.
You need to use to add rewrite rules.
It is important to negate the path to files on your site because with the trailing slash added, your media will not show correctly after .
See the full list of features in the on the Umbraco website.