Configure TLS

Add TLS/HTTPS configuration to your project for secure domain access to:

  • Expose your TEE app using HTTPS.
  • Receive webhook events over HTTPS.
  • Serve web UIs securely.
  • Deploy to production with TLS.

EigenCompute enables TLS with Let's Encrypt certificates, configured through a Caddyfile. To use an alternative certificate provider, configure it in your Dockerfile.

TLS Environment Variables

| Variable | Description | Required | Default |
| --- | --- | --- | --- |
| DOMAIN | Your domain name | Yes | - |
| APP_PORT | Port your app listens on | Yes | - |
| ACME_STAGING | Use Let's Encrypt staging | No | false |
| ACME_FORCE_ISSUE | Force certificate reissue | No | false |
| ENABLE_CADDY_LOGS | Enable Caddy debug logs | No | false |

Add TLS Configuration

To add TLS configuration:

ecloud compute app configure tls

TLS configuration is added to your project:

TLS configuration added successfully

Created:
- Caddyfile
- .env.example.tls

To enable TLS:

1. Add TLS variables to .env:
cat .env.example.tls >> .env

2. Configure required variables:
DOMAIN=yourdomain.com
APP_PORT=3000

For first deployment (recommended):
ENABLE_CADDY_LOGS=true
ACME_STAGING=true

3. Set up DNS A record pointing to instance IP
Run 'ecloud compute app info' to get IP address

4. Upgrade:
ecloud compute app upgrade

Note: Let's Encrypt rate limit is 5 certificates/week per domain

Configure TLS and Test with Staging Certificates

  1. Add TLS environment variables to .env:

     cat .env.example.tls >> .env

  2. Configure required variables:

     # Required
     DOMAIN=yourdomain.com
     APP_PORT=3000

     # Recommended for first deployment
     ENABLE_CADDY_LOGS=true
     ACME_STAGING=true # Use staging certificates initially

     Tip: To avoid Let's Encrypt rate limits, always test with staging certificates first.

  3. Configure DNS by creating an A record pointing to your instance IP:

    • Type: A
    • Name: yourdomain.com
    • Value: Obtain IP address from ecloud compute app info

  4. Deploy app with TLS configuration:

     ecloud compute app upgrade

The configured TLS routes traffic from ports 80 and 443 to the APP_PORT.

Switch to Production Certificates

To switch from staging to production:

  1. Disable staging and force a reissue of certificates by updating the ACME_STAGING and ACME_FORCE_ISSUE environment variables:

     ACME_STAGING=false
     ACME_FORCE_ISSUE=true # Only needed once

  2. Redeploy the app:

     ecloud compute app upgrade

  3. Disable the ACME_FORCE_ISSUE environment variable:

     ACME_FORCE_ISSUE=false

Let's Encrypt Rate Limits

Let's Encrypt has a rate limit of 5 certificates per week per domain. Always test with staging certificates first.
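
A pre-deploy check for the staging-to-production procedure above, as an added example that is not part of the EigenCompute documentation or tooling: it lints the TLS variables in .env and flags the two states this page warns about (staging certificates still enabled, ACME_FORCE_ISSUE left on). The function names, return codes and the rule that APP_PORT cannot be 80 or 443 are assumptions.

```shell
#!/bin/sh
# Added example: lint the TLS variables in .env before `ecloud compute app upgrade`.
# Variable names are from the page; function names, rules and return codes are assumptions.

# Print the last value assigned to KEY ($2) in FILE ($1), minus inline comment and quotes.
env_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
            -e 's/^["'\'']//' -e 's/["'\'']$//'
}

warn() { echo "WARN: $*"; [ "$rc" -ge 1 ] || rc=1; }
fail() { echo "ERROR: $*"; rc=2; }

# Returns 0 = clean, 1 = warnings only, 2 = errors.
check_tls_env() {
    file=$1; rc=0
    [ -r "$file" ] || { fail "cannot read $file"; return "$rc"; }
    domain=$(env_get "$file" DOMAIN); port=$(env_get "$file" APP_PORT)
    staging=$(env_get "$file" ACME_STAGING); force=$(env_get "$file" ACME_FORCE_ISSUE)

    case $domain in
        ''|yourdomain.com) fail "DOMAIN is unset or still the placeholder" ;;
        *[!A-Za-z0-9.-]*) fail "DOMAIN must be a bare hostname, got '$domain'" ;;
    esac
    case $port in
        ''|*[!0-9]*|??????*) fail "APP_PORT must be a port number, got '$port'" ;;
        # Assumption: the TLS proxy binds 80 and 443 itself, so the app cannot.
        80|443) fail "APP_PORT=$port is one of the ports the TLS proxy listens on" ;;
        *) [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || fail "APP_PORT out of range" ;;
    esac
    for key in ACME_STAGING ACME_FORCE_ISSUE ENABLE_CADDY_LOGS; do
        case $(env_get "$file" "$key") in
            ''|true|false) ;;
            *) warn "$key should be true or false" ;;
        esac
    done
    if [ "$staging" = true ]; then
        warn "ACME_STAGING=true: staging certificates are not trusted by clients"
    elif [ "$force" = true ]; then
        warn "ACME_FORCE_ISSUE=true on production ACME: needed once, set it back to false (limit: 5 certificates/week)"
    fi
    return "$rc"
}
```

Source the file and run `check_tls_env .env` before each upgrade; a return code of 1 is expected during the staging test and the one-time forced reissue, and 0 is the steady production state.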

Upgrading

You can update DOMAIN and APP_PORT in the environment file and upgrade without rebuilding the Docker image. If you change anything else in the Caddyfile itself, you must rebuild the image because the Caddyfile is embedded at build time.

Troubleshooting

DNS not propagating

Wait 5-10 minutes after DNS changes. Verify with:

dig yourdomain.com
nslookup yourdomain.com

Certificate issuance failing

Check logs:

ecloud compute app logs

Common issues:

  • DNS not pointing to correct IP.
  • Port 80/443 not accessible.
  • Domain already has certificates (use ACME_FORCE_ISSUE=true).

Rate limit exceeded

If you hit rate limits:

  • Wait a week for the limit to reset.
  • Use a different subdomain.
  • Consider using staging for development.