team@tinypod.app

HTTPS Everywhere: How Let's Encrypt Changed Self-Hosting

Before Let's Encrypt, SSL certificates cost $50-200/year. Now HTTPS is free and automatic. Here's how it works.

Tags: https, ssl, lets-encrypt, security

Before Let's Encrypt


SSL certificates were expensive ($50-200/year), complicated to install, and required manual renewal. Many self-hosted apps ran on plain HTTP — insecure, vulnerable to eavesdropping and man-in-the-middle attacks.


What Let's Encrypt Changed


Let's Encrypt is a free, automated Certificate Authority that launched in 2016. It provides:

  • Free SSL certificates
  • Automated issuance (no manual CSR generation)
  • Automated renewal (certificates last 90 days, renew automatically)
  • Domain validation (prove you control the domain, get a cert)

How It Works


ACME Protocol

Let's Encrypt uses the ACME (Automatic Certificate Management Environment) protocol:

1. Your server requests a certificate for example.com
2. Let's Encrypt provides a challenge (prove you control the domain)
3. Your server solves the challenge (typically by serving a specific file on HTTP)
4. Let's Encrypt verifies and issues the certificate
5. Your server installs the certificate

All automated. No human intervention.


Challenge Types

**HTTP-01**: Let's Encrypt asks your server to serve a specific file at /.well-known/acme-challenge/. Most common and simplest.

**DNS-01**: Add a TXT record to your DNS. Required for wildcard certificates. Works even when port 80 is blocked.
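To make the two challenge types concrete, here is an added Python example (not part of the original post, and not Caddy's own code) that derives what the CA expects to find for HTTP-01 and DNS-01 from a challenge token and the account key, following RFC 8555 and RFC 7638. The account JWK and token below are constructed placeholders, not a real key.

```python
import base64
import hashlib
import json

# RFC 7638: only these members, sorted lexicographically, feed the thumbprint.
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(account_jwk: dict) -> str:
    """SHA-256 thumbprint of the ACME account's public key (RFC 7638)."""
    members = THUMBPRINT_MEMBERS[account_jwk["kty"]]
    canonical = json.dumps({k: account_jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """token '.' thumbprint: binds the CA's token to our account key, so a copy
    of our response is useless to anyone who does not hold that key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def http01_challenge(domain: str, token: str, account_jwk: dict) -> tuple:
    """URL the CA fetches over plain HTTP (port 80) and the body it expects."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, account_jwk)

def dns01_challenge(domain: str, token: str, account_jwk: dict) -> tuple:
    """TXT record name and value the CA queries; the value is a hash, so the
    key authorization itself is never published in DNS."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode()).digest()
    return f"_acme-challenge.{domain}", b64url(digest)

def ca_validates_http01(served_body: str, token: str, account_jwk: dict) -> bool:
    """CA-side check (RFC 8555 s8.3): body equals the key authorization;
    trailing whitespace is ignored."""
    return served_body.rstrip() == key_authorization(token, account_jwk)

def ca_validates_dns01(txt_records: list, domain: str, token: str, account_jwk: dict) -> bool:
    """CA-side check (RFC 8555 s8.4): some TXT record matches exactly."""
    return dns01_challenge(domain, token, account_jwk)[1] in txt_records

# Constructed sample data: a fake P-256 account JWK (not a real key) and a token.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "alg": "ES256",
               "x": "Y29uc3RydWN0ZWQtc2FtcGxlLXgtY29vcmRpbmF0ZQ",
               "y": "Y29uc3RydWN0ZWQtc2FtcGxlLXktY29vcmRpbmF0ZQ"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed, ACME-shaped
```

Calling `http01_challenge("example.com", TOKEN, ACCOUNT_JWK)` gives the URL and body a client such as Caddy must serve during validation; `dns01_challenge` gives the TXT record a DNS plugin publishes instead when port 80 is unreachable.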


HTTPS with Caddy

Caddy integrates Let's Encrypt natively:

    example.com {
        reverse_proxy localhost:3000
    }

That's the entire configuration. Caddy:

1. Detects a real domain name
2. Requests a Let's Encrypt certificate
3. Installs and configures it
4. Redirects HTTP to HTTPS
5. Renews automatically before expiration

No certbot, no cron jobs, no manual renewal.


Common Issues

Port 80 Must Be Open

HTTP-01 challenge requires port 80. Make sure your firewall allows it.

DNS Must Point to Your Server

Let's Encrypt connects to your domain to verify. If DNS doesn't resolve to your server, the challenge fails.

Rate Limits

Let's Encrypt limits to 50 certificates per domain per week. Unlikely to hit this in normal use.

Wildcard Certificates

Require DNS-01 challenge. Caddy supports this with DNS provider plugins.


TinyPod and HTTPS

TinyPod uses Caddy, so every application gets automatic HTTPS with zero configuration. Connect your domain, and SSL is handled immediately.