Generate Let's Encrypt Certificates

Secure your custom domains with free TLS certificates from Let's Encrypt.

Prerequisites

Before generating a certificate, ensure you have:

• A paid LocalXpose subscription (opens in a new tab)
• A custom domain reserved with LocalXpose (see custom domain setup)
• Port 54538 available for the HTTP-01 challenge
• Write access to store the generated certificate files

Generate the Certificate

Standard Installation

loclx domain letsencrypt --domain yourdomain.example.com

This command will:

1. Request a certificate from Let's Encrypt
2. Complete the HTTP-01 challenge on port 54538
3. Save the certificate and key files to your LocalXpose configuration directory

Docker Installation

# Mount a volume for persistence and expose the challenge port
docker run -v $(pwd)/lx-data:/home/nonroot/.localxpose \
    -p 54538:54538 \
    -e LX_ACCESS_TOKEN \
    localxpose/localxpose:latest \
    domain letsencrypt --domain yourdomain.example.com

Use the Certificate

Once generated, start a TLS tunnel with your certificate:

loclx tunnel tls \
    --reserved-domain yourdomain.example.com \
    --crt ~/.localxpose/yourdomain.example.com-cert.pem \
    --key ~/.localxpose/yourdomain.example.com-key.pem \
    --to localhost:443

Certificate Management

Renewal

Let's Encrypt certificates are valid for 90 days. To renew, you can remove/rename any existing certs in ~/.localxpose and then simply run the same command again:

loclx domain letsencrypt --domain yourdomain.example.com

Rate Limits

Be aware of Let's Encrypt rate limits:

• 5 certificates per unique domain per 7 days
• 34-hour wait between additional certificate requests after hitting the limit
• Test with non-production subdomains to avoid exhausting your quota

Verification

Your tunnel is now secured with a valid TLS certificate. Users can access your service via HTTPS with full browser trust.

Related Documentation

• Using LocalXpose with Traefik
• Custom Domain Setup
• Common Errors