Skip to main content


  • Environmental Variable: AUTOCERT
  • Config File Key: autocert
  • Type: bool
  • Optional

Turning on autocert allows Pomerium to automatically retrieve, manage, and renew public facing TLS certificates from Let's Encrypt which includes managed routes and the authenticate service. Autocert Directory must be used with Autocert must have a place to persist, and share certificate data between services. Note that autocert also provides OCSP stapling.

This setting can be useful in situations where you may not have Pomerium behind a TLS terminating ingress or proxy that is already handling your public certificates on your behalf.


By using autocert, you agree to the Let's Encrypt Subscriber Agreement. There are strict usage limits per domain you should be aware of. Consider testing with autocert_use_staging first.


Autocert requires that ports 80/443 be accessible from the internet in order to complete a TLS-ALPN-01 challenge.