Force HTTPS with Let's Encrypt
🚀 Installation & Setup
·
Updated 1 month ago
Setup
Via the UI
The toggle sits in the route wizard in Step 2 — Transport.
- Create or edit a route
- In Step 2 enable the Force HTTPS toggle (default: on)
- Save
There is no additional configuration — Caddy handles everything automatically. See also the note above: in the current state the toggle has no switching effect.
Via the API
# Enable HTTPS
curl -X PUT https://gatecontrol.example.com/api/v1/routes/1 \
-H "Authorization: Bearer gc_..." \
-H "Content-Type: application/json" \
-d '{
"https_enabled": true
}'
Configuring the ACME email
The ACME email is set globally in the GateControl settings or via environment variable:
# In docker-compose.yml or .env
GC_CADDY_EMAIL=admin@example.com
# Optional alternative ACME CA (e.g. staging)
GC_CADDY_ACME_CA=https://acme-staging-v02.api.letsencrypt.org/directory
Important notes
- DNS must point correctly. The domain must point to the public IP of the GateControl server via A/AAAA record. Without correct DNS resolution the ACME challenge fails.
- Ports 80 and 443 must be open. Let's Encrypt uses port 80 for the HTTP-01 challenge. Port 443 is needed for HTTPS. Both ports must be reachable from outside.
- No Cloudflare proxy. If the domain sits behind the Cloudflare proxy (orange cloud), the HTTP-01 challenge fails. Use DNS Only (gray cloud) or switch to the DNS-01 challenge (not supported by GateControl).
- Watch out for rate limits. Let's Encrypt has rate limits: max 50 certificates per registered domain per week. With many subdomains this can become relevant.
- Certificates are stored in Caddy's data storage (
/data/caddy/) and survive container restarts. - If Force HTTPS is disabled in the UI, the route still remains reachable on
:443and Caddy keeps trying to fetch a certificate (see implementation note above). If a route should really only be reachable over HTTP, this must be enforced at the infrastructure level (reverse-proxy configuration / firewall).
Troubleshooting
| Problem | Cause | Solution |
|---|---|---|
| Certificate is not issued | DNS does not point to the server | Check A record, use dig or nslookup |
| ACME challenge failed | Port 80 blocked | Check firewall / router, open port 80 |
| Too many certificates | Let's Encrypt rate limit | Wait 1 hour, then retry |
| Certificate expired | Caddy could not renew | Check Caddy logs, check DNS and port 80 |
See also
- guides/certificates.md — Manage certificates and debug errors
- concepts/routing.md — srv0 listener and host matching
- BACKEND-HTTPS.md — TLS on the Caddy-to-backend leg