TLS & Certificates
NullBore supports automatic TLS via Let's Encrypt (ACME) — no manual certificate management needed.
Automatic TLS
Start the server with --tls-domain and certificates are provisioned automatically:
./nullbore-server \
--port 443 \
--tls-domain tunnel.yourdomain.com \
--tls-email admin@yourdomain.com \
--tls-cache /etc/nullbore/certs
On first request, NullBore:
- Requests a certificate from Let's Encrypt
- Completes the HTTP-01 challenge (port 80 must be reachable)
- Caches the certificate in the --tls-cache directory
- Auto-renews before expiry
Per-subdomain certificates
When --base-domain is set, NullBore provisions individual certificates for each tunnel subdomain:
tunnel.yourdomain.com → cert provisioned on startup
myapp.tunnel.yourdomain.com → cert provisioned on first request
This uses HTTP-01 challenges, so each subdomain must resolve to your server's IP (wildcard DNS record).
Port 80
Let's Encrypt HTTP-01 challenges require port 80. NullBore automatically listens on port 80 for ACME challenges and redirects all other HTTP traffic to HTTPS.
Make sure your firewall allows ports 80 and 443:
ufw allow 80
ufw allow 443
Manual certificates
If you prefer to manage certificates yourself (e.g., behind a reverse proxy):
# Run without TLS, behind nginx/caddy
./nullbore-server --port 8080 --api-keys "$API_KEY"
Then configure your reverse proxy to handle TLS and forward to port 8080.
Certificate cache
Certificates are cached in the --tls-cache directory (default: ./certs). Back this directory up — losing it means re-provisioning all certificates, which is subject to Let's Encrypt rate limits.
Rate limits
Let's Encrypt has rate limits:
- 50 certificates per registered domain per week
- 5 duplicate certificates per week
For most deployments this is not an issue. If you expect hundreds of subdomains, consider using a wildcard certificate with DNS-01 challenges (requires DNS API access).
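The checks above (every subdomain must resolve to the server for HTTP-01, the cache should hold a renewed certificate, and issuance counts against the weekly limit) can be scripted. The following is an added example, not part of NullBore; SERVER_IP, the probe hostname and the timestamps in it are constructed sample values.

```python
"""Pre-flight checks for NullBore automatic TLS (added example, not NullBore's own code)."""
from __future__ import annotations
import socket
import ssl
import time

SERVER_IP = "203.0.113.10"             # constructed: the host running nullbore-server
BASE_DOMAIN = "tunnel.yourdomain.com"  # the --tls-domain from the docs example
PROBE = "acme-probe." + BASE_DOMAIN    # constructed name under the wildcard record

def days_until_expiry(not_after: str, now: float | None = None) -> int:
    """Days left on a certificate, given the notAfter string ssl.getpeercert()
    returns, e.g. 'Jun  1 12:00:00 2026 GMT'. NullBore auto-renews, so a low
    value on a live server means renewal (and probably port 80) is broken."""
    expiry = ssl.cert_time_to_seconds(not_after)
    return int((expiry - (now if now is not None else time.time())) // 86400)

def names_not_pointing_here(resolved: dict[str, set[str]], expected_ip: str) -> list[str]:
    """Names whose A records omit expected_ip; HTTP-01 for those names will fail."""
    return sorted(name for name, ips in resolved.items() if expected_ip not in ips)

def rate_limit_headroom(issued_at: list[float], now: float, limit: int = 50) -> int:
    """Certificates still issuable this week under the 50-per-registered-domain
    limit, given epoch timestamps of certificates already obtained."""
    recent = sum(1 for t in issued_at if now - 7 * 86400 < t <= now)
    return max(limit - recent, 0)

def resolve_ipv4(name: str) -> set[str]:
    """All IPv4 addresses the name currently resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(name, 443, socket.AF_INET)}

def served_cert_days_left(host: str, port: int = 443) -> int:
    """Connect to the live server and report the remaining lifetime of its certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return days_until_expiry(tls.getpeercert()["notAfter"])

if __name__ == "__main__":
    resolved = {n: resolve_ipv4(n) for n in (BASE_DOMAIN, PROBE)}
    for bad in names_not_pointing_here(resolved, SERVER_IP):
        print(f"WARN {bad} resolves to {resolved[bad]}, not {SERVER_IP}: HTTP-01 will fail")
    left = served_cert_days_left(BASE_DOMAIN)
    print(f"{BASE_DOMAIN}: {left} days left" + (" (renewal overdue?)" if left < 30 else ""))
```

Run it from a host outside your network so the DNS and TLS checks see what Let's Encrypt sees.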