How to Configure OpenClaw Gateway with HTTPS
Securing your OpenClaw gateway with HTTPS is essential for production deployments. This guide walks you through installing nginx as a reverse proxy, obtaining free SSL certificates from Let's Encrypt using certbot, configuring automatic certificate renewal, and updating your OpenClaw gateway settings. You'll have a secure, HTTPS-enabled OpenClaw instance in under an hour.
Why This Is Hard to Do Yourself
These are the common pitfalls that trip people up.
Certificate acquisition: Let's Encrypt requires DNS or HTTP validation, which can fail with wrong configurations
Reverse proxy setup: nginx config syntax errors and proxy header misconfigurations
Certificate auto-renewal: Certbot renewal can silently fail if nginx config is broken
Gateway configuration updates: OpenClaw gateway needs to know it's behind a proxy
Step-by-Step Guide
Install nginx and certbot
Install nginx web server and certbot for SSL certificates.
sudo apt update
sudo apt install -y nginx certbot python3-certbot-nginx
Configure nginx reverse proxy
Create an nginx config for OpenClaw.
sudo nano /etc/nginx/sites-available/openclaw
# Add:
# server {
#     listen 80;
#     server_name openclaw.yourdomain.com;
#
#     location / {
#         proxy_pass http://localhost:3000;
#         proxy_http_version 1.1;
#         proxy_set_header Upgrade $http_upgrade;
#         proxy_set_header Connection 'upgrade';
#         proxy_set_header Host $host;
#         proxy_cache_bypass $http_upgrade;
#         proxy_set_header X-Real-IP $remote_addr;
#         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#         proxy_set_header X-Forwarded-Proto $scheme;
#     }
# }
sudo ln -s /etc/nginx/sites-available/openclaw /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx
Obtain SSL certificate with certbot
Get a free Let's Encrypt certificate.
sudo certbot --nginx -d openclaw.yourdomain.com
# Follow the prompts
# Choose option 2 (redirect HTTP to HTTPS)
Warning: Ensure your domain's DNS A record points to your server's IP before running certbot, or validation will fail.
Update OpenClaw gateway configuration
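Bind the gateway to localhost and configure it to trust the proxy headers that nginx sets. With the gateway listening only on 127.0.0.1, it is reachable through nginx rather than directly from the network.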
nano ~/openclaw/gateway.yaml
# Update:
# server:
#   host: 127.0.0.1    # Only listen on localhost
#   port: 3000
#   trustProxy: true   # Trust X-Forwarded-* headers from nginx
sudo systemctl restart openclaw
Test HTTPS access
Verify SSL is working.
curl https://openclaw.yourdomain.com/health
# Should return {"status":"ok"}
# Check certificate in browser: should show valid Let's Encrypt cert
Verify certificate auto-renewal
Test certbot renewal process.
sudo certbot renew --dry-run
# Should complete without errors
# Certbot automatically adds a renewal cron job
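Two of the pitfalls listed at the top, proxy header misconfigurations and a gateway that does not know it is behind a proxy, can be checked before each reload or restart. The script below is an added example, not part of the original guide or of OpenClaw: it compares an nginx site file and gateway.yaml against the directives and keys shown in the steps above. The function names are hypothetical; the directives, keys and file paths are the ones from this guide.

```shell
#!/bin/sh
# Added example: audit the two config files from this guide.
# Function names are hypothetical; directives and keys are the guide's own.

# Strip comments, collapse whitespace and trim each line of file $1.
normalize() {
    sed -e 's/#.*//' "$1" | tr '\t' ' ' | tr -s ' ' | sed -e 's/^ //' -e 's/ $//'
}

# Report every proxy directive from the guide that is absent (or present
# only as a comment) in nginx site file $1. Returns 1 if any is missing.
check_nginx_site() {
    conf=$(normalize "$1")
    rc=0
    while IFS= read -r want; do
        if ! printf '%s\n' "$conf" | grep -qxF -- "$want"; then
            echo "nginx: missing '$want'"
            rc=1
        fi
    done <<'EOF'
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
EOF
    return "$rc"
}

# Report gateway.yaml ($1) settings that differ from the guide: localhost
# bind, port 3000, and proxy trust enabled. Returns 1 on any mismatch.
check_gateway_yaml() {
    conf=$(normalize "$1")
    rc=0
    for want in 'host: 127.0.0.1' 'port: 3000' 'trustProxy: true'; do
        printf '%s\n' "$conf" | grep -qxF -- "$want" ||
            { echo "gateway: expected '$want'"; rc=1; }
    done
    return "$rc"
}

# Usage: sh audit.sh /etc/nginx/sites-available/openclaw ~/openclaw/gateway.yaml
if [ "$#" -eq 2 ]; then
    check_nginx_site "$1"; n=$?
    check_gateway_yaml "$2"; g=$?
    [ "$n" -eq 0 ] && [ "$g" -eq 0 ] && echo "config matches the guide"
fi
```

The check only confirms that the guide's lines are present; `sudo nginx -t` is still needed to catch syntax errors.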