Remote OpenClaw Blog
OpenClaw SSL/HTTPS Setup: Secure Your Dashboard With Let's Encrypt
This guide explains why SSL matters for gateway token security and walks through three ways to put OpenClaw behind HTTPS: Caddy auto-SSL, Nginx with certbot, and Tailscale HTTPS as an alternative, with step-by-step configuration for each.
Why SSL Matters for OpenClaw
Every time you interact with your OpenClaw instance — through the web UI, through the API, or through webhook callbacks — your gateway token is transmitted as part of the request. This token is the key to your entire agent. Whoever has it can read all conversations, execute code, access your API keys, and control your agent's actions.
Without SSL (HTTPS), this token is sent as plain text. Anyone who can observe your network traffic can see it. This includes your ISP, other users on the same WiFi network (at a coffee shop, airport, or hotel), and any network equipment between your device and your server.
With SSL, all traffic is encrypted. The token is still sent with every request, but it is unreadable to anyone who intercepts the traffic. This is the single most important security measure for any OpenClaw deployment that is accessible over a network.
If your OpenClaw instance is only accessible on localhost (127.0.0.1), SSL is not strictly necessary because the traffic never leaves your machine. The moment you access it from another device — even on your local network — you need SSL.
Option 1: Caddy Auto-SSL
Caddy is a web server that automatically handles SSL certificates. It obtains certificates from Let's Encrypt, configures TLS correctly, and renews certificates before they expire — all without any manual intervention.
Prerequisites:
- A domain name pointing to your server's IP address (A record in DNS)
- Ports 80 and 443 open on your firewall
- OpenClaw running on port 3000
Step 1: Install Caddy
```shell
# Ubuntu/Debian
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy
```
Step 2: Create the Caddyfile
Create /etc/caddy/Caddyfile with just two lines:
```
openclaw.yourdomain.com {
    reverse_proxy localhost:3000
}
```
That is it. Two lines. Caddy handles everything else.
Step 3: Start Caddy
```shell
sudo systemctl enable caddy
sudo systemctl start caddy
```
Within seconds, Caddy will obtain a Let's Encrypt certificate for your domain and start serving OpenClaw over HTTPS. It will also automatically redirect HTTP to HTTPS.
Step 4: Update your OpenClaw configuration
Make sure OpenClaw only listens on localhost, not on all interfaces. In your docker-compose.yml, change the port binding:
```yaml
ports:
  - "127.0.0.1:3000:3000"   # Only accessible from localhost
```
This ensures that OpenClaw is only reachable through Caddy (which provides SSL), not directly over plain HTTP.
Option 2: Nginx + Certbot
Nginx with certbot is the traditional approach. It gives you more configuration control but requires more manual setup.
Step 1: Install Nginx and Certbot
```shell
sudo apt update
sudo apt install nginx certbot python3-certbot-nginx
```
Step 2: Create Nginx configuration
Create /etc/nginx/sites-available/openclaw:
```nginx
server {
    listen 80;
    server_name openclaw.yourdomain.com;

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```
Step 3: Enable the site
```shell
sudo ln -s /etc/nginx/sites-available/openclaw /etc/nginx/sites-enabled/
sudo nginx -t   # Test configuration
sudo systemctl reload nginx
```
Step 4: Obtain SSL certificate
```shell
sudo certbot --nginx -d openclaw.yourdomain.com
```
Certbot will automatically modify your Nginx configuration to add SSL, obtain the certificate, and set up automatic renewal.
Step 5: Verify auto-renewal
```shell
sudo certbot renew --dry-run
```
If this completes without errors, your certificate will automatically renew before it expires (every 90 days).
The WebSocket headers (Upgrade and Connection) in the Nginx configuration are important. OpenClaw uses WebSockets for real-time communication. Without these headers, the web UI will not update in real-time.
Option 3: Tailscale HTTPS
Tailscale is a VPN service that creates encrypted tunnels between your devices. It is the simplest option if you only access OpenClaw from your own devices and do not need public internet access.
Step 1: Install Tailscale on your server
```shell
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
```
Step 2: Install Tailscale on your devices
Install the Tailscale app on your phone, laptop, or any device you use to access OpenClaw. Sign in with the same account.
Step 3: Enable HTTPS
```shell
sudo tailscale cert openclaw-server.your-tailnet.ts.net
```
Tailscale provides automatic HTTPS certificates for your tailnet devices. The command takes the full MagicDNS name of the machine (not just the short hostname) and writes the certificate and private key as openclaw-server.your-tailnet.ts.net.crt and .key in the current directory; whatever listens on port 3000 has to be configured to serve that pair, otherwise the port still answers over plain HTTP.
Step 4: Access OpenClaw
Access OpenClaw via your Tailscale hostname: https://openclaw-server.your-tailnet.ts.net:3000
No domain name required. No port forwarding. No firewall configuration. All traffic is encrypted end-to-end through Tailscale's WireGuard tunnels.
Limitation: External services cannot reach your OpenClaw instance through Tailscale. This means webhook callbacks from Telegram, WhatsApp, and other messaging platforms will not work unless you set up a Tailscale funnel or use a separate public endpoint for webhooks.
To solve the webhook problem, you can use Tailscale Funnel to expose specific routes publicly:
```shell
sudo tailscale funnel --bg 3000
```
This exposes your OpenClaw port through a Tailscale-managed HTTPS endpoint that external services can reach for webhook callbacks.
Which Option Should You Choose?
| Criteria | Caddy | Nginx + Certbot | Tailscale |
|---|---|---|---|
| Setup difficulty | Easy (2 lines) | Moderate | Easiest |
| Needs domain name | Yes | Yes | No |
| Auto certificate renewal | Yes | Yes (certbot timer) | Yes |
| Public internet access | Yes | Yes | No (without Funnel) |
| Webhook support | Yes | Yes | Requires Funnel |
| Configuration control | Moderate | Full | Minimal |
Choose Caddy if: You need public access (for webhooks) and want the simplest setup possible.
Choose Nginx if: You need public access and want full control over your web server configuration, or if Nginx is already running on your server.
Choose Tailscale if: You only access OpenClaw from your own devices and want zero-configuration encrypted access. Use Tailscale Funnel if you also need webhook support.
Testing Your SSL Setup
After setting up SSL, verify everything works:
- Check HTTPS access: Open https://openclaw.yourdomain.com in your browser. You should see the OpenClaw login page with a valid certificate (lock icon in the address bar).
- Check HTTP redirect: Open http://openclaw.yourdomain.com (without the S). It should automatically redirect to HTTPS.
- Check certificate validity: Click the lock icon in your browser to view the certificate details. Verify the domain matches and the expiration date is approximately 90 days in the future.
- Check direct HTTP access is blocked: Try accessing http://your-server-ip:3000 directly. If you followed the instructions above (binding to 127.0.0.1), this should fail. Your OpenClaw instance should only be reachable through the SSL-protected reverse proxy.
- Test SSL grade: Use ssllabs.com/ssltest to check your SSL configuration. Both Caddy and a properly configured Nginx should score an A or A+.
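The browser checks above can be scripted so they run after every deployment. The shell script below is an added example, not code from the original post or from the OpenClaw, Caddy, Nginx or Tailscale projects. It covers the loopback binding from Option 1 Step 4 (both the live listener and the docker-compose.yml port mapping) and the HTTP-to-HTTPS redirect from the checklist. Each check takes the output of a command as a string so it can be exercised on constructed samples; the assumed environment variable OPENCLAW_DOMAIN, the `ss` and `curl` tools, and a docker-compose.yml in the current directory are all assumptions of this example.

```shell
#!/bin/sh
# Example verification helpers (not part of OpenClaw). Assumed: `ss` and `curl`
# are installed, the compose file is ./docker-compose.yml, and OPENCLAW_DOMAIN
# names the public hostname served by Caddy or Nginx.

# Check 1: in `ss -ltn` output ($1), is TCP port $2 bound only to loopback?
# Returns 0 when every listener on that port is 127.0.0.1 or [::1].
loopback_only() {
  printf '%s\n' "$1" | awk -v port="$2" '
    NR > 1 {
      n = split($4, a, ":"); bound_port = a[n]        # last field is the port
      if (bound_port != port) next
      if ($4 ~ /^127\.0\.0\.1:/ || $4 ~ /^\[::1\]:/) next
      exposed = 1                                     # 0.0.0.0, *, [::] or a LAN IP
    }
    END { exit exposed ? 1 : 0 }'
}

# Check 2: do the response headers ($1) of a plain-HTTP request redirect to
# https://$2...? Accepts the codes Caddy (308) and certbot's Nginx config (301)
# use, plus the other redirect codes.
http_redirects_to_https() {
  status=$(printf '%s\n' "$1" | awk 'NR == 1 { print $2 }')
  location=$(printf '%s\n' "$1" | awk 'tolower($1) == "location:" { print $2 }' | tr -d '\r')
  case "$status" in 301|302|307|308) ;; *) return 1 ;; esac
  case "$location" in "https://$2"*) return 0 ;; *) return 1 ;; esac
}

# Check 3: print every port mapping in a docker-compose file ($1 = contents)
# that is not pinned to 127.0.0.1. Handles the common "HOST:CONTAINER" and
# "IP:HOST:CONTAINER" forms (double-quoted or bare). No output means nothing
# is exposed beyond loopback.
exposed_compose_ports() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*-[[:space:]]/ {
      m = $2; gsub(/"/, "", m)
      if (m !~ /^([0-9.]+:)?[0-9]+:[0-9]+$/) next    # not a port mapping (e.g. a volume)
      n = split(m, p, ":")
      if (n == 3 && p[1] == "127.0.0.1") next         # loopback-only: fine
      print m
    }'
}

# Wire the checks to live commands. Returns non-zero if any check fails.
run_checks() {
  domain=$1; rc=0
  if loopback_only "$(ss -ltn)" 3000; then
    echo "ok   port 3000 listens on loopback only"
  else
    echo "FAIL port 3000 is reachable on a non-loopback address"; rc=1
  fi
  if http_redirects_to_https "$(curl -sI "http://$domain/")" "$domain"; then
    echo "ok   http://$domain redirects to HTTPS"
  else
    echo "FAIL http://$domain does not redirect to HTTPS"; rc=1
  fi
  if [ -f docker-compose.yml ]; then
    exposed=$(exposed_compose_ports "$(cat docker-compose.yml)")
    if [ -n "$exposed" ]; then
      echo "FAIL docker-compose.yml exposes: $exposed"; rc=1
    else
      echo "ok   docker-compose.yml binds ports to 127.0.0.1 only"
    fi
  fi
  return $rc
}

# Only touch the live system when a domain is supplied, e.g.
#   OPENCLAW_DOMAIN=openclaw.yourdomain.com sh check-ssl.sh
if [ -n "${OPENCLAW_DOMAIN:-}" ]; then
  run_checks "$OPENCLAW_DOMAIN"
fi
```

The checks deliberately parse command output rather than calling the tools directly, so a failing result can be reproduced from a pasted `ss -ltn` or `curl -sI` capture. Note that check 1 only proves the listener is on loopback from the server's own point of view; the "direct HTTP access is blocked" step in the checklist, tried from another machine, is still worth doing once.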
Once SSL is verified, update any webhook URLs in your Telegram, WhatsApp, or other integration configurations to use the HTTPS URL. Remove any bookmarks or saved URLs that use HTTP.
