Appwrite uses Let's Encrypt to auto-generate TLS certificates for your Appwrite instance so that your API traffic is encrypted in transit. For Appwrite to generate certificates successfully, a few conditions need to be met.
- You need to use a public-facing domain with a known TLD pointing to your Appwrite instance.
- Your `_APP_ENV` environment variable should be set to production mode. The default Appwrite setup ships with this setting, so you should be fine unless you change it.
- You need to ensure a valid email address is set in `_APP_SYSTEM_SECURITY_EMAIL_ADDRESS`. The default setup ships with firstname.lastname@example.org as the value. While this address will work, it's recommended to change it to your own email.
- Currently, Appwrite uses the ACME HTTP challenge to issue a TLS certificate. Because the challenge itself is answered on port 80, certificates can only be generated for port 443; other ports will not work at this point. To work around this limit, you can run Appwrite on a separate sub-domain, or use your own certificate or a proxy server in front of Appwrite.
If you're still struggling to get your certificate to work, check the Appwrite certificates worker log with the following command:

```bash
docker-compose logs appwrite-worker-certificates
```
Dev Environment and Localhosts
You can't issue a signed certificate for localhost. This is not an Appwrite-specific limitation: nobody uniquely owns that hostname, so no public CA will sign for it; that is just the way the internet works. By default, Appwrite issues a self-signed certificate that is good enough for development.
When using a self-signed certificate, call the `client.setSelfSigned()` method in your SDK of choice. This allows your application to trust and connect to your local Appwrite server. Keep this setting to development builds; clients talking to a production instance should verify its certificate normally.
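As an added example that is not part of Appwrite's own code or docs, the checker below encodes the issuance conditions listed above (public domain, `_APP_ENV`, security email, port 443) and the localhost fallback described in this section. It reads a constructed sample `.env`; the function and variable names other than the two `_APP_*` keys are the example's own, and it performs no network checks.

```python
import ipaddress
import re
# Placeholder address shipped with the default setup, as the docs above state.
DEFAULT_SECURITY_EMAIL = "firstname.lastname@example.org"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
# Constructed sample .env for illustration, not taken from a real deployment.
SAMPLE_ENV = "_APP_ENV=development\n_APP_SYSTEM_SECURITY_EMAIL_ADDRESS=firstname.lastname@example.org\n"


def parse_env(text):
    """Parse KEY=VALUE lines from an Appwrite-style .env, skipping comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("\"'")
    return env


def is_public_hostname(host):
    """A DNS name with an alphabetic TLD; localhost and IP literals do not qualify."""
    host = host.lower().rstrip(".")
    if host in ("localhost", "localhost.localdomain"):
        return False
    try:
        ipaddress.ip_address(host)  # an IP literal cannot get a Let's Encrypt cert here
        return False
    except ValueError:
        labels = host.split(".")
        return len(labels) >= 2 and all(labels) and labels[-1].isalpha()


def check_certificate_preconditions(env, host, https_port=443):
    """Return {'blocking': [...], 'warnings': [...]} for Let's Encrypt issuance."""
    if host.lower() in ("localhost", "localhost.localdomain"):
        # No public CA issues for localhost; Appwrite falls back to self-signed.
        return {"blocking": ["localhost: rely on the self-signed certificate and "
                             "enable client.setSelfSigned() in the SDK"], "warnings": []}
    blocking, warnings = [], []
    if not is_public_hostname(host):
        blocking.append("host must be a public DNS name with a known TLD")
    if env.get("_APP_ENV") != "production":
        blocking.append("_APP_ENV must be set to production")
    email = env.get("_APP_SYSTEM_SECURITY_EMAIL_ADDRESS", "")
    if not EMAIL_RE.match(email):
        blocking.append("_APP_SYSTEM_SECURITY_EMAIL_ADDRESS is not a valid address")
    elif email == DEFAULT_SECURITY_EMAIL:
        warnings.append("security email is still the shipped default; set your own")
    if https_port != 443:  # HTTP-01 runs on port 80 and issues for port 443 only
        blocking.append("non-443 HTTPS port: use a sub-domain, your own certificate "
                        "or a reverse proxy in front of Appwrite")
    return {"blocking": blocking, "warnings": warnings}
```

Run `check_certificate_preconditions(parse_env(SAMPLE_ENV), "api.example.com")` to see the sample flagged for `_APP_ENV` and warned about the default email; anything listed under `blocking` is worth fixing before reading the certificates worker log.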