TLS

The Tawon API supports TLS, either with custom TLS keys or, if the API is publicly accessible, through automatic TLS configuration.

Custom TLS

You can pass TLS keys into the Tawon Controller with the --api.customtls.cert and --api.customtls.key flags.

Auto TLS

If your Controller is publicly accessible, you can let the Tawon Controller automatically generate a TLS certificate with Let’s Encrypt.

In order to enable autotls, you must set 3 flags:

  • --api.autotls.domain: the TLS certificate domain

  • --api.autotls.email: the email address used for certificate registration (this must be a valid email)

  • --api.autotls.path: the directory used to persistently store generated TLS certs (this must be a mounted path if running in a container; certificate generation is severely rate-limited, so you do not want to regenerate certificates on each restart)

Let’s Encrypt has a very low rate-limit threshold, so on first deploy you should enable the Let’s Encrypt staging environment with the --api.autotls.testing flag to check the domain configuration first.
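
A pre-flight check for the directory passed to --api.autotls.path, added here as an example; it is not part of the Tawon documentation or code. The function names are hypothetical, and the check assumes the directory also holds private key material, so any group/other access is treated as a failure.

```shell
#!/bin/sh
# Added example: validate the directory intended for --api.autotls.path
# before the first deploy. Function names are hypothetical.
# Assumption: the directory also holds private key material, so it must
# not be accessible to group or other.

# Print the mount point that contains $1 (6th column of POSIX df output).
mount_point_of() {
    df -P -- "$1" 2>/dev/null | awk 'NR==2 {print $6}'
}

# check_autotls_path DIR
# Returns 0 if DIR is usable as a persistent certificate store, 1 otherwise.
check_autotls_path() {
    dir=$1
    if [ -z "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL: '$dir' is not an existing directory" >&2
        return 1
    fi
    if [ ! -w "$dir" ] || [ ! -x "$dir" ]; then
        echo "FAIL: '$dir' is not writable by $(id -un)" >&2
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    go_bits=$(ls -ld -- "$dir" | cut -c5-10)
    if [ "$go_bits" != "------" ]; then
        echo "FAIL: '$dir' is accessible to group/other ($go_bits); use mode 700" >&2
        return 1
    fi
    # Heuristic only: a path on the root filesystem is usually the
    # container's ephemeral layer, so certificates would be lost on
    # restart and regenerated against the rate limit.
    if [ "$(mount_point_of "$dir")" = "/" ]; then
        echo "WARN: '$dir' is on the root filesystem, not a separate mount" >&2
    fi
    echo "OK: $dir"
    return 0
}
```

Run it inside the container against the same path you pass to the Controller; the root-filesystem warning is a heuristic and does not change the exit status.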