How it works
By default, atomic init obtains a TLS certificate from Let’s Encrypt using the HTTP-01 challenge. The only requirement is that ports 80 and 443 are reachable from the internet.
The certificate renews automatically. Atomic watches the cert files and hot-reloads when they change.
Requirements
- Port 80 open (for HTTP-01 challenge)
- Port 443 open (for HTTPS)
- Domain A record pointing to the server’s public IP
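A preflight check for the A-record requirement above, written as an added example that is not part of Atomic or its documentation. It compares the addresses a domain resolves to against the server's public IP before `atomic init` is run; the function names and the list of unroutable ranges are assumptions made for this example.

```python
import ipaddress
import socket
import sys

# Ranges a public ACME validation server cannot reach (assumed list for this example).
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private space
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
)]

def resolve_a(domain):
    """Return the IPv4 addresses the domain resolves to (needs network).

    Uses the system resolver, so an /etc/hosts entry can mask what public
    DNS actually returns; run this from the server without such overrides.
    """
    infos = socket.getaddrinfo(domain, 80, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def check_a_records(domain, server_ip, resolved):
    """Return a list of problems that would make the HTTP-01 challenge fail."""
    server = ipaddress.ip_address(server_ip)
    addrs = {ipaddress.ip_address(a) for a in resolved}
    if not addrs:
        return [f"{domain}: no A record found"]
    problems = []
    if any(server in net for net in UNROUTABLE):
        problems.append(f"{server} is not a public address; the CA cannot reach it")
    if server not in addrs:
        found = ", ".join(str(a) for a in sorted(addrs))
        problems.append(f"{domain} resolves to {found}, not {server}")
    elif len(addrs) > 1:
        stray = ", ".join(str(a) for a in sorted(addrs - {server}))
        problems.append(f"{domain} also resolves to {stray}; validation may reach another host")
    return problems

if __name__ == "__main__":
    # Usage: python preflight.py agent.example.com <server public IP>
    domain, server_ip = sys.argv[1], sys.argv[2]
    issues = check_a_records(domain, server_ip, resolve_a(domain))
    print("\n".join(issues) or "A record OK")
    sys.exit(1 if issues else 0)
```

This covers only the DNS requirement. Whether ports 80 and 443 are reachable from the internet has to be tested from a host outside the network.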
TLS modes
# Auto (default) -- Let's Encrypt via acme.sh
atomic init --domain agent.example.com
# BYO cert
atomic init --domain agent.example.com \
--tls-cert /path/to/cert.pem \
--tls-key /path/to/key.pem
# No TLS (dev only)
atomic init --domain localhost --no-tls
Certificate location
Auto-TLS certificates are stored in ~/.atomic/tls/. The server checks for updated certs every 12 hours and reloads without downtime.