Generate Let's Encrypt Certificates
Secure your custom domains with free TLS certificates from Let's Encrypt.
When to use this: Manual certificate generation is only needed for TLS tunnels. HTTP tunnels automatically generate and renew certificates for you.
Docker Users: You must expose port 54538, and you should mount a volume to persist certificates. Without persistence, you'll hit Let's Encrypt's rate limit (5 certificates per domain per week) after just 5 container restarts. See our Docker documentation for complete setup.
Prerequisites
Before generating a certificate, ensure you have:
- A paid LocalXpose subscription (opens in a new tab)
- A custom domain reserved with LocalXpose (see custom domain setup)
- Port 54538 available for the HTTP-01 challenge
- Write access to store the generated certificate files
Generate the Certificate
Standard Installation
loclx domain letsencrypt --domain yourdomain.example.com
This command will:
- Request a certificate from Let's Encrypt
- Complete the HTTP-01 challenge on port 54538
- Save the certificate and key files to your LocalXpose configuration directory
Docker Installation
# Mount a volume for persistence and expose the challenge port
docker run -v $(pwd)/lx-data:/home/nonroot/.localxpose \
-p 54538:54538 \
-e LX_ACCESS_TOKEN \
localxpose/localxpose:latest \
domain letsencrypt --domain yourdomain.example.com
Use the Certificate
Once generated, start a TLS tunnel with your certificate:
loclx tunnel tls \
--reserved-domain yourdomain.example.com \
--crt ~/.localxpose/yourdomain.example.com-cert.pem \
--key ~/.localxpose/yourdomain.example.com-key.pem \
--to localhost:443
Certificate Location:
Certificates are saved in your LocalXpose configuration directory:
- Certificate:
~/.localxpose/[domain]-cert.pem
- Private Key:
~/.localxpose/[domain]-key.pem
Certificate Management
Renewal
Let's Encrypt certificates are valid for 90 days. To renew, you can remove/rename any existing certs in ~/.localxpose
and then simply run the same command again:
loclx domain letsencrypt --domain yourdomain.example.com
Rate Limits
Be aware of Let's Encrypt rate limits:
- 5 certificates per unique domain per 7 days
- 34-hour wait between additional certificate requests after hitting the limit
- Test with non-production subdomains to avoid exhausting your quota
Verification
Your tunnel is now secured with a valid TLS certificate. Users can access your service via HTTPS with full browser trust.
Related Documentation
Need help with certificates?
Our support team can assist with TLS passthrough, certificate errors, and advanced configurations.
Contact us at hello@localxpose.io, and check our troubleshooting guide.
Note: Custom domains and TLS tunnels require a paid LocalXpose subscription.
Connect any device • Cancel any time