SSL/TLS Certificate Management
Strengthen security through automated certificate management.
Let's Encrypt Automation
Automatic Issuance
- ACME v2 protocol support
- Wildcard certificate issuance via DNS-01 challenge
- Multi-domain (SAN) certificate support
Automatic Renewal
- Renewal timing: Automatic renewal 30 days before expiration
- Check interval: Expiration checked every 6 hours
- Renewal history: All renewal attempts are recorded
Staging Mode
Provides a test environment to avoid Let's Encrypt rate limits.
# .env configuration
ACME_STAGING=true # Staging (test)
ACME_STAGING=false # Production
DNS Provider Support
A variety of DNS providers are supported for the DNS-01 challenge.
Supported Providers
| Provider | Configuration Fields |
|---|---|
| Cloudflare | API Token (recommended) or Global API Key + Email, Zone ID (optional) |
| Route53 (AWS) | Access Key ID, Secret Access Key, Region (optional), Hosted Zone ID (optional) |
| DuckDNS | Token |
| Dynu | API Key |
| Manual | No credentials required (add the TXT record manually) |
Note: These five are the DNS-01 providers actually selectable in the NPG UI. NPG uses go-acme/lego under the hood, and lego itself supports dozens of DNS providers, but NPG currently exposes only Cloudflare, Route53, DuckDNS, Dynu, and Manual.
Provider Configuration
- Create a DNS provider
- Enter API credentials
- Test the credentials
- Set as default provider (optional)
Credential Testing
Test the connection before saving the provider to confirm the configuration is correct.
Custom Certificates
Certificate Upload
You can upload and use an existing certificate.
- Certificate (cert.pem): Server certificate
- Private Key (key.pem): Private key file
- Chain Certificate (chain.pem): Intermediate certificate (optional)
Self-Signed Certificates
Generate a self-signed certificate for test environments.
- Specify the domain
- Set the validity period
- Generate instantly
HTTP/3 (QUIC) Support
Protocol Support
| Protocol | Status | Features |
|---|---|---|
| HTTP/1.1 | Supported | Baseline compatibility |
| HTTP/2 | Enabled by default | Multiplexing, header compression |
| HTTP/3 | Supported | UDP-based, fast connections |
HTTP/3 Configuration
HTTP/3 uses UDP port 443.
# docker-compose.yml
ports:
- "443:443/tcp" # HTTP/1.1, HTTP/2
- "443:443/udp" # HTTP/3 (QUIC)
Certificate Monitoring
Expiration Checks
- View certificates expiring within 30 days
- Dashboard notifications
- Email notifications (when configured)
Certificate Status
| Status | Description |
|---|---|
| Valid | Operating normally |
| Expiring Soon | Expires within 30 days |
| Expired | Certificate has expired |
| Renewal Failed | Automatic renewal failed |
Renewal History
All certificate issuance and renewal history is recorded.
- Issuance/renewal time
- Success/failure status
- Error message (on failure)
TLS Security Settings
Protocol Versions
- Only TLS 1.2 and higher allowed
- TLS 1.0/1.1 disabled (security vulnerabilities)
Cipher Suites
Only strong encryption algorithms are allowed.
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
OCSP Stapling
- Optimizes certificate status checks
- Reduces client latency
- Enabled by default
HSTS (HTTP Strict Transport Security)
Enforces the use of HTTPS.
| Setting | Description |
|---|---|
| max-age | HSTS validity period (seconds) |
| includeSubDomains | Include subdomains |
| preload | Register on the HSTS Preload List |
Post-Quantum TLS
NPG supports hybrid key exchange to protect against future quantum-computer attacks. It combines a classical (elliptic-curve) key exchange with a post-quantum algorithm (ML-KEM), defending against "harvest now, decrypt later" attacks where traffic captured today is decrypted with a quantum computer in the future.
How It Works
NPG includes X25519MLKEM768 in the ssl_ecdh_curve setting by default. Because this is a hybrid (X25519 + ML-KEM-768) construction, classical clients that do not support ML-KEM automatically negotiate a classical curve such as X25519 and still connect normally.
ssl_ecdh_curve X25519MLKEM768:X25519:secp256r1:secp384r1;
How to Enable
You can adjust the value in the ECDH Curve field of the global SSL settings. The default is:
X25519MLKEM768:X25519:secp256r1:secp384r1
Curves earlier in the list are preferred during negotiation, so keeping X25519MLKEM768 first means supported clients use the post-quantum hybrid key exchange.
Requirements
| Item | Requirement |
|---|---|
| Server | OpenSSL 3.5 or later (bundled with the NPG build) |
| Client | A modern browser/client that supports ML-KEM hybrid key exchange |
| Unsupported clients | Automatically fall back to a classical curve (connection preserved) |
Note: Because the exchange is hybrid, clients without post-quantum support continue to work. There is no need to disable it — keeping the default is recommended.
Troubleshooting
Certificate Issuance Failure
-
Check DNS settings
- Verify the domain points to the server IP
- Wait for DNS propagation (up to 48 hours)
-
Check DNS provider credentials
- Verify API token permissions
- Zone edit permission is required
-
Check rate limits
- Check whether the Let's Encrypt rate limit has been reached
- Test with staging mode first
-
Check logs
docker logs npg-api | grep -i cert
Renewal Failure
- Check the DNS provider connection status
- Check whether the API token has expired
- Verify domain ownership
SSL Errors
- ERR_CERT_INVALID: Check certificate validity
- ERR_SSL_VERSION_OR_CIPHER_MISMATCH: Check TLS settings
- ERR_CERT_DATE_INVALID: Check certificate expiration