# TLS & ACME

Fluxheim can serve TLS with static certificates or manage ACME certificates for you.

## Managed certificates

```toml
[[vhosts]]
name = "site"
hosts = ["example.com"]

[vhosts.tls]
acme = true
email = "admin@example.com"
storage = "/var/lib/fluxheim/acme"
```
## TLS choices

| Choice | Use it when |
|---|---|
| `rustls` | You want the normal memory-safe TLS path. |
| `openssl` | You need an OpenSSL provider boundary. |
| `modern` | Only modern TLS clients must connect. |
| `intermediate` | You want the default production compatibility profile. |
| `compat` | You must keep TLS 1.2 compatibility explicit. |
## Static certificate example

```toml
[server]
tls_listen = ["0.0.0.0:8443"]

[[vhosts]]
name = "site"
hosts = ["example.com"]

[vhosts.tls]
cert_path = "/etc/fluxheim/tls/fullchain.pem"
key_path = "/etc/fluxheim/tls/privkey.pem"
```
## Before enabling ACME

- Make sure public DNS points to this server.
- Allow HTTP-01 or TLS-ALPN-01 challenge traffic.
- Mount ACME state as persistent writable storage.
- Use externally issued certificates for strict FIPS or ISO-required boundaries.