team@tinypod.app

Setting Up Automated SSL Certificates with Caddy

Caddy automatically provisions and renews SSL certificates. Zero-config HTTPS for all your self-hosted services.

Tags: caddy, ssl, https, certificates

Why Caddy for SSL?


Caddy automatically provisions SSL certificates from Let's Encrypt. No manual certificate management, no renewal scripts, no cron jobs.


How It Works


1. You configure a domain in Caddy

2. Caddy automatically requests a certificate from Let's Encrypt

3. Certificate is installed and configured

4. Caddy auto-renews before expiry

5. HTTP is automatically redirected to HTTPS


Caddyfile Example


    gitea.example.com {
        reverse_proxy localhost:3000
    }

    grafana.example.com {
        reverse_proxy localhost:3001
    }


That's it. Both domains get HTTPS automatically.


Caddy vs Nginx + Certbot


  • Caddy: HTTPS is automatic, config is simple
  • Nginx + Certbot: Manual setup, separate renewal cron, more control

Advanced Features


Wildcard Certificates

Use the DNS challenge for *.example.com. The cloudflare DNS provider is a plugin module, so this requires a Caddy build that includes it:

    *.example.com {
        tls {
            dns cloudflare {env.CF_API_TOKEN}
        }
    }


Internal Certificates

Caddy can act as an internal CA for services that don't need public certificates.


On-Demand TLS

Provision certificates on first request — useful for multi-tenant apps.
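
On-demand issuance needs a gate, otherwise any hostname pointed at the server can trigger a certificate request. Caddy's `on_demand_tls` global option takes an `ask` URL for this; below is an added example (not from the original post or TinyPod's own code) of such an endpoint, where the port, the `/check` path and the tenant list are assumptions.

```python
# Added example: an "ask" endpoint for Caddy's on-demand TLS.
# Matching Caddy global options (port and path are assumptions):
#   {
#       on_demand_tls {
#           ask http://127.0.0.1:5555/check
#       }
#   }
# Caddy sends GET <ask URL>?domain=<name> and only issues on a 2xx reply.
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs

# Constructed sample data: hostnames tenants have registered with the app.
TENANT_DOMAINS = {"shop.customer-one.example", "blog.customer-two.example"}

# Conservative hostname syntax: LDH labels, at least one dot, no wildcard.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

def decide(path, allowed=TENANT_DOMAINS):
    """Return the HTTP status for an ask request path such as /check?domain=x."""
    url = urlparse(path)
    values = parse_qs(url.query).get("domain", [])
    if url.path != "/check" or len(values) != 1:
        return 400                      # malformed or ambiguous request
    domain = values[0].lower().rstrip(".")
    if not _HOSTNAME.match(domain):
        return 400                      # IP literals, wildcards, junk
    return 200 if domain in allowed else 403

class AskHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status = decide(self.path)      # anything other than 2xx blocks issuance
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):  # keep a record of every decision
        print("ask:", fmt % args)

if __name__ == "__main__":
    # Bind to loopback so only the local Caddy process can query it.
    HTTPServer(("127.0.0.1", 5555), AskHandler).serve_forever()
```

In a real deployment the allowlist would come from the application's tenant database rather than a constant.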


Best Practices


  • Use HSTS headers
  • Enable OCSP stapling (Caddy does this by default)
  • Monitor certificate expiry with Uptime Kuma
  • Keep Caddy updated

Deployment


On TinyPod, Caddy is the default reverse proxy. SSL certificates are handled automatically for every service you deploy.