SSL Certificates
Secure external traffic automatically with Let's Encrypt TLS/SSL certificates.
Dequel enforces HTTPS encryption for all public endpoints. The cluster edge routing layer manages keys, handshakes, and automatic certificate acquisition behind the scenes.
How Certificates are Provisioned
Dequel interfaces directly with Let’s Encrypt (a free, automated, open Certificate Authority):
- When a custom domain is successfully verified, Dequel triggers Caddy’s ACME certificate client.
- Caddy performs an HTTP-01 challenge verification with Let’s Encrypt servers.
- Upon challenge completion, Let’s Encrypt signs a valid SSL certificate.
- Caddy saves the certificate to the cluster storage path and starts enforcing TLS/HTTPS handshakes.
Automatic Renewals
Let’s Encrypt certificates are valid for 90 days. Dequel’s router checks certificates once daily and schedules automatic renewals 30 days before expiration, ensuring zero downtime and avoiding manual key management.
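As an added example (not Dequel's own code), this Python check lets an operator confirm from outside that automatic renewal is working, by comparing a served certificate's expiry with the 30-day renewal window described above. The `CHECK_SLACK_DAYS` value, the state names and the sample certificate are assumptions made for this illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_BEFORE_DAYS = 30  # from the page: renewal is scheduled 30 days before expiry
CHECK_SLACK_DAYS = 2    # assumption: tolerance for the once-daily check plus one retry


def fetch_cert(host, port=443, timeout=5.0):
    """Return the validated leaf certificate as the dict ssl.getpeercert() produces."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def issuer_org(cert):
    """Pull organizationName out of the nested issuer tuples."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def renewal_status(cert, now=None):
    """Classify a certificate against the 30-day renewal window."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (expires - now).total_seconds() / 86400
    if days_left <= 0:
        state = "EXPIRED"
    elif days_left < RENEW_BEFORE_DAYS - CHECK_SLACK_DAYS:
        state = "RENEWAL_OVERDUE"  # automatic renewal should already have replaced it
    elif days_left <= RENEW_BEFORE_DAYS:
        state = "RENEWAL_DUE"
    else:
        state = "OK"
    return {"state": state, "days_left": int(days_left), "issuer": issuer_org(cert)}


# Constructed sample in getpeercert() format; not a real certificate.
SAMPLE_CERT = {"issuer": ((("organizationName", "Let's Encrypt"),),),
               "notAfter": "Jun 30 12:00:00 2025 GMT"}

if __name__ == "__main__":
    print(renewal_status(SAMPLE_CERT, datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)))
```

For a live domain, pass the result of `fetch_cert("your-domain.example")` to `renewal_status`; a `RENEWAL_OVERDUE` result means the certificate has been inside the renewal window longer than the daily check should allow.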
Dequel uses TLS 1.3 and its modern cipher suites by default, providing strong security, fast TLS handshakes, and strict protection against legacy protocol exploits.
Troubleshooting SSL
If your domain status is stuck on PENDING_SSL:
- Verify that your DNS CNAME/A records have fully propagated.
- Ensure that no CDN service (e.g. Cloudflare proxy) is blocking HTTP ACME challenge endpoints (/.well-known/acme-challenge/).