We currently host three environments on mendixcloud.com, all of which have custom domains set up with SSL/TLS certificates. It would be a great help to have the ability to automatically renew these certificates prior to expiration.
Our certs are from LetsEncrypt.org which uses their ACMEv2 API (https://letsencrypt.org/docs/client-options/) to allow for automatic domain verification and certificate renewal. This is supported via a large number of clients as shown in the above link, although primarily for unmanaged IIS or Exchange servers.
Since mendixcloud.com is a managed host, the common ways of using these client tools are not available to us.
However, we have other custom domains pointing to managed resources in Microsoft Azure which allow custom automation scripts to update these SSL certificates. It would be a great feature to have similar functionality built into our custom domains and sites hosted here with Mendix.
Thanks!
Ed
Updating this with a comment I've received from a contact at Mendix. Was given permission, but I wish they were more upfront with roadmap items.
Nothing about this comment should stand as an official timeline, but just to give some hope to those looking.
Yes, this is on our roadmap, but unfortunately not soon. We are working on improving certificate management. We will do this in steps:
1. Manage certificates via APIs. This will make it easier to update the certificates of multiple apps and environments.
2. Manage certificates centrally in Control Center. This will make it easier to update certificates of multiple apps and environments at once, as they can all use the same certificate.
3. Full certificate management, probably by integrating with Let's Encrypt.
I hope we can pick up 1 and 2 before the end of this year. We will not be able to pick up 3 before 2025, but it is definitely on our roadmap.
SSL certificate update automation for custom domains is a must. I would say it's a deal breaker for choosing a low-code solution. So, if any Mendix member of staff is reading this, here's my vote in favor of automated SSL certificate updates (via Letsencrypt, etc...)
My idea for now is to use a Letsencrypt updater docker (e.g. https://hub.docker.com/r/jonasal/nginx-certbot) which will serve as a proxy and will forward the traffic to Mendix's domain. I wonder if it's going to work well...
Also - are these forums moderated by Mendix official staff? I can't see any feedback in this thread that looks official :/
Hi,
Are there any updates here? Is everyone still manually renewing their certificates for custom domains in each application environment in Mendix?
Anyone hosting a good number of applications will have a lot of manual repetitive tasks with this, with a high chance of human error and interruptions to their environment. We foresee the need for 30 applications as part of a digital platform we are creating. Others in this community may even have a lot more... Automating these tasks is a basic operational need these days, with certificates on a 30 / 90 day cycle being quite common.
We're also currently using Azure Key Vaults and pipelines. Does Mendix plan to integrate with Azure for this, or provide their own solution to this problem?
Would be great to get some official Mendix feedback or any information about this being on a roadmap.
Cheers!
Gareth
Absolutely essential with the 90 day - and possibly later 30 day - renewal period coming up.
Any update on this topic?
Great idea. Should be on the roadmap soon.
Great idea ;-)!!!
Interesting that this same suggestion was made 5 years ago (https://forum.mendix.com/link/ideas/398), but was closed because “good idea, but we are not adding it to the roadmap yet” and then seemingly forgotten.
Either providing a service similar to Certbot or allowing new certificates to be added/configured via an API would be great. Failing all that, allowing certificates to be shared between environments (we have a wildcard) would be an improvement over having to copy/paste the same certificate multiple times.
Would be nice if there would be some action on this part. It is a very annoying manual process...
Definitely a must! Configuring an SSL certificate manually is like the stone age 😉