ConfigClarity

Free browser-based DevOps audit tools — no signup, nothing leaves your browser

SSL on Hetzner Cloud

Let's Encrypt with nginx, Traefik, or Caddy — complete setup guide

Prerequisites — Hetzner firewall rules

The Let's Encrypt HTTP-01 challenge requires port 80 to be reachable from the internet. Make sure your Hetzner Cloud Firewall allows inbound TCP 80 and 443.

Hetzner Cloud Console → Firewall → Inbound rules:
  TCP  22   → Your IP only (SSH)
  TCP  80   → Any (Let's Encrypt challenge + HTTP redirect)
  TCP  443  → Any (HTTPS)

Option 1 — nginx + Certbot

sudo apt update && sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d yourdomain.com
# Auto-renewal timer is installed automatically

Option 2 — Traefik (recommended for Docker)

services:
  traefik:
    image: traefik:v3
    command:
      - "--providers.docker=true"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.le.acme.email=you@example.com"
      - "--certificatesresolvers.le.acme.storage=/acme/acme.json"
      - "--certificatesresolvers.le.acme.httpchallenge.entrypoint=web"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./acme:/acme"

Option 3 — Caddy (simplest)

# Caddyfile
yourdomain.com {
    reverse_proxy app:3000
    # SSL is automatic — Caddy handles Let's Encrypt
}

Monitor SSL expiry across all your Hetzner domains

Paste your domain list and get expiry dates, CDN detection, and 200-day validity flags at a glance.


Frequently Asked Questions

Does Hetzner offer managed SSL certificates?

Hetzner's Load Balancer includes managed SSL certificates. For individual servers, use Certbot, Traefik, or Caddy with Let's Encrypt. All are free and automatically renew.

What is the 200-day SSL certificate limit?

Apple and the CA/Browser Forum are phasing in shorter certificate validity. Let's Encrypt certificates are 90 days — well under the 200-day threshold. Commercial certificate authorities (DigiCert, Sectigo) still issue 1-year certificates that exceed the new limit.
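
An added example (not from the original page and not ConfigClarity's own tool): a Python check that reports days until expiry and flags any certificate whose validity period exceeds the 200-day threshold discussed above. The two sample certificate dicts are constructed, and the function names and the 30-day renewal warning window are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

MAX_VALIDITY_DAYS = 200  # threshold named on this page
RENEW_WARN_DAYS = 30     # assumption: alert window, not from the page

def _parse(cert_time):
    """Convert an OpenSSL-style time string ('Jan  1 00:00:00 2025 GMT') to UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)

def audit_cert(cert, now=None):
    """Assess a dict in the shape returned by SSLSocket.getpeercert()."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = _parse(cert["notBefore"]), _parse(cert["notAfter"])
    expired = now >= not_after
    days_left = (not_after - now).days
    validity_days = (not_after - not_before).days
    return {
        "days_left": days_left,
        "validity_days": validity_days,
        "expired": expired,
        "renew_soon": not expired and days_left < RENEW_WARN_DAYS,
        "over_200_days": validity_days > MAX_VALIDITY_DAYS,
    }

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate over a verified TLS connection."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def audit_host(host):
    """Audit a live host; an already-expired cert surfaces as a verification error."""
    try:
        return audit_cert(fetch_cert(host))
    except ssl.SSLCertVerificationError as exc:
        return {"error": f"verification failed: {exc.verify_message}"}
    except OSError as exc:
        return {"error": f"connection failed: {exc}"}

# Constructed samples: a 90-day and a 1-year certificate (no network needed).
SAMPLE_90_DAY = {"notBefore": "Jan  1 00:00:00 2025 GMT", "notAfter": "Apr  1 00:00:00 2025 GMT"}
SAMPLE_1_YEAR = {"notBefore": "Jan  1 00:00:00 2025 GMT", "notAfter": "Jan  1 00:00:00 2026 GMT"}

if __name__ == "__main__":
    when = datetime(2025, 3, 15, tzinfo=timezone.utc)  # fixed clock for the samples
    for name, cert in (("90-day", SAMPLE_90_DAY), ("1-year", SAMPLE_1_YEAR)):
        print(name, audit_cert(cert, now=when))
```

To audit real domains, call `audit_host("yourdomain.com")` for each entry in your list from a machine with outbound access to port 443.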