Generate Let's Encrypt Certificates

Secure your custom domains with free TLS certificates from Let's Encrypt.

When to use this: Manual certificate generation is only needed for TLS tunnels. HTTP tunnels automatically generate and renew certificates for you.

⚠️

Docker Users: You must expose port 54538, and you should mount a volume to persist certificates. Without persistence, you'll hit Let's Encrypt's rate limit (5 certificates per domain per week) after just 5 container restarts. See our Docker documentation for complete setup.

Prerequisites

Before generating a certificate, ensure you have:

Generate the Certificate

Standard Installation

loclx domain letsencrypt --domain yourdomain.example.com

This command will:

  1. Request a certificate from Let's Encrypt
  2. Complete the HTTP-01 challenge on port 54538
  3. Save the certificate and key files to your LocalXpose configuration directory

Docker Installation

# Mount a volume for persistence and expose the challenge port
docker run -v "$(pwd)/lx-data:/home/nonroot/.localxpose" \
    -p 54538:54538 \
    -e LX_ACCESS_TOKEN \
    localxpose/localxpose:latest \
    domain letsencrypt --domain yourdomain.example.com

Use the Certificate

Once generated, start a TLS tunnel with your certificate:

loclx tunnel tls \
    --reserved-domain yourdomain.example.com \
    --crt ~/.localxpose/yourdomain.example.com-cert.pem \
    --key ~/.localxpose/yourdomain.example.com-key.pem \
    --to localhost:443

Certificate Location:

Certificates are saved in your LocalXpose configuration directory:

  • Certificate: ~/.localxpose/[domain]-cert.pem
  • Private Key: ~/.localxpose/[domain]-key.pem

Certificate Management

Renewal

Let's Encrypt certificates are valid for 90 days. To renew, remove or rename the existing certificate and key files in ~/.localxpose, then run the same command again:

loclx domain letsencrypt --domain yourdomain.example.com

Rate Limits

Be aware of Let's Encrypt rate limits:

  • 5 certificates per unique domain per 7 days
  • 34-hour wait between additional certificate requests after hitting the limit
  • Test with non-production subdomains to avoid exhausting your quota
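
An added example (not LocalXpose's own code) that automates the renewal step while staying inside the rate limits: it re-runs the command from this page only when the certificate is close to expiry, and puts the old files back if the request fails. The 30-day threshold, the LX_DIR and RENEW_DAYS variables, the function names and the script name are assumptions, and openssl must be installed.

```shell
#!/bin/sh
# Added example, not LocalXpose code. Assumed names: LX_DIR, RENEW_DAYS, function names.
LX_DIR="${LX_DIR:-$HOME/.localxpose}"   # certificate directory from the page
RENEW_DAYS="${RENEW_DAYS:-30}"          # assumed threshold; certificates last 90 days

# Succeeds (0) when the certificate is missing, unreadable, or expires within $2 days.
cert_due() {
    [ -r "$1" ] || return 0
    # openssl -checkend exits 0 only if the certificate is still valid N seconds from now
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Rename the current cert/key pair, as the page's renewal step requires.
set_aside() {
    STAMP=$(date +%Y%m%d%H%M%S)
    for f in "$LX_DIR/$1-cert.pem" "$LX_DIR/$1-key.pem"; do
        if [ -e "$f" ]; then mv "$f" "$f.$STAMP.bak"; fi
    done
}

# Put the renamed pair back so a failed request does not leave the tunnel without a certificate.
restore() {
    for f in "$LX_DIR/$1-cert.pem" "$LX_DIR/$1-key.pem"; do
        if [ -e "$f.$STAMP.bak" ]; then mv "$f.$STAMP.bak" "$f"; fi
    done
}

renew_if_due() {
    domain=$1
    if ! cert_due "$LX_DIR/$domain-cert.pem" "$RENEW_DAYS"; then
        echo "$domain: more than $RENEW_DAYS days left, not requesting a certificate"
        return 0
    fi
    set_aside "$domain"
    if ! loclx domain letsencrypt --domain "$domain"; then
        restore "$domain"
        echo "$domain: request failed, previous certificate restored" >&2
        return 1
    fi
}

# Run as: ./renew.sh yourdomain.example.com (hypothetical script name, e.g. from a daily cron job)
if [ "$#" -gt 0 ]; then renew_if_due "$1"; fi
```

The .bak files include the previous private key, so delete them once the new certificate is confirmed working.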

Verification

Your tunnel is now secured with a valid TLS certificate. Users can access your service via HTTPS with full browser trust.

Let's Encrypt Certificate in Browser via LocalXpose

Need help with certificates?

Our support team can assist with TLS passthrough, certificate errors, and advanced configurations.

Contact us at hello@localxpose.io, and check our troubleshooting guide.

Note: Custom domains and TLS tunnels require a paid LocalXpose subscription.
