SSL Certificates

Piora integrates Let’s Encrypt through Traefik to provide free SSL/TLS certificates for all your domains automatically, with no manual configuration required.

Automatic SSL Certificates

How It Works

1. When you add a domain to an application, Traefik automatically requests a certificate from Let’s Encrypt
2. The HTTP-01 challenge is used to verify domain ownership
3. Once issued, the certificate is automatically applied to the domain
4. Certificates are auto-renewed 30 days before expiration

Fully Automated

You don’t need to manage any SSL certificates manually. Piora handles the entire lifecycle — requesting, installing, and renewing.

Certificate Details

Item	Description
Certificate Authority	Let’s Encrypt
Certificate Type	DV (Domain Validation)
Validity	90 days
Auto-renewal	30 days before expiration
Cost	Free

HTTPS Redirection

Piora automatically redirects all HTTP requests to HTTPS by default:

http://app.example.com → 301 → https://app.example.com

This ensures all traffic is transmitted over encrypted connections.

API Requests

The HTTP to HTTPS redirect uses a 301 permanent redirect. For API clients, we recommend using https:// URLs directly to avoid the extra redirect overhead.

Certificate Status

In the Piora dashboard, you can view the SSL certificate status for each domain:

Status	Description
Valid	Certificate is active and working
Requesting	Currently requesting from Let’s Encrypt
Renewing	Auto-renewal in progress
Failed	Request or renewal failed

Troubleshooting Certificate Failures

If an SSL certificate request fails, common causes include:

DNS Not Propagated

Let’s Encrypt requires HTTP-01 validation. Ensure DNS correctly points to your VPS:

# Check DNS records
dig +short yourdomain.com
# Should return your VPS IP

Port Not Open

The Let’s Encrypt validation process requires access to port 80:

# Confirm port 80 is open
sudo ufw status
# Ensure 80/tcp shows ALLOW

Rate Limits

Let’s Encrypt has rate limits:

• Maximum 50 certificates per domain per week
• Maximum 10 failed validations per IP per 3 hours

If you hit rate limits, wait before retrying.

Testing Note

Frequently deleting and recreating applications consumes Let’s Encrypt rate limit quota. We recommend reusing the same application during testing to avoid repeated certificate requests.

Custom SSL Certificates

While Let’s Encrypt free certificates are sufficient for most cases, you can use custom certificates if you have special needs (e.g., EV certificates or wildcard certificates).

Uploading Custom Certificates

1. Prepare your certificate file (.crt) and private key file (.key)
2. In the application’s SSL settings, select “Custom Certificate”
3. Upload the certificate and private key

Custom Certificate Renewal

When using custom certificates, you’re responsible for managing renewal. We recommend setting reminders to update before expiration.

TLS Versions

Traefik supports TLS 1.2 and TLS 1.3 by default:

TLS Version	Status
TLS 1.0	Not supported (insecure)
TLS 1.1	Not supported (insecure)
TLS 1.2	Supported
TLS 1.3	Supported (recommended)

This ensures modern encryption standards and security.