
TLS Options

Finch uses Traefik as its reverse proxy and TLS termination point. Three TLS modes are available, selected at deploy time.


Self-signed (default)

No additional flags are needed. Traefik generates a self-signed certificate automatically on first start.

finchctl service deploy \
  --service.host finch.example.com \
  root@10.19.80.100

This is the quickest way to get started, but browsers and tools will show a certificate warning because the certificate is not issued by a trusted authority.

For finchctl to connect to a self-signed stack without errors, pass --tls.skip-verify, which disables certificate verification for that invocation:

finchctl --tls.skip-verify service info finch.example.com

Tip

Self-signed is fine for internal deployments or initial evaluation. Switch to Let's Encrypt or a custom certificate when the stack is externally accessible.


Let's Encrypt

Traefik obtains and automatically renews a certificate from Let's Encrypt using the HTTP-01 ACME challenge.

finchctl service deploy \
  --service.letsencrypt \
  --service.letsencrypt.email admin@example.com \
  root@finch.example.com

Requirements:

  • Port 80 must be publicly reachable on the server (used for the ACME challenge).
  • The hostname passed to service deploy must resolve to the server's IP address in public DNS.
  • A valid email address is required for Let's Encrypt account registration and expiry notifications.
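The three requirements above can be checked before the deploy is run. The script below is an added example, not part of finchctl or Traefik; it assumes getent, bash and (optionally) timeout are available on the machine it runs from, and the host, IP and e-mail values are the placeholders used on this page.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for the Let's Encrypt prerequisites
# (public DNS, port 80, account e-mail). Not finchctl code; it only wraps
# getent, bash's /dev/tcp redirection and a regex, all assumed to exist locally.
set -u

# Resolve the IPv4 addresses HOST currently maps to, one per line.
# getent consults the local resolver, so run this from a machine that uses
# public DNS rather than one with a hosts-file override for the name.
resolve_a() {
  getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u
}

# Succeed only if HOST resolves to IP. HTTP-01 validation follows the public
# A record, so a mismatch means the challenge is answered by the wrong machine.
dns_points_to() {
  host=$1; ip=$2
  resolve_a "$host" | grep -qxF "$ip"
}

# Succeed if a TCP connection to HOST:PORT can be opened. This proves
# reachability from this machine only; Let's Encrypt validates from its own
# vantage points, so a firewall that admits you but not the internet still
# passes here.
port_open() {
  host=$1; port=$2
  if command -v timeout >/dev/null 2>&1; then
    timeout 5 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
  else
    bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
  fi
}

# Minimal shape check for the ACME account e-mail: one '@', a dotted domain,
# no whitespace. It catches typos, not whether the mailbox exists.
valid_email() {
  printf '%s' "$1" | grep -Eq '^[^[:space:]@]+@[^[:space:]@]+\.[^[:space:]@]+$'
}

# Run all checks for HOST, IP and EMAIL; print one line per check and
# return 0 only if every check passed.
letsencrypt_preflight() {
  host=$1; ip=$2; email=$3; rc=0
  if dns_points_to "$host" "$ip"; then echo "ok   DNS: $host -> $ip"
  else echo "FAIL DNS: $host does not resolve to $ip"; rc=1; fi
  if port_open "$host" 80; then echo "ok   port 80 reachable on $host"
  else echo "FAIL port 80 not reachable on $host"; rc=1; fi
  if valid_email "$email"; then echo "ok   e-mail: $email"
  else echo "FAIL e-mail looks malformed: $email"; rc=1; fi
  return $rc
}

# Usage with this page's placeholder values; deploy only if all checks pass:
#   letsencrypt_preflight finch.example.com 10.19.80.100 admin@example.com \
#     && finchctl service deploy --service.letsencrypt \
#          --service.letsencrypt.email admin@example.com root@finch.example.com
```

The port check is deliberately separate from the DNS check: a name that resolves correctly but whose port 80 is filtered fails the challenge just as surely, and the two are fixed in different places (DNS zone versus host or cloud firewall).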

Certificate renewal is handled automatically by Traefik. No manual rotation or service update is needed.


Custom certificate

Provide your own certificate and private key files. They are copied to the server's Traefik configuration directory.

finchctl service deploy \
  --service.customtls \
  --service.customtls.cert /path/to/cert.pem \
  --service.customtls.key  /path/to/key.pem \
  root@finch.example.com

Both files must be PEM-encoded. The certificate file may contain the full chain (server certificate + intermediate CAs).

Updating a custom certificate

When a custom certificate expires or is renewed, use service update to push the new files:

finchctl service update \
  --service.customtls \
  --service.customtls.cert /path/to/new-cert.pem \
  --service.customtls.key  /path/to/new-key.pem \
  root@finch.example.com
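Both the deploy and the update command copy the two files to the server exactly as given, so a quick check of their contents before running either command avoids a broken Traefik configuration. The script below is an added example, not part of finchctl; it takes the two file paths as arguments and uses openssl only in its last function, if openssl is installed.

```shell
#!/usr/bin/env bash
# Added example: sanity checks on the PEM files passed to
# --service.customtls.cert and --service.customtls.key (deploy or update).
# Not finchctl code. Only check_key_matches_cert needs openssl.
set -u

# Number of CERTIFICATE blocks in FILE: 1 is a bare leaf, 2 or more is the
# leaf followed by intermediates (the full chain the page allows).
cert_count() {
  [ -f "$1" ] || { echo 0; return; }
  grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Number of private-key blocks in FILE (PKCS#8, legacy RSA/EC, or encrypted).
key_count() {
  [ -f "$1" ] || { echo 0; return; }
  grep -Ec '^-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----' "$1" || true
}

# Check the pair: the cert file must hold at least one certificate and no key
# (a key pasted into the chain file would be copied to the server alongside
# the chain); the key file exactly one key and no certificate; the key must
# not be passphrase-protected, since the deploy flags carry no passphrase.
# Prints findings; returns 0 only when every check passes.
check_custom_tls_files() {
  cert=$1; key=$2; rc=0
  ncert=$(cert_count "$cert"); nkey=$(key_count "$cert")
  if [ "$ncert" -ge 1 ] && [ "$nkey" -eq 0 ]; then
    echo "ok   $cert: $ncert certificate(s), no private key"
  else
    echo "FAIL $cert: $ncert certificate(s), $nkey private key(s); expected >=1 and 0"; rc=1
  fi
  ncert=$(cert_count "$key"); nkey=$(key_count "$key")
  if [ "$nkey" -eq 1 ] && [ "$ncert" -eq 0 ]; then
    echo "ok   $key: one private key, no certificate"
  else
    echo "FAIL $key: $nkey private key(s), $ncert certificate(s); expected 1 and 0"; rc=1
  fi
  if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$key" 2>/dev/null; then
    echo "FAIL $key: passphrase-protected key; no passphrase can be supplied at deploy time"; rc=1
  fi
  return $rc
}

# With openssl available: confirm the key matches the leaf certificate (the
# first block of the cert file) and warn if the leaf expires within 30 days.
# Returns 0 when the public keys match or when openssl is absent (skipped).
check_key_matches_cert() {
  cert=$1; key=$2
  command -v openssl >/dev/null 2>&1 || { echo "skip openssl not installed"; return 0; }
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
    echo "ok   key matches leaf certificate"
  else
    echo "FAIL key does not match leaf certificate"; return 1
  fi
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null \
    || echo "WARN leaf certificate expires within 30 days: $(openssl x509 -in "$cert" -noout -enddate)"
}

# Usage (placeholder paths from this page):
#   check_custom_tls_files /path/to/cert.pem /path/to/key.pem \
#     && check_key_matches_cert /path/to/cert.pem /path/to/key.pem \
#     && finchctl service deploy --service.customtls \
#          --service.customtls.cert /path/to/cert.pem \
#          --service.customtls.key /path/to/key.pem root@finch.example.com
```

The expiry warning is the one to wire into monitoring: unlike Let's Encrypt mode, nothing renews a custom certificate for you, so the service update command above has to be run before the date that -enddate prints.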

Comparison

                           Self-signed   Let's Encrypt   Custom
No extra flags             yes           -               -
Browser-trusted            -             yes             yes, if issued by a trusted CA
Auto-renews                n/a           yes             - (push new files with service update)
Public DNS required        -             yes             -
Port 80 required           -             yes             -
--tls.skip-verify needed   yes           -               -