SEAGIT DOCS
Certificates & TLS
TLS & Certificates

HTTPS in minutes — automatic TLS for every app

Point a domain, deploy your app, and Seagit provisions and renews a trusted certificate for you. No cert files, no CSRs, no ARNs to copy. Public HTTPS is on by default.

Auto-issued & renewedLet’s Encrypt & AWS ACMWildcard support

Get to HTTPS in 3 steps

The happy path is fully automatic — most teams never touch a certificate setting.

1
Connect a domain
An AWS/Route 53 domain or a Seagit-managed subdomain.
2
Deploy & expose
Turn on public access — keep the default ingress or pick one.
3
HTTPS turns on
The cert is issued in the background and auto-renews before expiry.

How TLS works: nginx vs ALB

One choice drives everything — your ingress class. It decides where TLS terminates and which certificate authority issues the cert. Both paths are fully managed.

nginxthe default
Load balancerNLB (Layer 4)
Terminates TLSIn-cluster (NGINX)
Certificatecert-manager / Let’s Encrypt
Works onAny domain
albAWS Layer-7 features
Load balancerALB (Layer 7)
Terminates TLSAt the load balancer
CertificateAWS ACM (auto-discovered)
Works onAWS domains only
Why can’t ALB use cert-manager? An ALB is a Layer-7 proxy that always terminates TLS itself and can only present an ACM cert — it can’t pass encrypted traffic through for cert-manager to terminate (that’s an NLB’s job). So “a load balancer that exposes your app while cert-manager handles TLS” is the nginx path (via an NLB). Reach for alb only when you want the ALB’s Layer-7 features on an AWS domain.

What works & what you set

Every domain + ingress-class combination — and the one setting (if any) it needs. In practice: almost nothing.

DomainIngressWorks?TLS viaYou set
AWSyour Route 53 domainnginxYesLet’s EncryptNothing — DNS-01 issuer auto-provisioned
AWSalbYesAWS ACMNothing — ACM auto-discovered (ARN optional)
ManagedSeagit subdomainnginxYesLet’s EncryptNothing — fully managed wildcard
ManagedalbN/ANo ACM for a managed domain — use nginx

Rule of thumb: ACM ⇔ ALB ⇔ an AWS domain. cert-manager pairs with nginx and works everywhere.

Advanced: pin a specific ACM certificate

Auto-discovery matches your hostname against ACM certs — exact, wildcard (*.example.com), and Subject Alternative Names — so you rarely need this. Pin a certificate only to force a specific one (several match, prefer one over the wildcard, or a cross-account cert). Set the ACM Certificate ARN on the app’s network settings, or leave it blank for auto-discovery.

FAQ

Do certificates renew automatically?

Yes. cert-manager renews Let’s Encrypt certs before expiry, and AWS renews ACM certs. Nothing to rotate manually.

Can I use ALB and terminate TLS with cert-manager?

No — an ALB terminates TLS itself and can only use an ACM cert. Want cert-manager? Use nginx. Want ALB? Use an AWS domain so ACM is available.

Why can’t I pick ALB for a managed domain?

Managed (PowerDNS) domains aren’t AWS-backed, so there’s no ACM cert for the ALB to use. They use nginx + a managed wildcard instead.

Do I need to paste a certificate ARN for ALB?

No. The load balancer auto-discovers a matching ACM cert by hostname. The ARN field is optional, only for pinning.