Documentation
Publishing a site over public HTTPS
This page covers the full path from a working local site to a live public site with automatic HTTPS certificate management. Everlock handles certificate issuance and renewal through ACME (the same protocol used by Let's Encrypt) without any external tooling.
Prerequisites
Before you start, you need:
- an Everlock instance reachable from the internet on ports 80 and 443
- a domain name with a DNS A record pointing at that server's IP
- the site already created in Everlock (see Getting started with a Markdown site)
ACME certificate issuance uses the http-01 challenge, which means Everlock needs to be reachable on port 80 from Let's Encrypt's servers at the moment it requests a certificate. The domain must resolve to your server's public IP before you start.
Step 1 — Configure the HTTP frontend
Everlock's HTTP frontend reads its settings from config/frontend-http.toml inside the Everlock data directory. Create or edit that file:
listen_http = "0.0.0.0:80"
listen_https = "0.0.0.0:443"
acme_email = "ops@yourdomain.com"
redirect_http_to_https = true
| Field | Required | Purpose |
|---|---|---|
| listen_http | Yes | Port for HTTP traffic and ACME challenges |
| listen_https | Yes | Port for HTTPS traffic; triggers ACME when set |
| acme_email | Yes for HTTPS | Contact email registered with the CA; used for renewal notices |
| redirect_http_to_https | No | When true, HTTP requests redirect to HTTPS automatically |
Everlock will refuse to start HTTPS if acme_email is not set.
Step 2 — Map your domain to the site
In the admin console, add your public domain as a vhost on the site:
/site set my-docs vhost=docs.yourdomain.com
If the site backend is already running, this takes effect immediately without a restart. You can confirm the mapping with:
/site list
Expected output shape:
my-docs (store: my-docs, auth: public, mode: markdown)
vhosts: localhost, docs.yourdomain.com
clone: ssh://admin@localhost:2222/my-docs
Step 3 — Restart to apply frontend changes
Because you edited frontend-http.toml directly, you need to restart the Everlock process to pick up the new listener configuration:
# If running via systemd
systemctl restart everlock
# If running directly
kill <pid> && everlock serve
On startup, Everlock will:
- bind the HTTP listener on port 80
- bind the HTTPS listener on port 443
- detect which vhosts are public hostnames (not localhost, *.local, or raw IP addresses)
- request a certificate from Let's Encrypt for each public hostname
- serve HTTPS immediately once the certificate is issued
The first certificate request takes a few seconds. Everlock logs the outcome:
frontend-http: issuing or renewing certificate for docs.yourdomain.com
frontend-http: certificate persisted for docs.yourdomain.com
HTTPS server listening on https://0.0.0.0:443
How ACME works here
Everlock uses the http-01 challenge. Let's Encrypt sends a request to http://<your-domain>/.well-known/acme-challenge/<token> to verify that you control the domain. Everlock responds to this challenge automatically on the HTTP listener. No separate certbot, nginx, or external tool is involved.
The certificate and private key are stored in:
config/<hostname>/fullchain.pem
config/<hostname>/privkey.pem
Renewal is also automatic. Everlock checks the certificate expiry at startup and renews it if it expires within acme_renew_before_days (default: 30 days).
Using a staging CA for testing
Let's Encrypt's production CA has strict rate limits. When testing the setup, use the staging endpoint to avoid hitting those limits:
acme_directory = "https://acme-staging-v02.api.letsencrypt.org/directory"
Staging certificates are not trusted by browsers, but they let you verify that the whole issuance flow works before switching to production. Remove the acme_directory line (or set it to the production URL) when you're ready.
Local and development vhosts are never ACME-managed
Everlock automatically skips ACME for hosts that cannot have publicly trusted certificates:
- localhost
- anything ending in .local (mDNS hostnames)
- raw IP addresses
These vhosts are served over plain HTTP regardless of whether listen_https is configured. This means you can add localhost as a vhost for local development and docs.yourdomain.com for production, and Everlock handles each one correctly without any per-vhost configuration.
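As an added example (not Everlock's own code), the following Python check lints the Step 1 settings, passed in as an already-parsed dict, and flags the vhosts that will stay on plain HTTP under the rules above. The function names and the classification logic are assumptions that approximate what this page describes, and the sample values are constructed.

```python
import ipaddress

# Staging directory URL as given on this page.
STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"

def is_acme_managed(vhost):
    """Approximation of the page's rule: localhost, *.local and raw IPs get no certificate."""
    host = vhost.strip().rstrip(".").lower()
    if host.startswith("[") and host.endswith("]"):  # bracketed IPv6 literal
        host = host[1:-1]
    if host == "localhost" or host.endswith(".local"):
        return False
    try:
        ipaddress.ip_address(host)  # parses IPv4 and IPv6 literals
        return False
    except ValueError:
        return True

def preflight(cfg, vhosts):
    """Return findings for a parsed frontend-http.toml (dict) and a site's vhost list."""
    findings = []
    if cfg.get("listen_https") and not cfg.get("acme_email"):
        findings.append("error: listen_https is set but acme_email is missing")
    if not str(cfg.get("listen_http", "")).endswith(":80"):
        findings.append("warn: listen_http is not on port 80, which http-01 requires")
    if cfg.get("acme_directory") == STAGING:
        findings.append("warn: staging CA in use; browsers will not trust the certificate")
    if cfg.get("redirect_http_to_https") is not True:
        findings.append("warn: redirect_http_to_https is not set to true")
    for v in vhosts:
        if not is_acme_managed(v):
            findings.append("info: %s is skipped by ACME and served over plain HTTP" % v)
    return findings

# Constructed sample input, not taken from a real deployment.
SAMPLE_CFG = {
    "listen_http": "0.0.0.0:80",
    "listen_https": "0.0.0.0:443",
    "acme_directory": STAGING,
    "redirect_http_to_https": True,
}
SAMPLE_VHOSTS = ["localhost", "docs.yourdomain.com", "203.0.113.10", "nas.local"]

if __name__ == "__main__":
    for line in preflight(SAMPLE_CFG, SAMPLE_VHOSTS):
        print(line)
```

Running it before the Step 3 restart shows which settings would block issuance and which vhosts should not carry content that needs transport encryption.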
Multiple public domains
A single site can serve multiple public domains. Each gets its own certificate:
/site set my-docs vhost=docs.yourdomain.com
/site set my-docs vhost=www.yourdomain.com
Everlock issues and renews each certificate independently.
You can also run multiple separate sites on different domains from a single Everlock instance. See Multi-site setup for the full walkthrough.
Removing a public domain
/site unset my-docs vhost=docs.yourdomain.com
This removes the vhost mapping immediately without a restart. The certificate files on disk are not deleted, but they will not be renewed.