Manage TLS certificates for all your nSelf domains. Production uses Let's Encrypt automatically. Development uses mkcert for trusted local HTTPS. All commands are idempotent — run them as many times as you like.
# Check certificate status for all domains
nself ssl status
# Set up SSL for the first time (production)
nself ssl setup
# Add a custom domain and get a cert immediately
nself ssl add api.mycompany.com

nself ssl status
nself ssl setup
nself ssl renew [DOMAIN]
nself ssl add <DOMAIN>

nSelf handles TLS automatically. In production, Certbot runs inside Nginx to obtain and renew Let's Encrypt certificates for every domain registered with nself ssl add. In development (NSELF_ENV=development), mkcert generates a locally-trusted CA and issues certificates for *.local.nself.org and your custom local domains.
The ssl setup command installs the mkcert CA into the system trust store on macOS. It checks whether the CA is already installed before prompting for admin credentials — running it multiple times on an already-configured machine is safe and produces no prompts.
Let's Encrypt certificates auto-renew 30 days before expiry via a cron job managed by nSelf. You do not need to run nself ssl renew manually in production.
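To catch a renewal cron that has silently stopped, the status table can be checked against a cutoff date a little inside the 30-day renewal window. This is an added example, not part of nSelf: `stale_certs`, `renewal_cutoff`, the 25-day margin and the staging row are assumptions, and it parses rows shaped like the `nself ssl status` sample on this page.

```shell
#!/bin/sh
# Added example, not nSelf code. Assumes `nself ssl status` prints rows shaped
# like the sample on this page: DOMAIN ISSUER EXPIRES(YYYY-MM-DD) STATUS.

# renewal_cutoff DAYS: today + DAYS as YYYY-MM-DD (GNU date, then BSD/macOS date).
renewal_cutoff() {
    date -d "+$1 days" +%F 2>/dev/null || date -v "+${1}d" +%F
}

# stale_certs CUTOFF: read status rows on stdin and print "domain expiry reason"
# for each cert that expires on or before CUTOFF, or whose STATUS is not "OK".
# Returns 1 if anything was flagged, 0 otherwise.
stale_certs() {
    awk -v cutoff="$1" '
        { sub(/^# */, "") }            # tolerate a leading "# " as in the docs
        $1 == "DOMAIN" { next }        # header row
        {
            d = 0                      # index of the EXPIRES column
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]$/) { d = i; break }
            if (!d) next               # not a certificate row
            # ISO dates sort lexicographically, so a string compare is enough.
            if (($d "") <= (cutoff "")) { print $1, $d, "inside-renewal-window"; bad = 1 }
            else if ($(d + 1) != "OK")  { print $1, $d, "status=" $(d + 1); bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: the first two rows copy the sample output on this page;
# the staging row is made up to show a cert that missed its renewal.
SAMPLE_STATUS="DOMAIN ISSUER EXPIRES STATUS
api.mycompany.com Let's Encrypt 2026-08-02 OK (renews in 87 days)
local.nself.org (dev) mkcert 2027-05-07 OK
staging.mycompany.com Let's Encrypt 2026-05-20 OK"

# The cutoff is fixed here so the demo is repeatable. Live use (25 days is an
# assumed margin inside the 30-day window):
#   nself ssl status | stale_certs "$(renewal_cutoff 25)"
printf '%s\n' "$SAMPLE_STATUS" | stale_certs 2026-06-01 || true
```

A non-zero return from `stale_certs` is the signal to alert on: with auto-renewal working, no production certificate should ever be that close to expiry.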
List all domains with their certificate expiry date, issuer, and renewal status.
nself ssl status
# DOMAIN                 ISSUER         EXPIRES     STATUS
# api.mycompany.com      Let's Encrypt  2026-08-02  OK (renews in 87 days)
# local.nself.org (dev)  mkcert         2027-05-07  OK

Run first-time SSL setup. In development this installs the mkcert root CA into the system keychain and issues dev certificates. In production it obtains Let's Encrypt certificates for all configured domains and sets up the renewal cron.
nself ssl setup

Admin prompt (macOS dev): installs the mkcert CA into the system keychain. The command checks whether the CA is already present before prompting — if it is, no dialog appears.
Force an immediate certificate renewal. Without a domain argument, renews all certs that expire within 30 days. Pass a domain to force-renew a specific cert even if it is not near expiry.
# Renew any certs expiring within 30 days
nself ssl renew
# Force-renew a specific domain
nself ssl renew api.mycompany.com

Register a new domain with nSelf and obtain a TLS certificate immediately. In production, this calls the Let's Encrypt ACME challenge via Nginx. In development, mkcert issues a cert for the new domain.
nself ssl add api.mycompany.com
nself ssl add staging.mycompany.com

The domain must already have a DNS A record pointing to your server before running nself ssl add in production.
Every ssl subcommand checks the current state before acting. Specifically, ssl setup on macOS:
/Library/Keychains/System.keychain for the mkcert CA (zero-admin read)

This prevents the burst of stacked OS dialogs that would appear if CI or CRUNCH agents called ssl setup repeatedly.

NSELF_ENV — development uses mkcert; production uses Let's Encrypt
NSELF_SSL_EMAIL — email for Let's Encrypt ACME registration (required in production)
NSELF_SSL_STAGING — set to true to use Let's Encrypt staging CA (for testing)

0 — all certs OK or successfully issued/renewed
1 — ACME challenge failed or mkcert CA installation failed
2 — invalid domain or arguments

ssl setup automatically on first run)