- Environmental Variable:
- Config File Key:
Turning on autocert allows Pomerium to automatically retrieve, manage, and renew public facing TLS certificates from Let's Encrypt which includes managed routes and the authenticate service. Autocert Directory must be used with Autocert must have a place to persist, and share certificate data between services. Note that autocert also provides OCSP stapling.
This setting can be useful in situations where you may not have Pomerium behind a TLS terminating ingress or proxy that is already handling your public certificates on your behalf.
Autocert will incorporate certificates available in the system trust store and those set manually in the Pomerium configuration, and they will take precedence over generated certificates when applicable to configured routes.
Autocert will attempt
TLS-ALPN-01 challenges. It does not support
DNS-01 challenges, required to generate wildcard certificates.
Kubernetes users should not use autocert. See cert-manager's guide instead.
Autocert requires that port
443 be accessible from the internet in order to complete a TLS-ALPN-01 challenge or port
80 in order to complete an HTTP-01 challenge (https://letsencrypt.org/docs/challenge-types/#tls-alpn-01).