When you deploy a project with Klystrr, SSL is part of the process. Certbot issues a Let's Encrypt certificate for your domain, Nginx or Apache is configured to serve HTTPS traffic, and you get a secure URL without touching the certificate chain manually.
The problem
SSL certificates are not hard to understand, but they are easy to get wrong, and the consequences are visible to every user. Typical failures are a browser warning, a mixed-content error, a certificate that expired without renewal, or an Nginx configuration that still serves HTTP on port 80 instead of redirecting to HTTPS.
The solution
Klystrr integrates SSL issuance into the deployment pipeline. After your application is deployed and the reverse proxy is configured, Klystrr invokes Certbot on your server to request a Let's Encrypt certificate. The Nginx or Apache configuration is updated automatically to serve HTTPS and redirect HTTP traffic.
Key features
Klystrr runs Certbot on your server after each deployment to issue or renew Let's Encrypt certificates. No manual invocation, no cron job to configure, no Certbot flags to memorize.
Klystrr configures SSL for both Nginx and Apache reverse proxies. The appropriate server block or VirtualHost is written with HTTPS settings, including the HTTP-to-HTTPS redirect and HSTS headers.
Every project deployed with Klystrr gets a default public URL at project-name.klystrr.app, served over HTTPS. SSL for these domains is managed centrally as part of the standard deployment flow.
The Klystrr dashboard shows the SSL status for each project — whether a certificate is active, when it was last issued, and whether there are any configuration errors. No SSH required.
When certificate issuance fails, Klystrr surfaces the error in the deployment log. Common causes — DNS not yet propagated, port 80 blocked, webroot misconfiguration — are reported with enough context to diagnose.
Let's Encrypt certificates are valid for 90 days. Certbot's auto-renewal mechanism handles renewal on your server. Klystrr ensures Certbot is properly set up from the first deployment so the renewal job is always in place.
How it works
Run a deployment through Klystrr. The application is started via PM2 and bound to a local port.
Klystrr writes an Nginx or Apache configuration that proxies traffic from the domain (port 80 initially) to your application's local port.
For the certificate to issue, the domain must resolve to your server's IP address. For default klystrr.app subdomains, this is handled automatically. For custom domains, you must configure DNS records first.
Klystrr invokes Certbot via the webroot or HTTP-01 challenge method. Certbot contacts Let's Encrypt, validates domain ownership by serving a challenge file, and retrieves the certificate.
Klystrr updates the Nginx or Apache configuration to use the issued certificate, enables HTTPS on port 443, and configures a permanent redirect from port 80.
Your application is now accessible over HTTPS. The certificate is stored on your server under the standard Certbot path (/etc/letsencrypt/live/).
Certbot's renewal daemon or cron job renews the certificate before expiry. No manual intervention is required unless the server configuration changes.
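The end state these steps describe can be checked against the Nginx configuration on the server. The following is an added example, not Klystrr's own code or generated configuration: it audits a config for the permanent port 80 redirect, an HTTPS listener on 443, a certificate under /etc/letsencrypt/live/, and an HSTS header. The sample config, domain, upstream port and finding names are constructed, and the brace-matching parser assumes no braces inside comments or quoted strings.

```python
import re

# Constructed sample config, not Klystrr output; domain and upstream port are placeholders.
GOOD = """
server {
    listen 80;
    server_name app.example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name app.example.com;
    ssl_certificate /etc/letsencrypt/live/app.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;
    add_header Strict-Transport-Security "max-age=31536000" always;
    location / { proxy_pass http://127.0.0.1:3000; }
}
"""
# Same config, but port 80 still proxies plaintext traffic to the app.
BAD = GOOD.replace("return 301 https://$host$request_uri;",
                   "location / { proxy_pass http://127.0.0.1:3000; }")

def server_blocks(conf):
    """Yield the body of each `server { ... }` block by matching braces."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def audit(conf):
    """Return a list of findings; an empty list means all checks passed."""
    blocks = list(server_blocks(conf))
    tls = [b for b in blocks if re.search(r"listen\s+(\S+:)?443\b[^;]*\bssl\b", b)]
    findings = [] if tls else ["no-https-listener"]
    for b in blocks:
        if re.search(r"listen\s+(\S+:)?80\b", b) and not re.search(
                r"return\s+(301|308)\s+https://", b):
            findings.append("port-80-not-redirected")
    for b in tls:
        if not re.search(r"ssl_certificate\s+/etc/letsencrypt/live/[^/\s]+/fullchain\.pem", b):
            findings.append("certificate-not-under-certbot-path")
        if not re.search(r'add_header\s+Strict-Transport-Security\s+"?max-age=\d+', b):
            findings.append("missing-hsts")
    return findings

if __name__ == "__main__":
    print(audit(GOOD), audit(BAD))
```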
Use cases
You deploy a NestJS API for the first time. Klystrr deploys the code, configures Nginx, and issues an SSL certificate in the same deployment run. The API is available at https://your-api.klystrr.app within minutes.
When you redeploy after a code change, Klystrr checks the SSL status. If the certificate is still valid, it is left in place. If it is close to expiry or was revoked, Certbot renews it.
Each Klystrr project has its own Nginx server block and its own Let's Encrypt certificate. Ten projects on the same VPS means ten separate certificates, each independently issued and renewed.
A new project's SSL issuance fails because port 80 is blocked by a UFW rule. The Klystrr deployment log shows the Certbot error output. You open port 80 in UFW and redeploy — the certificate issues successfully.
You point a custom domain's A record to your server. Once DNS propagates, you trigger a redeployment in Klystrr, and Certbot issues the certificate for your custom domain.
Klystrr makes that the default, not an afterthought.
Deploy your first HTTPS project today, no credit card required.
Your server runs the certificate. Klystrr just makes sure it gets set up correctly.