SSL Certificates

Automatic HTTPS with Let's Encrypt SSL certificates for all projects and custom domains.

Overview

Every Knitt project gets automatic SSL/TLS certificates, ensuring all data is encrypted in transit. This applies to both default .knitt.app domains and custom domains.

SSL certificates are provided by Let's Encrypt, a free, automated, and open certificate authority. Certificates are automatically renewed before expiration, so you never have to worry about expired certificates.

How It Works

1. Automatic Provisioning

When you create a tenant or add a custom domain, Knitt automatically requests an SSL certificate from Let's Encrypt.

2. Domain Validation

Let's Encrypt verifies that you control the domain through DNS validation. This happens automatically using the DNS records you've configured.

3. Certificate Installation

Once validated, the SSL certificate is automatically installed and configured on Knitt's infrastructure. Your domain is now accessible via HTTPS.

4. Automatic Renewal

Certificates are automatically renewed 30 days before expiration. You don't need to do anything - it's completely automated.

Default Domains

All {tenant-id}.knitt.app domains have SSL enabled by default. These certificates are provisioned instantly when you create a tenant.

Always HTTPS

All HTTP requests are automatically redirected to HTTPS. There's no way to disable SSL.

Custom Domains

When you add a custom domain, SSL certificate provisioning happens automatically once DNS is verified. The process typically takes 1-2 minutes.

Provisioning Timeline

1. Add domain in dashboard: Instant
2. Update DNS records: User action required
3. DNS propagation: 5 minutes - 48 hours
4. SSL certificate provisioning: 1-2 minutes after DNS verification

Domain live with HTTPS

Certificate Details

Technical Specifications

Certificate Authority: Let's Encrypt (R3)
Validation Type: Domain Validation (DV)
Certificate Validity: 90 days
Renewal: Automatic (30 days before expiry)
TLS Version: TLS 1.2 and 1.3
Cipher Suites: Modern, secure ciphers only

Security Best Practices

HTTP Strict Transport Security (HSTS)

Enabled by default. Browsers will always use HTTPS for your domain, preventing downgrade attacks.

Perfect Forward Secrecy

All connections use ephemeral key exchange, so past communications remain secure even if the server's long-term private key is later compromised.

Modern Cipher Suites Only

Weak and outdated ciphers are disabled. Only secure, modern encryption algorithms are supported.

Troubleshooting

Certificate not provisioning

If your SSL certificate isn't provisioning automatically:

  • Verify DNS records are configured correctly
  • Wait for DNS propagation (can take up to 48 hours)
  • Check for CAA DNS records that might block Let's Encrypt
  • If using Cloudflare, temporarily disable the proxy (grey cloud)

Mixed content warnings

If you see mixed content warnings, ensure all resources (images, scripts, stylesheets) are loaded via HTTPS, not HTTP. Update any hardcoded HTTP URLs in your application.

Certificate expiration

Certificates are automatically renewed. If you receive an expiration warning, check the Knitt status page or contact support.

CAA Records

CAA (Certification Authority Authorization) DNS records specify which certificate authorities can issue certificates for your domain. If you have CAA records, you must authorize Let's Encrypt:

example.com.  CAA  0 issue "letsencrypt.org"
example.com.  CAA  0 issuewild "letsencrypt.org"

Last updated: February 7, 2026