All Lobster Cloud systems are secured with SSL/TLS certificates. This page explains the standard certificate provisioning via Let's Encrypt, how to use your certificates, and the special requirements for AS2 communication and High Availability environments.
Standard certificates (Let's Encrypt)
All Lobster Cloud systems are equipped with SSL certificates issued by Let's Encrypt. Lobster uses the Cert-Bot integrated into the Lobster Data Platform for automated certificate management. No other certificate managers or external certificate services are used by default.
| Aspect | Details |
|---|---|
| Certificate authority | Let's Encrypt |
| Scope | Each server component (DMZ, internal server, DEV) receives its own dedicated SSL certificate. |
| Renewal | Certificates are automatically renewed approximately every 90 days. No action required from your side. |
| Port requirement | Port 80 must remain open for Let's Encrypt domain validation. This is configured automatically during installation. |
| Cost | Included in your Lobster Cloud subscription at no additional charge. |
How It Works
The certificate issuance process follows these steps.
| Step | Description |
|---|---|
| 1 | The Lobster Data Platform sends a certificate request to Let's Encrypt. |
| 2 | Let's Encrypt performs domain validation by accessing a specific URL on Port 80 of your system. |
| 3 | After successful validation, the certificate is issued and sent back to the system. |
| 4 | The Lobster Data Platform installs the certificate automatically and begins using it for all HTTPS communication. |
All HTTP traffic on Port 80 is automatically redirected to HTTPS on Port 443. The only exception is the Let's Encrypt validation path (/.well-known/*), which must remain accessible via HTTP for the renewal process.
Custom certificates
You have the option to use your own SSL certificates from a trusted certification authority instead of the standard Let's Encrypt certificates. This is recommended if you use your own DNS names or have specific certificate requirements.
| Aspect | Details |
|---|---|
| Purchase | You must purchase the certificate independently from a certification authority of your choice. |
| Installation | You install the certificate yourself within the Lobster Data Platform. |
| Renewal | Custom certificates are typically valid for one year. You are responsible for renewal and reinstallation before expiry. |
| Lobster does not sell certificates | Lobster does not act as a certificate reseller or intermediary. |
Custom certificates with custom DNS names
If you use your own DNS names instead of the standard .lobster-cloud.com names, you must provide SSL certificates that match your custom domain. You have two options:
| Option | Description |
|---|---|
| Configure the Cert-Bot | Set up the Let's Encrypt Cert-Bot within the Lobster Data Platform to automatically issue and renew certificates for your custom DNS names. |
| Use your own certificates | Purchase and install a certificate for your custom domain. You manage renewal yourself. |
You can find everything regarding DNS here: DNS Configuration
AS2 communication
Let's Encrypt certificates are not suitable for AS2 communication. This is because Let's Encrypt certificates are renewed every 90 days, which can cause issues with AS2 partner configurations that rely on a stable certificate.
| Option | Description |
|---|---|
| Self-signed certificate (recommended) | You can generate a self-signed certificate directly within the Lobster Data Platform and use it for AS2 communication. This is the recommended approach. |
| Own certificate from a trusted CA | You can purchase and install your certificate from a trusted certification authority for AS2. You manage renewal yourself. |
High Availability Environments
Certificates in High Availability environments require special consideration because multiple server components need to be secured.
Standard Lobster DNS names
Let's Encrypt certificates work in HA environments when you use the standard .lobster-cloud.com DNS names. The Cert-Bot handles certificate issuance and renewal for all HA components automatically.
Custom DNS names in HA environments
If you use your own DNS names in an HA environment, the following certificate types are recommended:
| Certificate type | Description |
|---|---|
| Multi-domain certificate (SAN) | A single certificate that covers multiple domain names. Suitable if you have a defined set of hostnames for your HA components. |
| Wildcard certificate | A certificate that covers all subdomains of a given domain (for example, *.yourdomain.com). Simplifies certificate management in HA setups. |
You are responsible for purchasing, installing, and renewing custom certificates in HA environments. You can find everything regarding DNS here: DNS Configuration.
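When choosing between the two certificate types, it helps to check that every HA hostname is actually covered: a wildcard entry stands for exactly one DNS label, so it covers neither the bare domain nor names nested two levels deep. The following is an added example, not Lobster code; the hostnames and SAN lists are constructed, and the function names are hypothetical.

```python
# Added example: which HA hostnames does a certificate's SAN list NOT cover?
# All hostnames and SAN entries below are constructed sample values.


def _matches(pattern: str, host: str) -> bool:
    """Match one SAN dNSName entry against a hostname (RFC 6125 style rules)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        # A wildcard replaces exactly one label, so label counts must agree.
        return False
    if p_labels[0] == "*":
        # Wildcard is honoured only as the whole left-most label, and only
        # with at least two fixed labels after it (conservative: no "*.com").
        return (
            len(p_labels) >= 3
            and h_labels[0] != ""
            and p_labels[1:] == h_labels[1:]
        )
    return p_labels == h_labels


def uncovered_hosts(san_entries, ha_hosts):
    """Return the hostnames that no SAN entry covers, in input order."""
    return [h for h in ha_hosts if not any(_matches(s, h) for s in san_entries)]


# Constructed HA setup under the page's example domain.
HA_HOSTS = [
    "edi.yourdomain.com",
    "dmz.yourdomain.com",
    "node1.ha.yourdomain.com",  # two levels below the domain
    "yourdomain.com",           # the bare domain itself
]
WILDCARD_SAN = ["*.yourdomain.com"]
MULTI_SAN = list(HA_HOSTS)      # multi-domain certificate listing every name

if __name__ == "__main__":
    print("wildcard misses:", uncovered_hosts(WILDCARD_SAN, HA_HOSTS))
    print("multi-domain misses:", uncovered_hosts(MULTI_SAN, HA_HOSTS))
```

Any hostname reported as uncovered needs either its own SAN entry or a different naming scheme before the certificate is installed.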
HTTPS redirection
All Lobster Cloud systems enforce HTTPS by default. The system is configured as follows:
| Rule | Description |
|---|---|
| HTTP to HTTPS redirect | All incoming requests on Port 80 (HTTP) are automatically redirected to Port 443 (HTTPS). |
| Let's Encrypt exception | The validation path /.well-known/* remains accessible via HTTP (Port 80) to allow Let's Encrypt domain verification. |
This configuration ensures that all communication with your Lobster Cloud system is encrypted.
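One way to verify these two rules from the outside, as an added example that is not part of the Lobster Data Platform: `probe` collects a port-80 response without following redirects, and `audit` flags responses that deviate from the documented behaviour. The host name and sample responses are constructed, and treating a redirect on the validation path as a deviation is an assumption about how the exception is implemented.

```python
# Added example (not Lobster code): audit port-80 responses against the
# redirect rules in the table above. Host name and responses are constructed.
import http.client
from urllib.parse import urlsplit

VALIDATION_PREFIX = "/.well-known/"  # path prefix named on this page
REDIRECT_CODES = {301, 302, 303, 307, 308}


def probe(host, path, timeout=5):
    """Live helper: GET http://host/path on port 80 without following redirects."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return path, resp.status, resp.getheader("Location")
    finally:
        conn.close()


def audit(host, observations):
    """Return (path, finding) pairs for responses that break the documented rules."""
    findings = []
    for path, status, location in observations:
        if path.startswith(VALIDATION_PREFIX):
            # Assumption: "remains accessible via HTTP" means answered on port 80
            # itself; a 404 is normal while no validation is pending.
            if status in REDIRECT_CODES:
                findings.append((path, "validation path is redirected"))
            continue
        if status not in REDIRECT_CODES:
            findings.append((path, f"answered over plain HTTP ({status})"))
            continue
        target = urlsplit(location or "")
        if target.scheme != "https":
            findings.append((path, "redirect target is not https"))
        elif (target.hostname or "").lower() != host.lower():
            findings.append((path, f"redirect leaves host: {target.hostname}"))
    return findings


# Constructed sample observations for a placeholder host.
SAMPLE = [
    ("/", 301, "https://edi.example.com/"),
    ("/login", 200, None),
    ("/api", 302, "http://edi.example.com/api"),
    ("/portal", 301, "https://other.example.net/portal"),
    ("/.well-known/acme-challenge/x", 404, None),
]
```

For a live check, pass `[probe(host, p) for p in paths]` to `audit` instead of `SAMPLE`.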
Summary
| Scenario | Recommended certificate |
|---|---|
| Standard DNS names (.lobster-cloud.com) | Let's Encrypt (automatic, no action required) |
| Custom DNS names | your |
| AS2 communication | Self-signed certificate or own certificate from a trusted CA |
| High Availability with Standard DNS | Let's Encrypt (automatic) |
| High Availability with Custom DNS | Multi-domain or wildcard certificate |