How to Integrate Bolt.new with Let's Encrypt

Before attempting any SSL configuration, confirm whether your deployment target handles it automatically — the vast majority of Bolt.new users should stop here. Bolt Cloud (bolt.host): Every app deployed to bolt.host has HTTPS automatically. Custom domains are managed within Bolt's dashboard, and SSL certificates are provisioned as part of the domain connection process. You purchase, connect, or transfer a domain in Bolt's interface, and the certificate appears within minutes. No terminal access, no certificate files, nothing to configure. Netlify: When you deploy from Bolt to Netlify (the most common deployment path), every deployment gets a *.netlify.app URL with valid HTTPS. To add a custom domain, go to your Netlify site dashboard → Domain settings → Add domain. After adding your domain and configuring the DNS records Netlify specifies, Netlify automatically provisions a Let's Encrypt certificate using their automated ACME integration. The certificate is renewed automatically every 90 days with no action required from you. Vercel: If you connect your Bolt project to GitHub and deploy via Vercel, the same automatic SSL provisioning applies. Add a custom domain in the Vercel dashboard and SSL is handled identically to Netlify. Cloudflare Pages: Cloudflare uses its own CA for certificates (Universal SSL) rather than Let's Encrypt, but the result is the same — HTTPS is automatic and you never touch a certificate file. If you are using any of these platforms, you are done with SSL configuration. The remaining steps in this guide are specifically for teams self-hosting on a VPS or Docker without a managed platform.

1# Verify SSL is working after Netlify deployment
2# No configuration needed — just check your deployed URL
3
4# After deploying to Netlify:
5# 1. Your site is at: https://your-site-name.netlify.app (SSL automatic)
6# 2. To add custom domain: Netlify Dashboard → Domain settings → Add domain
7# 3. Netlify shows: "SSL certificate provisioned" within 2-5 minutes
8
9# Check SSL certificate details (optional verification)
10# Visit: https://www.ssllabs.com/ssltest/analyze.html?d=your-domain.com
11
12# For Bolt Cloud custom domains:
13# Bolt Dashboard → your project → Settings → Domains → Connect domain
14# SSL is provisioned automatically as part of domain setup

If you are self-hosting an exported Bolt.new app on a Linux VPS, use Certbot — the official Let's Encrypt client — to obtain and automatically renew SSL certificates. Certbot is developed by the Electronic Frontier Foundation (EFF) and is the recommended tool for Let's Encrypt on Linux servers. First, ensure your domain's DNS A record points to your VPS's public IP address. Certbot verifies domain ownership by placing a temporary file at a well-known URL on your server (HTTP-01 challenge), so the domain must be publicly accessible on port 80 before running Certbot. Verify this by browsing to http://your-domain.com and confirming you see your site (or nginx's default page). Install Certbot using snap (the recommended installation method as of 2024): sudo snap install --classic certbot. Then create a symlink: sudo ln -s /snap/bin/certbot /usr/bin/certbot. Run certbot --nginx to automatically detect your nginx server blocks, obtain certificates, and update the nginx configuration to enable HTTPS. Certbot asks which domains to add SSL to (it reads from your nginx config) and whether to redirect HTTP to HTTPS (choose yes for the redirect). The certificate files are stored in /etc/letsencrypt/live/your-domain.com/. For automated renewal, Certbot installs a systemd timer (certbot.timer) that runs twice daily and renews certificates that expire within 30 days. You can verify the timer is active with systemctl status certbot.timer. Test renewal with a dry-run: certbot renew --dry-run. Let's Encrypt certificates expire after 90 days, so renewal runs long before expiry with the default 30-day threshold. After Certbot completes, reload nginx to apply the updated configuration: sudo systemctl reload nginx. Your site should now be accessible on HTTPS with a valid Let's Encrypt certificate. The full setup from a fresh server to working HTTPS typically takes about 10 minutes.

1#!/bin/bash
2# Let's Encrypt / Certbot setup for self-hosted Next.js app
3# Run on Ubuntu 20.04+ VPS with nginx already installed
4
5# Step 1: Install Certbot via snap (recommended method)
6sudo snap install --classic certbot
7sudo ln -s /snap/bin/certbot /usr/bin/certbot
8
9# Step 2: Obtain certificate and configure nginx automatically
10# Certbot reads your nginx config and asks which domains to secure
11sudo certbot --nginx
12
13# Or specify domain directly (skip interactive prompts):
14sudo certbot --nginx -d your-domain.com -d www.your-domain.com
15
16# Step 3: Verify automatic renewal is configured
17sudo systemctl status certbot.timer
18
19# Step 4: Test renewal process (dry run - no changes made)
20sudo certbot renew --dry-run
21
22# Step 5: Reload nginx to apply SSL configuration
23sudo systemctl reload nginx
24
25# Step 6: Verify SSL is working
26curl -I https://your-domain.com
27# Should show: HTTP/2 200

When self-hosting an exported Bolt.new Next.js app on a VPS, nginx acts as a reverse proxy that handles HTTPS termination and forwards requests to your Node.js application running on a port like 3000. Certbot from the previous step handles the certificate — this step covers the nginx configuration that makes your Next.js app work behind nginx with SSL. The nginx configuration for a Next.js app has two server blocks: the HTTP block (port 80) that redirects all traffic to HTTPS, and the HTTPS block (port 443) that proxies requests to your Node.js process. Key nginx settings for Next.js: enable proxy_pass to localhost:3000 (or whatever port your app runs on), set proxy_set_header to pass the original host and IP through to your Node app, enable HTTP/2 for better performance with h2 in the listen directive, and configure proper cache headers for Next.js static files (the /_next/static/ path). To keep your Next.js process running, use PM2 (a Node.js process manager): install with npm install -g pm2, start your app with pm2 start 'npm run start' --name 'myapp', and enable startup persistence with pm2 startup and pm2 save. PM2 automatically restarts your app if it crashes and on server reboots. For a complete Bolt.new Next.js deployment: export the project from Bolt (Dev Mode → Download ZIP), transfer to your VPS via scp or rsync, install dependencies with npm install, build with npm run build, and start with pm2. The entire flow from Bolt export to a running HTTPS server takes about 20-30 minutes including DNS propagation wait time. After the initial setup, updates are as simple as transferring the new build and restarting PM2.

