Umbraco Latch

    All new projects on Umbraco Cloud are automatically protected by Umbraco Latch. This means that the default Umbraco Cloud URL for your project, as well as any new hostnames you add, will be assigned a TLS certificate automatically.

    Adding a hostname

    In order for Umbraco Latch to be applied to your hostname, you need to make sure that your DNS has been set up in one of these ways:

    • CNAME pointing at the Cloud URL mysite.s1.umbraco.io
    • A Record pointing at the Cloud IP: 23.100.15.180

    Learn more about our recommendations for DNS records in the Manage Hostnames article.

    HTTPS by default

    All new Live sites created on Cloud since version 7.12 will automagically have a permanent redirect (301) from HTTP to HTTPS. This is achieved by a web.config transform called Latch.Web.live.xdt.config, which is accessible in your Git repository. If you'd like to remove the redirect rule (which we and others strongly discourage), you'll need to remove the file Latch.Web.live.xdt.config from your project's repository and push the change to Cloud.

    Latch and CDN

    You will not get an Umbraco Latch certificate if you are using a CDN service (e.g. CloudFlare) on your Umbraco Cloud project.

    In that case you can manually add a TLS certificate to your project instead. Read more about how to do that in the Upload certificates manually article.

    Umbraco Latch can issue 5 certificates for a single domain per week. If this limit is exceeded, you will have to wait a week in order to regenerate the certificate for the domain.

    The generation process might freeze (e.g. Initial > DnsApproved > ChallengeFileWritten > Initial) when your DNS provider has both an IPv4 and an IPv6 address. Unfortunately, Latch doesn't support IPv6, but Let's Encrypt will prefer IPv6 over IPv4 when it is present. In order to resolve this, you will need to disable IPv6 for that domain.

    Status definitions

    When Umbraco Latch is issuing a certificate for one of your hostnames it goes through the following states:

    • Initial
    • DnsApproved
    • NoRewrites
    • AcmeRequested
    • ChallengeFileWritten
    • AcmeVerified
    • PfxGenerated
    • CertificateInstalled
    • Protected by LATCH

    It can take up to 30 minutes for the certificate to be issued. Once you see the Protected by Latch state, your site is secure.

    Bad states

    If issuing a certificate to a hostname fails, it will end up in one of the following states:

    Dns Misconfigured

    This means that there is an issue with how the DNS for the provided hostname has been configured. Umbraco Latch will not be able to issue a certificate before the DNS configuration is fixed.

    Learn more about how to set up hostnames for Umbraco Cloud in the Manage Hostnames article.

    Rewrites Error

    If you see this state on your hostname, it means that there is an issue with some of your rewrites that needs to be resolved before a certificate can be issued.

    When redirecting all requests from HTTP to HTTPS, you will need to add the following condition to the rewrite rule:

    <add input="{REQUEST_URI}" negate="true" pattern="^/\.well-known/acme-challenge" />
    

    Read more about best practices with rewrites on Umbraco Cloud in the Rewrites on Umbraco Cloud article.
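
A check for the condition above, as an added example that is not part of the Umbraco documentation: it parses a constructed web.config and lists the redirect rules that would still redirect the /.well-known/acme-challenge path. The rule names, sample config and function names are hypothetical, and it assumes each rule's match and its conditions other than {REQUEST_URI} hold for a plain-HTTP challenge request.

```python
import re
import xml.etree.ElementTree as ET

# Constructed request path that an ACME HTTP challenge would fetch.
ACME_PATH = "/.well-known/acme-challenge/constructed-token"

# Constructed web.config: the first rule lacks the exclusion, the second has it.
SAMPLE_CONFIG = r"""
<configuration><system.webServer><rewrite><rules>
  <rule name="https-no-exclusion" stopProcessing="true">
    <match url="(.*)" />
    <conditions>
      <add input="{HTTPS}" pattern="^OFF$" />
    </conditions>
    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
  </rule>
  <rule name="https-with-exclusion" stopProcessing="true">
    <match url="(.*)" />
    <conditions>
      <add input="{HTTPS}" pattern="^OFF$" />
      <add input="{REQUEST_URI}" negate="true" pattern="^/\.well-known/acme-challenge" />
    </conditions>
    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
  </rule>
</rules></rewrite></system.webServer></configuration>
"""

def redirects_acme(rule):
    """True if this redirect rule would also redirect the ACME challenge path."""
    # Assumption: <match> and all non-{REQUEST_URI} conditions hold for the request.
    action = rule.find("action")
    if action is None or action.get("type", "").lower() != "redirect":
        return False
    for cond in rule.iterfind("conditions/add"):
        if cond.get("input") != "{REQUEST_URI}":
            continue
        hit = re.search(cond.get("pattern", ""), ACME_PATH, re.IGNORECASE) is not None
        if cond.get("negate", "false").lower() == "true":
            hit = not hit
        if not hit:  # one failed condition stops the rule (default MatchAll grouping)
            return False
    return True

def rules_blocking_acme(config_xml):
    """Names of redirect rules that lack a working challenge-path exclusion."""
    root = ET.fromstring(config_xml)
    return [r.get("name") for r in root.iter("rule") if redirects_acme(r)]
```

Run `rules_blocking_acme` over your own web.config text before pushing to Cloud; an empty list means no redirect rule captures the challenge path under the stated assumptions.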

    Special Characters

    There are some special characters that Umbraco Latch does not accept when issuing certificates. If you are seeing the Special Characters state next to your hostname, it means that you are using some special characters that are not allowed.

    If you need to add the hostname, we recommend setting up a CDN and uploading a certificate manually.

    Tried 5 times

    This is the state you will see next to your hostname if Umbraco Latch has tried issuing a certificate 5 times, which is the limit per week.

    If you see this state, you will need to wait a week before Umbraco Latch can assign a certificate to your hostname.
