Back to Rivet

TLS & Certificates

website/src/content/docs/self-hosting/tls.mdx

2.3.2744 B
Original Source

Public CAs (Let's Encrypt, AWS ACM, and so on) work out of the box. You only need to read this page if you're running behind a corporate or private CA.

Rivet reads the operating system trust store (/etc/ssl/certs on Linux, Keychain on macOS, Schannel on Windows) for all outbound HTTPS. Operator-installed corporate CAs live there and are honored automatically.

To trust a private CA inside the official rivetdev/engine image, extend it the standard Debian way:

dockerfile
FROM rivetdev/engine:latest
COPY my-corp-ca.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates

Rebuild and redeploy. The same approach works for any machine running a Rivet client: install the CA into the OS trust store and Rivet picks it up.