1# /etc/nginx/sites-available/myapp.conf
2# Nginx configuration for self-hosted Next.js app with Let's Encrypt SSL
3# Run: sudo ln -s /etc/nginx/sites-available/myapp.conf /etc/nginx/sites-enabled/
4# Then: sudo nginx -t && sudo systemctl reload nginx
5
6# HTTP → redirect to HTTPS
7server {
8    listen 80;
9    server_name your-domain.com www.your-domain.com;
10    return 301 https://$server_name$request_uri;
11}
12
13# HTTPS server block
14server {
15    listen 443 ssl http2;
16    server_name your-domain.com www.your-domain.com;
17
18    # SSL certificates from Certbot (auto-configured by certbot --nginx)
19    ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
20    ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;
21    include /etc/letsencrypt/options-ssl-nginx.conf;
22    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
23
24    # Proxy to Next.js app running on port 3000
25    location / {
26        proxy_pass http://localhost:3000;
27        proxy_http_version 1.1;
28        proxy_set_header Upgrade $http_upgrade;
29        proxy_set_header Connection 'upgrade';
30        proxy_set_header Host $host;
31        proxy_set_header X-Real-IP $remote_addr;
32        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
33        proxy_set_header X-Forwarded-Proto $scheme;
34        proxy_cache_bypass $http_upgrade;
35    }
36
37    # Cache Next.js static assets
38    location /_next/static/ {
39        proxy_pass http://localhost:3000;
40        add_header Cache-Control "public, max-age=31536000, immutable";
41    }
42
43    # Security headers
44    add_header X-Frame-Options DENY;
45    add_header X-Content-Type-Options nosniff;
46    add_header Referrer-Policy strict-origin-when-cross-origin;
47}

For Docker-based self-hosting, Caddy is often a better choice than nginx + Certbot because Caddy has built-in ACME support — it automatically obtains and renews Let's Encrypt certificates with zero configuration beyond specifying your domain name. This eliminates the need to run Certbot as a separate process or cron job. The Docker Compose setup for a Bolt.new Next.js app with Caddy consists of two services: the Next.js application and Caddy as the reverse proxy. The Caddyfile (Caddy's configuration file) is remarkably simple — you just specify your domain name and the upstream service, and Caddy handles everything else, including HTTP-to-HTTPS redirect, HTTPS certificate via Let's Encrypt, and HTTP/2. To use Caddy's automatic HTTPS, your server must be publicly accessible on ports 80 and 443, and your domain's DNS must point to the server's IP. Caddy performs the same ACME HTTP-01 challenge as Certbot during certificate issuance. Certificates are stored in a Docker volume so they persist across container restarts. Caddy renews certificates automatically when they are within 30 days of expiry — no cron job needed. For the Next.js app container, use Node.js 20 Alpine as the base image for a minimal production image. The multi-stage Dockerfile (build stage + runtime stage) keeps the final image small by excluding development dependencies and source files. Environment variables for the Next.js app (Supabase URL, API keys, etc.) are passed via the Docker Compose environment section or a .env file — these correspond to the same variables in your Bolt.new .env file.

1# docker-compose.yml
2# Bolt.new Next.js app with Caddy automatic HTTPS
3
4version: '3.8'
5
6services:
7  app:
8    build:
9      context: .
10      dockerfile: Dockerfile
11    restart: unless-stopped
12    environment:
13      - NODE_ENV=production
14      - NEXT_PUBLIC_SUPABASE_URL=${NEXT_PUBLIC_SUPABASE_URL}
15      - NEXT_PUBLIC_SUPABASE_ANON_KEY=${NEXT_PUBLIC_SUPABASE_ANON_KEY}
16    expose:
17      - "3000"
18
19  caddy:
20    image: caddy:2-alpine
21    restart: unless-stopped
22    ports:
23      - "80:80"
24      - "443:443"
25    volumes:
26      - ./Caddyfile:/etc/caddy/Caddyfile
27      - caddy_data:/data     # Stores Let's Encrypt certificates
28      - caddy_config:/config
29    depends_on:
30      - app
31
32volumes:
33  caddy_data:
34  caddy_config:
35
36---
37# Caddyfile
38# Replace 'your-domain.com' with your actual domain
39# Caddy automatically gets Let's Encrypt SSL for this domain
40
41your-domain.com {
42    reverse_proxy app:3000
43}
44
45---
46# Dockerfile
47# Multi-stage build for Next.js
48FROM node:20-alpine AS builder
49WORKDIR /app
50COPY package*.json ./
51RUN npm ci --only=production
52COPY . .
53RUN npm run build
54
55FROM node:20-alpine AS runner
56WORKDIR /app
57ENV NODE_ENV=production
58COPY --from=builder /app/.next ./.next
59COPY --from=builder /app/public ./public
60COPY --from=builder /app/package*.json ./
61COPY --from=builder /app/node_modules ./node_modules
62EXPOSE 3000
63CMD ["npm", "start"]