
Security : Authentication : Let's Encrypt Certificates

RavenDB 4.x uses X.509 certificates for authentication and authorization and has built-in support for Let's Encrypt.

Obtain a Let's Encrypt Certificate

The Setup Wizard Walkthrough explains how to obtain a free Let's Encrypt certificate for your server or cluster.

The certificate contains all of the domain names of the cluster in the SAN (Subject Alternative Name) property. For example, if you set up a 3-node cluster and choose the domain "", the certificate will contain 3 SAN entries:


This way, the same certificate is used in all the nodes of the cluster.

Let's Encrypt recently announced support for wildcard certificates, and RavenDB will start using them soon.

Automatic Renewal

Let's Encrypt certificates have a 90-day lifetime policy.

In RavenDB, you don't need to worry about renewals. RavenDB takes care of this for you.

When there are 30 days left until expiration, RavenDB will initiate the certificate renewal and replacement process. The actual request to Let's Encrypt will happen on the nearest coming Saturday.

Once the renewed certificate is obtained, it will be replaced in all the nodes of the cluster without needing to shut down any server.


Automatic certificate renewal is available only if you obtained your certificate using the Setup Wizard and got your free RavenDB domain. It doesn't work for self-obtained certificates, even if they were issued by Let's Encrypt.
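A monitoring check for the two behaviours described above (every node name listed in the certificate, and renewal starting 30 days before expiry with the request on a Saturday), added here as an example and not RavenDB's own code. It takes a certificate dict in the format of Python's `ssl.SSLSocket.getpeercert()`; the node names and dates are constructed placeholders, and reading "nearest coming Saturday" as the first Saturday on or after the 30-day mark is an assumption.

```python
import ssl
from datetime import datetime, timedelta, timezone

RENEW_THRESHOLD_DAYS = 30   # from the page: renewal starts with 30 days left
SATURDAY = 5                # datetime.weekday(): Monday=0 ... Saturday=5


def expected_request_date(not_after):
    """Day the renewal request is expected: the first Saturday on or after
    the day the certificate has 30 days left (assumed reading of
    'nearest coming Saturday')."""
    threshold = (not_after - timedelta(days=RENEW_THRESHOLD_DAYS)).date()
    return threshold + timedelta(days=(SATURDAY - threshold.weekday()) % 7)


def check_cluster_cert(cert, node_names, now):
    """cert: dict in the format returned by ssl.SSLSocket.getpeercert()."""
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    sans = {value.lower() for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"}
    request_date = expected_request_date(not_after)
    return {
        # Node names the shared cluster certificate does not cover.
        "missing_sans": sorted(n for n in node_names if n.lower() not in sans),
        "days_left": (not_after - now).days,
        "expected_request": request_date,
        # Still serving this certificate after the expected request day
        # suggests automatic renewal did not run or failed.
        "renewal_overdue": now.date() > request_date,
    }


# Constructed sample: node names and dates are placeholders, not from the page.
SAMPLE_CERT = {
    "notAfter": "Jun 20 12:00:00 2018 GMT",
    "subjectAltName": (("DNS", "a.cluster.example.test"),
                       ("DNS", "b.cluster.example.test")),
}
NODES = ["a.cluster.example.test", "b.cluster.example.test",
         "c.cluster.example.test"]

if __name__ == "__main__":
    now = datetime(2018, 5, 28, tzinfo=timezone.utc)
    print(check_cluster_cert(SAMPLE_CERT, NODES, now))
```

Run it against each node's certificate on a schedule; a non-empty `missing_sans` or a true `renewal_overdue` is the condition to alert on.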

Updating DNS records

At the moment, updating DNS records for your domain can only be achieved by running the Setup Wizard again.

We are working on a new dedicated page on our website that will allow you to easily edit the DNS records associated with your license. Once deployed, it will be described and explained here.