🚧 These docs are a work in progress and may contain inaccuracies. Content is being actively reviewed and validated.

HTTPS & SSL

Dubby does not handle TLS itself: it serves plain HTTP on port 3000 and relies on a reverse proxy to terminate HTTPS. Only the proxy should be reachable from outside; keep port 3000 on an internal network (or bound to localhost) so nothing can bypass TLS and talk to the app in cleartext. This page covers how to obtain and configure TLS certificates for that proxy.

Caddy is the easiest path to HTTPS. It provisions and renews Let’s Encrypt certificates automatically with no certificate-specific configuration at all; a site block with a hostname is enough:

dubby.example.com {
    reverse_proxy dubby:3000
}

No certificate files, no cron jobs, no renewal scripts. Caddy handles everything.

Requirements:

  • Ports 80 and 443 must be reachable from the internet: Let’s Encrypt’s HTTP-01 challenge uses port 80, and the TLS-ALPN-01 challenge (which Caddy also tries) uses port 443
  • DNS must point dubby.example.com to your server’s public IP
  • Caddy’s data directory (/data in the official Docker image) must persist across restarts, for example on a named volume, so the certificates and ACME account are reused rather than re-issued on every start; re-issuing repeatedly runs into Let’s Encrypt rate limits

If you use Nginx, certbot can provision free certificates from Let’s Encrypt.

# Debian / Ubuntu
sudo apt install certbot python3-certbot-nginx
# Fedora
sudo dnf install certbot python3-certbot-nginx

sudo certbot --nginx -d dubby.example.com

Certbot modifies your Nginx config to add the ssl_certificate and ssl_certificate_key directives and sets up automatic renewal via a systemd timer.

sudo certbot renew --dry-run

Let’s Encrypt certificates are valid for 90 days. The certbot timer runs twice a day and renews any certificate with fewer than 30 days left, so in practice each certificate is replaced roughly every 60 days. The nginx plugin reloads Nginx after a renewal; after the first real renewal, confirm that Nginx is actually serving the new certificate.

Traefik has built-in ACME support. Add a certificate resolver to your static configuration:

certificatesResolvers:
  letsencrypt:
    acme:
      storage: /letsencrypt/acme.json
      httpChallenge:
        entryPoint: web

Then reference certresolver=letsencrypt on your router (see Reverse Proxy — Traefik). Keep /letsencrypt on a persistent volume, and make acme.json readable only by its owner (chmod 600): the file holds your private keys, and Traefik refuses to start if its permissions are more permissive than that.

For local-only access where you don’t need a publicly trusted certificate:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout dubby.key -out dubby.crt \
-subj "/CN=dubby.local" \
-addext "subjectAltName=DNS:dubby.local"

The -addext line (OpenSSL 1.1.1 or newer) adds a subjectAltName; modern browsers ignore the CN and reject a certificate that has no SAN at all. Then configure your reverse proxy to use dubby.crt and dubby.key, and keep dubby.key readable only by the proxy (chmod 600). Browsers will still show a security warning since the certificate isn’t signed by a trusted CA.

Self-signed certificates are fine for testing or LAN access, but a client that clicks through the warning gets no protection against man-in-the-middle attacks: any attacker can present their own self-signed certificate and it looks the same. You only regain that protection by explicitly trusting the certificate (or a private CA that signed it) on every client device.
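One step up from a bare self-signed certificate, as an added example that is not part of the Dubby docs or project: a tiny private CA. You trust ca.crt once on each client (OS or browser trust store) and then sign as many server certificates as you like, so clients get a real chain to validate instead of a warning to click through. The directory layout, the hostname dubby.local and the validity periods are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not part of the Dubby docs: a tiny private CA for LAN or test
# deployments. Clients trust ca.crt once; every server cert signed by it is
# then accepted without warnings. The hostname, output directory and validity
# periods below are illustrative values.
set -eu

# make_local_ca <dir> <hostname>: creates ca.key/ca.crt and a server key/cert
# pair (dubby.key/dubby.crt) carrying a subjectAltName for <hostname>.
make_local_ca() {
  dir="$1"; host="$2"
  mkdir -p "$dir"

  # 1. CA key and self-signed CA certificate. With the stock openssl.cnf,
  #    "req -x509" applies the v3_ca extensions (basicConstraints CA:TRUE).
  openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/CN=Dubby Local CA" 2>/dev/null

  # 2. Server key and certificate signing request.
  openssl req -nodes -newkey rsa:2048 \
    -keyout "$dir/dubby.key" -out "$dir/dubby.csr" \
    -subj "/CN=$host" 2>/dev/null

  # 3. Sign the CSR with the CA. The SAN is what browsers check (CN alone is
  #    ignored); extendedKeyUsage restricts the cert to TLS server use.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/dubby.ext"
  openssl x509 -req -days 365 -in "$dir/dubby.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/dubby.ext" -out "$dir/dubby.crt" 2>/dev/null

  # Private keys must not be world-readable. Once signing is done, the CA key
  # should not stay on the server at all: whoever holds it can mint certs for
  # any name every trusting client will accept.
  chmod 600 "$dir/ca.key" "$dir/dubby.key"
  rm -f "$dir/dubby.csr" "$dir/dubby.ext"
}

# verify_chain <dir>: exit 0 if dubby.crt chains to ca.crt, which is what a
# client that trusts ca.crt will evaluate.
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" "$1/dubby.crt" >/dev/null 2>&1
}

# Usage: make_local_ca ./pki dubby.local && verify_chain ./pki
```

Hand dubby.crt and dubby.key to the reverse proxy exactly as with the self-signed certificate; the difference is that clients which have imported ca.crt now validate the chain, so a substituted certificate from a man-in-the-middle fails instead of producing the same warning they have learned to click through.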

If you can’t open port 80 (e.g., ISP blocks it) or want a wildcard certificate, use the DNS-01 challenge instead of HTTP-01. This works with any reverse proxy.

sudo certbot certonly --manual --preferred-challenges dns \
-d dubby.example.com

Certbot prompts you to add a TXT record at _acme-challenge.dubby.example.com and waits for you to confirm it has propagated. With --manual and no authentication hook the certificate cannot be renewed unattended, so for anything beyond a one-off use a DNS plugin (e.g., certbot-dns-cloudflare) with an API token that can only edit DNS records for that zone; renewals then run automatically like the HTTP-01 case.

dubby.example.com {
    tls {
        dns cloudflare {env.CF_API_TOKEN}
    }
    reverse_proxy dubby:3000
}

Requires a Caddy build that includes the Cloudflare DNS module (or the equivalent module for your DNS provider); the stock binary doesn’t ship it, so build with xcaddy or select the plugin on the Caddy download page. Scope the API token to DNS edit rights on that zone only, and pass it through the environment as shown rather than writing it into the Caddyfile.

After setup, confirm TLS is working:

curl -v https://dubby.example.com/health/

Look for "SSL connection using TLSv1.3" (or TLSv1.2) and, more importantly, "SSL certificate verify ok." in the output: curl only prints the latter when the chain validates against the system trust store, which is the check the self-signed setup above fails. The health endpoint should return { "status": "ok" }. Finally, request plain http://dubby.example.com/ and confirm it redirects to HTTPS rather than serving the app in cleartext.
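The same checks as a small POSIX shell script built on the openssl CLI, as an added example that is not part of the Dubby docs or project: it confirms that the chain verifies against the system trust store, that the hostname is covered by the certificate’s subjectAltName (including single-label wildcards), and that renewal isn’t overdue. fetch_leaf_cert and check_tls need network access to the target; the cert_* helpers work offline on any PEM file, such as certbot’s fullchain.pem. dubby.example.com and the 14-day threshold are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not part of the Dubby docs: post-setup TLS checks built on
# the openssl CLI. fetch_leaf_cert and check_tls need network access to the
# target host; the cert_* helpers work offline on any PEM certificate file.
# dubby.example.com and the 14-day renewal threshold are illustrative values.
set -eu

# fetch_leaf_cert <host> <out.pem> [port]: save the leaf certificate the
# server presents for <host> (with SNI, as a browser would) to a PEM file.
fetch_leaf_cert() {
  openssl s_client -connect "$1:${3:-443}" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -out "$2"
}

# cert_valid_for_days <cert.pem> <days>: exit 0 if the certificate is still
# valid <days> from now; -checkend exits 1 when it would expire before then.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# cert_dns_sans <cert.pem>: print the DNS names from subjectAltName, one per line.
cert_dns_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed -n 's/.*DNS:\([^, ]*\).*/\1/p'
}

# cert_matches_host <cert.pem> <host>: exit 0 if <host> is covered by a SAN,
# using the browser rule: exact match, or a *.example.com wildcard covering
# exactly one extra label (it covers neither example.com nor a.b.example.com).
cert_matches_host() {
  sans=$(cert_dns_sans "$1")
  host="$2"
  printf '%s\n' "$sans" | grep -qxF -- "$host" && return 0
  [ "${host%%.*}" != "$host" ] || return 1   # no dot: no wildcard can match
  printf '%s\n' "$sans" | grep -qxF -- "*.${host#*.}"
}

# check_tls <host> [port]: chain verifies against the system trust store, the
# name matches, and at least 14 days of validity remain. Prints one line per
# check and returns 1 if any failed, so it can drive a cron or monitoring job.
check_tls() {
  host="$1"; port="${2:-443}"; rc=0
  tmp=$(mktemp)
  # s_client prints "Verify return code: 0 (ok)" only when the chain validates
  if openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
       | grep -q 'Verify return code: 0 (ok)'; then
    echo "chain: ok"
  else
    echo "chain: FAILED (untrusted issuer, expired, or incomplete chain)"; rc=1
  fi
  fetch_leaf_cert "$host" "$tmp" "$port"
  if cert_matches_host "$tmp" "$host"; then
    echo "name: ok"
  else
    echo "name: FAILED (no SAN covers $host)"; rc=1
  fi
  if cert_valid_for_days "$tmp" 14; then
    echo "expiry: ok"
  else
    echo "expiry: FAILED (under 14 days left; is the renewal timer running?)"; rc=1
  fi
  rm -f "$tmp"
  return $rc
}

# Usage: check_tls dubby.example.com
```

Run check_tls from cron or your monitoring system and alert on a non-zero exit. The expiry check is the one that matters most over time: a renewal timer that has silently stopped (a disabled systemd unit, a revoked DNS API token, port 80 firewalled after the fact) shows up here weeks before the site actually breaks.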