TLS Certificates

Broch requires a wildcard TLS certificate for your chosen hostname (e.g. *.tunnels.company.com). Every tunnel URL is a subdomain of that hostname, so a certificate for the bare hostname alone is not sufficient.

Two options:

Option A — Caddy (recommended): Caddy obtains and renews the wildcard certificate automatically via ACME DNS-01 challenge. You provide a DNS provider API token; no manual certificate management. Requires a supported DNS provider. Cloudflare is recommended; Route 53 is supported but untested.

Option B — Bring your own cert: You provide a certificate and private key in PEM format. Works with nginx or Caddy in static-cert mode. Use this if you already have a certificate, your DNS provider is not supported by the Caddy DNS modules, or you manage certificates centrally (e.g. via Certbot with your own renewal automation).

Both options are covered in the Docker Compose installation guide.

Azure Container Apps requires certificates in PFX format (PKCS#12), base64-encoded. The Bicep deployment template accepts this as a parameter. Azure-managed certificates are also supported — configure via the portal after deployment. See the Azure installation guide.

AWS Certificate Manager (ACM) manages your certificate via DNS validation. You pass the certificate ARN as a CloudFormation parameter. ACM handles automatic renewal. See the AWS installation guide.