Feature
HTTPS by default
Every domain you point at SecureRedirector gets an automatically provisioned Let's Encrypt certificate. No manual ACME dance, no copy-pasting nginx configs, no expired-cert pages on a Saturday morning.
How provisioning works
When you add a domain in the management portal, the cron-driven
provisioner picks it up within minutes and runs an
install_new_site.sh step that:
- Generates an nginx site config from the SecureRedirector template, substituting your domain.
- Tests the nginx config and reloads nginx if the test passes.
- Calls
certbot --nginxto provision the certificate via the HTTP-01 challenge. - Adds HTTP/2 to the site config and reloads once more.
First-time provisioning typically completes inside two minutes. Subsequent runs are a no-op — existing sites are not overwritten by the cron.
Automatic renewal
Certbot installs a systemd timer that renews every certificate before expiration. Renewal failures are logged and surfaced in the deployment health-check output, so a broken renewal shows up in operations review before it shows up as a browser warning.
CDN compatibility
Domains validated over HTTP-01 work behind Cloudflare and other reverse-proxy CDNs. If your DNS points at a CDN first, you can still bring the domain online without breaking in-flight traffic — the validation goes through the proxy and back to SecureRedirector's origin.
What you don't have to do
- Track certificate expirations in a spreadsheet.
- Manually run
certbot renew. - Touch nginx for routine domain adds.
- Worry about the difference between staging and production ACME endpoints.
Bring your own certificate (if you need to)
Some domains can't use Let's Encrypt — internal CA chains, EV certificates for high-trust contexts, or wildcard certs you manage centrally. For self-hosted deployments, you can drop your own cert and key into the nginx site config and disable the automated provisioner for that domain. Hosted plans handle this via support.