TLS / HTTPS
Pipebase ships with Traefik labels that ask Coolify (or whichever Traefik is on your reverse-proxy network) to provision Let’s Encrypt certificates automatically.
What you need
- LETSENCRYPT_EMAIL set in .env (init.sh prompts for it)
- Traefik running on the coolify network with the standard letsencrypt resolver
- Ports 80 and 443 reachable from the public internet
How it works
When Traefik sees the traefik.http.routers.*.tls.certresolver=letsencrypt
label on a Pipebase container, it:
- Listens for incoming HTTPS requests on the configured Host rule
- On first hit (or 5min before expiry), kicks off an HTTP-01 challenge over port 80
- Persists the issued certificate in its acme.json
You don’t run certbot yourself.
Troubleshooting
“Failed to obtain certificate”
Almost always one of:
- DNS hasn’t propagated yet. Check with dig +short designer.<your-root>. Wait 5 min, retry.
- Port 80 isn’t reachable. Let’s Encrypt’s HTTP-01 challenge needs port 80 inbound. Check your firewall (ufw status / cloud security group). Coolify’s Traefik already binds it; if you run your own Traefik, expose 80:80 and 443:443.
- Rate limit. Let’s Encrypt limits 5 failed validations per hostname per hour. If you’ve been thrashing, wait 60min before the next attempt.
- LETSENCRYPT_EMAIL is unset. Traefik refuses to register without a contact email.
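The DNS, port 80 and contact-email causes above can be checked before Traefik ever contacts Let’s Encrypt, which also avoids burning failed validations against the rate limit. The following pre-flight script is an added example, not part of Pipebase or Coolify; the script name, the expected-IP argument, the email format check and the DIG/CURL override variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not shipped with Pipebase): pre-flight checks for the causes above.
# The DIG/CURL overrides are an assumption of this sketch so the logic can be stubbed.
DIG=${DIG:-dig}
CURL=${CURL:-curl}

# Print KEY's value from a dotenv FILE (last assignment wins); strips an
# optional "export " prefix, surrounding quotes and a trailing CR.
env_value() {
    sed -n "s/^[[:space:]]*\(export[[:space:]][[:space:]]*\)\{0,1\}$2=//p" "$1" |
        tail -n 1 | tr -d '\r' | sed "s/^[\"']//; s/[\"']\$//"
}

# LETSENCRYPT_EMAIL unset or malformed: Traefik cannot register an ACME account.
check_email() {
    email=$(env_value "$1" LETSENCRYPT_EMAIL)
    case $email in
        ?*@?*.?*) return 0 ;;
        *) echo "FAIL: LETSENCRYPT_EMAIL missing or malformed in $1" >&2; return 1 ;;
    esac
}

# DNS: one of the returned records must be this server's public IP.
check_dns() {
    answers=$($DIG +short "$1")
    if printf '%s\n' "$answers" | grep -Fqx "$2"; then return 0; fi
    echo "FAIL: $1 resolves to '${answers:-nothing}', expected $2" >&2
    return 1
}

# Port 80: any HTTP status (even 404) means the port is open; curl prints 000
# when it cannot connect. Run from outside the server to test public reachability.
check_port80() {
    code=$($CURL -s -o /dev/null --max-time 5 -w '%{http_code}' "http://$1/") || true
    [ -n "$code" ] && [ "$code" != "000" ] && return 0
    echo "FAIL: no HTTP response from $1 on port 80" >&2
    return 1
}

# Usage: preflight.sh <env-file> <hostname> <expected-ip>
if [ "$#" -eq 3 ]; then
    rc=0
    check_email "$1" || rc=1
    check_dns "$2" "$3" || rc=1
    check_port80 "$2" || rc=1
    exit "$rc"
fi
```

A non-zero exit means at least one check failed; fix it before restarting the container so the next ACME attempt does not count as another failed validation.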
To inspect Traefik’s verdict:
docker logs <traefik-container> 2>&1 | grep -i "designer\|acme\|certificate"
Custom CA / staging
For non-prod environments where you want self-signed or staging certs,
override the certresolver label per service. Out of scope here — see
Traefik’s ACME docs.