Custom Certificate for SSL

When deploying Retool via docker-compose, we include an https-portal service in the docker-compose.yaml file to get SSL out of the box. This set up uses LetsEncrypt to automatically provision a certificate. If you're deploying Retool on a VPC that cannot access the public internet, LetsEncrypt won't be able to perform the challenge necessary to provision a certificate. In this case, you'll need to manually add your certificates.

Modify https-portal

Go into the docker-compose.yaml file and replace the https-portal service with the following:

  image: nginx:latest
    - '80:80'
    - '443:443'
  command: [nginx-debug, '-g', 'daemon off;'] # better error logging in container
    - ./nginx:/etc/nginx/conf.d
    - ./certs:/etc/nginx/certs
    - api
    - api
    - frontend-network

Mount certificates

In the previous step, we created two Docker volumes where nginx will look for the certs. Let's now create the directories that these volumes point to.

Inside of the retool-onpremise directory:

  1. Create certs directory (it may have already been created)
  2. Move your .crt and .key files into the certs directory

Configure nginx

We need a .conf file to configure nginx.

  1. Create nginx directory (it may have already been created)
  2. Inside of nginx directory, create a file called FILENAME.conf (it can be named anything ending in .conf)
  3. Add the following to FILENAME.conf:
server {
    listen 80;
    server_name; # <- Change this to your subdomain

    location / {
        return 301 https://$host$request_uri;
server {
    listen 443 ssl;
    server_name; # <- Change this to match server_name above
    ssl_certificate     /etc/nginx/certs/hatch.crt; # <- Change this to your .crt file name
    ssl_certificate_key /etc/nginx/certs/hatch.key; # <- Change this to your .key file name

    location / {
        proxy_pass http://api:3000;

Restart Containers

Run sudo docker-compose up -d


You can show the container logs by running

docker-compose exec https-portal bash
cd /var/log/nginx
cat error.log

Did this page help you?