TLS certificates

TLS is automatic. Every hostname managed.dev serves — your custom domains, your preview URLs, and every branch environment — gets a certificate that’s issued and renewed for you. There’s no certificate to upload, no cron job to renew it, and no window where the site falls back to plain HTTP. The first request after a domain is verified is already HTTPS.

When you attach and verify a custom domain, managed.dev requests a certificate for that hostname from a public ACME certificate authority, installs it on the runtime, and serves HTTPS. Renewal happens automatically well before expiry, so certificates never lapse. HTTP is redirected to HTTPS for you — see redirects — so visitors who type http:// land on the secure site.

This applies uniformly:

  • Production custom domains — example.com, www.example.com, and any other hostnames you attach.
  • Preview URLs — the *.preview.managed.dev address every site gets.
  • Branch environments — the per-node hostnames under <env>.<node-label>.<zone>.

Branch environments are ephemeral and plentiful. If every preview environment requested its own certificate from the ACME CA, a busy team pushing dozens of branches would burn through issuance quota and rate limits fast — and pay for it in slow first requests while each cert was minted.

Instead, managed.dev issues a per-node wildcard certificate that covers all environment hostnames on that node, using the DNS-01 ACME challenge. DNS-01 proves control of the domain by writing a temporary TXT record into the zone rather than serving a file over HTTP, and it is the only challenge type that can validate a wildcard. One wildcard per node covers every ephemeral environment that lands there, so spinning up a new preview environment is instant — the certificate already exists.

You don’t:

  • generate a CSR or private key,
  • buy, upload, or install a certificate,
  • track expiry dates or run a renewal job,
  • configure cipher suites, protocol versions, or OCSP stapling,
  • redirect HTTP to HTTPS by hand — it’s on by default.

The runtime (FrankenPHP / Caddy) terminates TLS with sane, modern defaults, and managed.dev keeps the certificates fresh underneath it.

For almost every site the automatic path is what you want: it’s one less secret to rotate and one less thing that can expire silently at 2am.