Fully Automatic Let's Encrypt Support and Custom Domains

By Girish on Friday, February 5th 2016

We are releasing support for custom domains today, thanks in large part to Let's Encrypt.

If you are wondering what a Cloudron is, please read this first. In short, the Cloudron is a managed Smartserver designed to run web applications. When you sign up, you can create a server with a domain name of your choice. From there on, installing web apps from our Cloudron Store is just a click away. Backups, updates, SSL certificates, security fixes are all taken care of.

Let's Encrypt

So far, you had to choose a subdomain under cloudron.me for your Cloudron. This limitation was because of the fact that automating SSL certificate creation, installation and renewal is extremely difficult. There's also the small matter that wild card certificates are quite expensive.

Enter Let's Encrypt, a new Certificate Authority, that not only makes it possible to fully automate certificate creation and renewal but also provides them for free!


The main requirement is that your custom domain must be hosted by Route53.

If you intend to use a brand new domain, we suggest simply purchasing the domain from Route53 itself. Doing so, will automatically setup your domain's nameservers to Route53.

If you have an existing domain, you have two choices:

  • Move your domain to use Route53 name servers by following this guide. If you are having trouble with this process, Chat or email us and we can help you out.

  • Alternately, if your DNS provider provides an automatable API, let us know and we will try to support it :-)

Once you have done the above, if you are an existing customer, just send us a mail and we will migrate your existing Cloudron to the new domain. All your data, apps and all configuration will be intact. That's the power of the Cloudron. Everything you do in a Cloudron is trivially relocatable.

For new customers, simply follow the instructions when creating a new Cloudron (FAQ).

Seeing is believing

Our very own chat server runs on a Cloudron :-) You are welcome to register and talk to us there.

How it works

The Cloudron Smartserver contains an implementation of the Acme specification. We use the Simple HTTP validation approach to get certificates from Let's Encrypt. (For the curious, when we started writing the code, DVSNI was not supported).

We also require your domain to be hosted on Route53. This allows us to automate the DNS management of your domain.

When you install a blog app at say blog.mydomain.com, we automatically setup the DNS records, and provision the Cloudron to validate against Let's Encrypt. Once validated, we get the certificate and install it. Lo and behold, you have a blog which is completely HTTPS (the Cloudron does not support HTTP anyway).

Certificate Renewal

Let's Encrypt certificates are only valid for 3 months. The Cloudron will automatically track all your certificates and renew them as required.

Certificate Reuse

If you delete an app, the certificates for the subdomain are still retained so that they can be reused (see certificate limits below). This is useful if you started out with an app in a subdomain but changed your mind and want to use another app in the same subdomain. For example, chat.mydomain.com can be switched over from Lets Chat to Rocket.Chat keeping the cert.

Certificate limits

Let's Encrypt only issues 5 certificates for a domain per week. This means that if you install more applications on your Cloudron, you will be unable to get certificates. For such situations, you can provide a fallback certificate to use in the settings page. Alternately, wait out a week so you can get more certs :-)