Use this guide if you want Infram itself to expose HTTPS. If TLS is terminated at a reverse proxy, keep Infram on HTTP and follow Reverse Proxy.
Infram starts an HTTPS listener automatically when these files exist:
- /app/data/certs/cert.pem (certificate chain)
- /app/data/certs/key.pem (private key)
When present, HTTP (SERVER_PORT, default 6989) and HTTPS (HTTPS_PORT, default 5878) can run in parallel.
```yaml
services:
  infram:
    image: swissmakers/infram:latest
    container_name: infram
    restart: always
    environment:
      ENCRYPTION_KEY: "<replace-with-generated-key>"
      HTTPS_PORT: "5878"
    ports:
      - "6989:6989"
      - "5878:5878"
    volumes:
      - ./data:/app/data
      # Certificate chain and private key are mounted read-only
      - ./certs/cert.pem:/app/data/certs/cert.pem:ro
      - ./certs/key.pem:/app/data/certs/key.pem:ro
```

```bash
# Issue a certificate with certbot (standalone mode), then copy chain and key into ./certs
sudo certbot certonly --standalone -d infram.example.com
install -m 644 /etc/letsencrypt/live/infram.example.com/fullchain.pem ./certs/cert.pem
install -m 600 /etc/letsencrypt/live/infram.example.com/privkey.pem ./certs/key.pem
```

```bash
# Generate a self-signed certificate with an unencrypted private key
openssl req -x509 -newkey rsa:4096 -sha256 -days 365 \
  -nodes \
  -keyout key.pem \
  -out cert.pem \
  -subj "/CN=infram.local"
```

Warning
Self-signed certificates are suitable only for development and isolated test environments.
- key.pem: readable only by the runtime account (recommended mode 600)
- cert.pem: world-readable is acceptable (644)
- Store cert material outside source control and managed backups where possible
- Renew certificate from your PKI provider.
- Replace cert.pem and key.pem.
- Restart or recreate container to reload TLS material.
- Validate expiration date and chain from a client endpoint.
- Open https://<host>:5878 (or configured HTTPS_PORT).
- Verify browser trust chain and certificate subject/SAN.
- Confirm login and interactive sessions operate correctly over TLS.
- HTTPS not starting: verify both cert.pem and key.pem exist in /app/data/certs.
- Invalid certificate in browser: ensure SAN/CN matches requested hostname.
- Permission denied: check private key ownership and mode on mounted file.
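
An added example, not part of Infram or its documentation: a shell pre-flight check to run on the host after replacing cert.pem and key.pem and before restarting the container. It covers the failure cases from the renewal and troubleshooting lists above (missing files, key mode, hostname mismatch) plus key/certificate pairing and upcoming expiry; the function name check_tls_material, its return codes and the 14-day default window are assumptions.

```shell
#!/bin/sh
# check_tls_material is a hypothetical helper, not an Infram command.
# Usage: check_tls_material <dir-with-cert.pem-and-key.pem> <hostname> [days]
# Return codes: 0 ok, 1 file missing, 2 key mode too open, 3 key/cert mismatch,
#               4 expires within the window, 5 hostname not covered by SAN/CN.
check_tls_material() {
    dir=$1 host=$2 days=${3:-14}
    cert="$dir/cert.pem" key="$dir/key.pem"

    # "HTTPS not starting": both files must exist and be non-empty.
    [ -s "$cert" ] && [ -s "$key" ] ||
        { echo "missing cert.pem or key.pem in $dir" >&2; return 1; }

    # The private key must not be readable by group or others (GNU stat, BSD fallback).
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case $mode in
        600|400) ;;
        *) echo "key.pem mode is $mode, expected 600" >&2; return 2 ;;
    esac

    # The leaf certificate (first in the chain) must carry the key's public half.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "key.pem does not match cert.pem (or a file is unparsable)" >&2; return 3; }

    # Fail if the leaf certificate expires within the renewal window.
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null ||
        { echo "certificate expires within $days days" >&2; return 4; }

    # "Invalid certificate in browser": the hostname must match SAN (or CN fallback).
    openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match' ||
        { echo "certificate does not cover $host" >&2; return 5; }

    echo "TLS material in $dir is valid for $host"
}
```

This validates only the files on disk; trust-chain validation from a client endpoint remains a separate step.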