The Gartner Hype Cycle Emerging Technologies Report is out!

Download now


cert-manager allows you to enable HTTPS on your Coder installation, regardless of whether you're using Let's Encrypt or you have your own certificate authority.

This guide will show you how to install cert-manager v1.0.1 and set up your cluster to issue Let's Encrypt certificates for your Coder installation so that you can enable HTTPS on your Coder deployment. It will also show you how to configure your Coder hostname and dev URLs.

We recommend reviewing the official cert-manager documentation if you encounter any issues or if you want info on using a different certificate issuer.


You must have:

You should also:

  • Be a cluster admin
  • Have access to your DNS provider.
  • Have an AWS account so that you can access Route 53 and IAM

Step 1: Add cert-manager to your Kubernetes cluster

  1. Install cert-manager:

    kubectl apply -f
  2. Check that cert-manager installs correctly by running

    kubectl get CustomResourceDefinition | grep cert-manager

    You should see certificates, certificate requests, challenges, cluster issuers, issuers, and orders.

  3. Next, check that your services are running in the cert-manager namespace

    kubectl get all -n cert-manager

Step 2: Delegate your domain names and set up DNS01 challenges

Because Coder dynamically generates domains (specifically the dev URLs), your certificates need to be approved and challenged. The following steps will show you how to use Route 53 for DNS01 challenges.

  1. Log in to AWS Route 53. On the Dashboard, click Hosted Zone.

  2. Click Create Hosted Zone. In the configuration screen, provide the Domain name that you'll use for Coder (e.g., and make sure that you've selected Public hosted zone. Click Create hosted zone to proceed.

    When your list of hosted zones refreshes, you'll see that your new records includes multiple values under Value/Route traffic to.

  3. Log in to your DNS provider so that you can edit your NS records.

  4. Edit your NS record to delegate your zones to AWS by sending each of the values under Value/Route traffic to to your domain name (i.e., delegate to

Step 3: Create an IAM role for clusterIssuer

To make sure that your clusterIssuer can change your DNS settings, create the required IAM role

Step 4: Create the ACME Issuer

  1. Using the text editor of your choice, create a new configuration file called letsencrypt.yaml (you can name it whatever you'd like) that includes your newly created IAM role:

    kind: ClusterIssuer
      name: letsencrypt
        email: [email protected]
        preferredChain: ""
          name: example-issuer-account-key
          - dns01:
                accessKeyID: your-access-key-ID #secret with IAM Role
                region: your-region
                  key: secret-access-key
                  name: route53-credentials
  2. Apply your configuration changes

    kubectl apply -f letsencrypt.yaml

    If successful, you'll see a response similar to created

Step 5: Install Coder

At this point, you're ready to install Coder. However, to use all of the functionality you set up in this tutorial, use the following helm install command instead:

helm install coder coder/coder --namespace coder \
  --version=<CODER_VERSION> \
  --set"*" \
  --set"" \
  --set ingress.tls.enable=true \
  --set ingress.tls.devurlsHostSecretName=coder-devurls-cert \
  --set ingress.tls.hostSecretName=coder-root-cert \
  --set ingress.annotations."cert-manager\.io/cluster-issuer"="letsencrypt" \

There are also a few additional steps to make sure that your hostname and dev URLs work.

  1. Check the contents of your namespace:

    kubectl get all -n <your_namespace> -o wide

    Find the service/ingress-nginx line and copy its external IP value.

  2. Return to Route53 and go to Hosted Zone.

  3. Create a new record for your hostname; provide coder as the record name and paste the external IP as the value. Save.

  4. Create another record for your dev URLs: set it to *.dev.exampleCo or similar and use the same external IP as the previous step for value. Save.

At this point, you can return to step 6 of the installation guide to obtain the admin credentials you need to log in. If you are not getting a valid certificate after redeploying, see cert-manager's troubleshooting guide for additional assistance.

See an opportunity to improve our docs? Make an edit.