
Overview

Dokploy provides automatic SSL/TLS certificate management through Traefik integration. You can use free Let’s Encrypt certificates or bring your own custom certificates for secure HTTPS connections.

Automatic SSL

Free Let’s Encrypt certificates with auto-renewal

Custom Certificates

Use your own SSL certificates

Wildcard Support

Secure multiple subdomains with one certificate

SSL Certificate Types

Dokploy supports three certificate types: automatic Let’s Encrypt certificates, custom certificates you upload, and wildcard certificates (obtained through either route).

Let’s Encrypt Configuration

Automatic HTTPS (HTTP-01 Challenge)

The default method works for most use cases:
Step 1: Configure Domain

When adding a domain to your application:
  1. Enter your domain name (e.g., example.com)
  2. Select Let’s Encrypt as certificate type
  3. Ensure your domain’s DNS points to your server
Step 2: Deploy

Dokploy automatically:
  • Requests certificate from Let’s Encrypt
  • Completes HTTP-01 challenge
  • Configures Traefik with the certificate
  • Redirects HTTP to HTTPS
Step 3: Auto-Renewal

Certificates are automatically renewed 30 days before expiration.

DNS-01 Challenge (Wildcard Certificates)

For wildcard certificates (e.g., *.example.com):
traefik-config.yml
certificatesResolvers:
  letsencrypt:
    acme:
      email: admin@example.com  # placeholder: use the contact address Let's Encrypt should notify
      storage: /letsencrypt/acme.json
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
DNS-01 requires API credentials for your DNS provider (Cloudflare, Route53, etc.).

Supported DNS Providers

Traefik supports 100+ DNS providers:
  • Cloudflare
  • AWS Route53
  • Google Cloud DNS
  • DigitalOcean
  • Namecheap
  • GoDaddy
  • And many more
See Traefik DNS providers for the full list.

Custom Certificates

Upload Certificate

Step 1: Prepare Certificate Files

You need:
  • Certificate file (.crt or .pem)
  • Private key file (.key)
  • Optional: CA bundle/chain file
Step 2: Add Certificate in Dokploy

Navigate to Settings → Certificates → Add Certificate and fill in the following fields:
  • name (string, required): A friendly name for the certificate
  • certificateData (string, required): The certificate content (PEM format)
  • privateKey (string, required): The private key content (PEM format)
  • certificateChain (string, optional): CA bundle/intermediate certificates
Step 3: Assign to Domain

When configuring a domain:
  1. Select Custom as certificate type
  2. Choose your uploaded certificate
  3. Deploy

Using the API

Create Certificate
curl -X POST https://your-dokploy-instance.com/api/certificates.create \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "example-com-cert",
    "certificateData": "-----BEGIN CERTIFICATE-----\n...",
    "privateKey": "-----BEGIN PRIVATE KEY-----\n..."
  }'

Certificate Format

Certificates must be in PEM format:
certificate.crt
-----BEGIN CERTIFICATE-----
MIIFXzCCBEegAwIBAgISA1...
...
-----END CERTIFICATE-----
private.key
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQ...
...
-----END PRIVATE KEY-----
Never commit private keys to version control. Store them securely using environment variables or secret management tools.
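The two mistakes that most often break a custom-certificate upload are mixing up the certificate and key files and getting the JSON newline escaping wrong. This added helper (not Dokploy's own code) checks the PEM files first and then builds the certificates.create body shown above; the certificate and key strings in it are constructed samples with truncated bodies, and the check for passphrase-protected keys assumes, as with Traefik's Go TLS stack, that only unencrypted keys can be loaded.

```python
import json
import re

# A PEM file is one or more BEGIN/END blocks; the base64 body is kept verbatim.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n(?P<body>.+?)\r?\n-----END (?P=label)-----",
    re.DOTALL,
)
# Unencrypted key formats Traefik (Go's crypto/tls) can load.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_labels(pem_text):
    """Return the block labels found in a PEM text, in file order."""
    return [m.group("label") for m in PEM_BLOCK.finditer(pem_text)]


def build_create_payload(name, cert_pem, key_pem, chain_pem=None):
    """Check the PEM inputs and return the JSON body for certificates.create.
    Raises ValueError for the mix-ups that otherwise surface only when
    Traefik fails to load the certificate at deploy time."""
    cert_labels = pem_labels(cert_pem)
    if not cert_labels or any(lab != "CERTIFICATE" for lab in cert_labels):
        raise ValueError("certificateData must contain only CERTIFICATE blocks")
    key_labels = pem_labels(key_pem)
    if "ENCRYPTED PRIVATE KEY" in key_labels:
        raise ValueError("private key is passphrase-protected; upload an unencrypted key")
    if len(key_labels) != 1 or key_labels[0] not in KEY_LABELS:
        raise ValueError("privateKey must contain exactly one PRIVATE KEY block")
    payload = {
        "name": name,
        "certificateData": cert_pem.strip() + "\n",
        "privateKey": key_pem.strip() + "\n",
    }
    if chain_pem:
        if any(lab != "CERTIFICATE" for lab in pem_labels(chain_pem)):
            raise ValueError("certificateChain must contain only CERTIFICATE blocks")
        payload["certificateChain"] = chain_pem.strip() + "\n"
    # json.dumps turns the real newlines into the \n escapes the curl example shows.
    return json.dumps(payload)


if __name__ == "__main__":
    # Constructed sample input with truncated base64 bodies; read real files here instead.
    CERT = "-----BEGIN CERTIFICATE-----\nMIIFXzCCBEegAwIBAgISA1\n-----END CERTIFICATE-----\n"
    KEY = "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQ\n-----END PRIVATE KEY-----\n"
    print(build_create_payload("example-com-cert", CERT, KEY))
```

Pipe the output into the curl command with `-d @-` (or write it to a file) instead of hand-escaping the PEM text.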

Wildcard Certificates

Secure all subdomains with a single certificate:

Using Let’s Encrypt

  1. Configure DNS-01 challenge (see above)
  2. Add domain as *.example.com
  3. Dokploy requests wildcard certificate

Using Custom Certificate

  1. Obtain wildcard certificate from your CA
  2. Upload to Dokploy
  3. Use for all subdomains
Example Usage
services:
  app1:
    labels:
      - "traefik.http.routers.app1.rule=Host(`app1.example.com`)"
      - "traefik.http.routers.app1.tls=true"
  
  app2:
    labels:
      - "traefik.http.routers.app2.rule=Host(`app2.example.com`)"
      - "traefik.http.routers.app2.tls=true"
Both apps use the same *.example.com certificate.

Certificate Management

View Certificates

List Certificates
curl https://your-dokploy-instance.com/api/certificates.all \
  -H "Authorization: Bearer YOUR_API_KEY"

Update Certificate

  1. Go to Settings → Certificates
  2. Click on the certificate
  3. Upload new certificate/key
  4. Save changes

Certificate Renewal

Dokploy automatically renews Let’s Encrypt certificates:
  • Renewal starts 30 days before expiration
  • Multiple retry attempts if renewal fails
  • Email notifications on renewal failure
  • Zero downtime during renewal
For custom certificates:
  1. Obtain renewed certificate from your CA
  2. Update in Dokploy (via dashboard or API)
  3. Traefik hot-reloads without downtime
Set up monitoring alerts 30 days before expiration.

SSL/TLS Best Practices

Use Strong Ciphers

Configure Traefik with modern TLS 1.2+ and strong cipher suites

Enable HSTS

Force HTTPS with HTTP Strict Transport Security headers

Certificate Monitoring

Set up alerts for certificate expiration

Rotate Regularly

For custom certs, rotate annually or when compromised

Traefik TLS Configuration

traefik-static.yml
tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

HSTS Configuration

Add HSTS headers to force HTTPS:
docker-compose.yml
services:
  app:
    labels:
      - "traefik.http.middlewares.hsts.headers.stsSeconds=31536000"
      - "traefik.http.middlewares.hsts.headers.stsIncludeSubdomains=true"
      - "traefik.http.middlewares.hsts.headers.stsPreload=true"
      - "traefik.http.routers.app.middlewares=hsts"
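The expiry alerting recommended above (30 days before expiration) and the TLS 1.2+ and HSTS settings can be verified from outside with this added Python script, which is not part of Dokploy. expiry_status and parse_hsts are pure functions you can wire into an existing alerting job; audit_site needs network access to the deployed domain and is only an assumption about how you would call them.

```python
import http.client
import socket
import ssl
import time

WARN_DAYS = 30               # alert threshold recommended on this page
MIN_HSTS_MAX_AGE = 31536000  # one year, matching the stsSeconds label above

def not_after_seconds(not_after):
    """Epoch seconds of a getpeercert() notAfter string, e.g. 'Jun  1 12:00:00 2030 GMT'."""
    return ssl.cert_time_to_seconds(not_after)

def expiry_status(not_after, now=None, warn_days=WARN_DAYS):
    """Classify a certificate as ('ok' | 'warn' | 'expired', whole days left)."""
    now = time.time() if now is None else now
    days_left = int((not_after_seconds(not_after) - now) // 86400)
    if days_left < 0:
        return "expired", days_left
    return ("warn" if days_left < warn_days else "ok"), days_left

def parse_hsts(header):
    """Split a Strict-Transport-Security header value into its directives."""
    if header is None:
        return None
    out = {"max_age": 0, "include_subdomains": False, "preload": False}
    for part in header.split(";"):
        part = part.strip().lower()
        if part.startswith("max-age="):
            out["max_age"] = int(part.split("=", 1)[1].strip('"'))
        elif part == "includesubdomains":
            out["include_subdomains"] = True
        elif part == "preload":
            out["preload"] = True
    return out

def audit_site(host, port=443):
    """Report expiry, negotiated TLS version and HSTS for a live domain (needs network)."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            status, days = expiry_status(tls.getpeercert()["notAfter"])
            version = tls.version()
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.request("HEAD", "/")
    hsts = parse_hsts(conn.getresponse().getheader("Strict-Transport-Security"))
    conn.close()
    return {"expiry": status, "days_left": days, "tls_version": version,
            "tls_ok": version in ("TLSv1.2", "TLSv1.3"), "hsts": hsts,
            "hsts_ok": bool(hsts) and hsts["max_age"] >= MIN_HSTS_MAX_AGE}
```

Because create_default_context verifies the chain, audit_site also fails loudly on an incomplete chain or a certificate that does not match the domain, the two custom-certificate errors listed under Troubleshooting.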

Troubleshooting

Rate limit errors. Let’s Encrypt enforces these limits:
  • 50 certificates per registered domain per week
  • 5 duplicate certificates per week
Solutions:
  • Use staging environment for testing
  • Use wildcard certificates
  • Wait for rate limit reset (weekly)
  • Consider custom certificates
Failed HTTP-01 challenges. Common causes:
  • DNS not pointing to your server
  • Port 80 blocked by firewall
  • Traefik not accessible on port 80
  • Domain resolving to wrong IP
Verify that the challenge path is reachable over plain HTTP on port 80:
curl http://your-domain.com/.well-known/acme-challenge/test
Certificate not trusted or TLS handshake failures with custom certificates:
  • Include complete certificate chain
  • Verify certificate validity: openssl x509 -in cert.crt -text -noout
  • Check certificate matches domain
  • Ensure root CA is trusted
  • Verify TLS version compatibility
  • Check cipher suite support
  • Review Traefik logs: docker logs traefik
  • Test with: openssl s_client -connect domain:443
Other ACME or DNS-01 failures. Check the Traefik ACME logs:
docker logs traefik | grep -i acme
Common issues:
  • DNS propagation delays
  • API credentials expired (DNS-01)
  • Rate limits
  • Network connectivity

Security Considerations

Critical Security Practices:
  1. Never expose private keys
  2. Use strong key sizes (2048-bit RSA minimum, 256-bit ECDSA)
  3. Rotate certificates before expiration
  4. Monitor certificate validity
  5. Use Let’s Encrypt when possible (automatic rotation)
  6. Enable OCSP stapling for revocation checking

Certificate Security Checklist

  • Private keys stored securely (not in git)
  • TLS 1.2 or higher enforced
  • Strong cipher suites configured
  • HSTS enabled
  • Certificate expiration monitoring
  • Auto-renewal configured
  • Regular security audits

Next Steps

Domains & Routing

Configure domain routing with SSL

Security

Additional security configuration

Traefik

Configure Traefik settings

Monitoring

Monitor SSL certificate status
