Let's Encrypt SSL certificates are automatically provisioned for every Lovable-published app and every Vercel deployment — you do not need to configure anything for HTTPS. For custom domains, connect your domain in Lovable's Publish settings or Vercel, and SSL is auto-provisioned and auto-renewed within minutes. This guide explains how Lovable handles SSL, how to set up custom domain HTTPS, and how to use an Edge Function to monitor certificate status.
SSL in Lovable: Automatic HTTPS for Every Deployment
Every app published through Lovable's Publish button is served over HTTPS with a valid SSL certificate. This happens automatically — Lovable's hosting infrastructure provisions a Let's Encrypt TLS certificate the moment your app is published, and renews it automatically before it expires. You do not need to manage certificates, configure web servers, or run any commands.
Custom domains add one step: you add a CNAME or A record pointing your domain to Lovable's infrastructure, then connect the domain in Publish settings. Once DNS propagates (typically 5-30 minutes, up to 48 hours in rare cases), Lovable requests a Let's Encrypt certificate and configures HTTPS automatically. The same automatic renewal applies — you will never see an expired certificate warning.
When deploying Lovable code to Vercel, the same pattern applies: Vercel uses automated Let's Encrypt certificates for all domains. The advanced Edge Function use case in this guide is building a certificate monitoring tool that proactively checks expiry dates and SSL health across multiple custom domains — useful for agencies or SaaS companies managing many Lovable deployments.
Integration method
Let's Encrypt SSL is automatically provisioned by Lovable's Publish infrastructure and Vercel for all deployments — no manual setup is required for the certificate itself. For advanced use cases such as monitoring certificate expiry, validating SSL configuration, or checking certificate details for a custom domain, you can use a Supabase Edge Function to call certificate inspection APIs. The Edge Function pattern also covers scenarios where you need to automate certificate-related checks in a CI/CD-style monitoring dashboard.
Prerequisites
- A Lovable project published via the Publish button (all plans, including free)
- A custom domain registered with any domain registrar (only needed for custom domain setup)
- Access to your domain registrar's DNS settings to add a CNAME or A record
- A paid Lovable plan (Pro or Business) for custom domain connection — free plan supports only the lovable.app subdomain
- Basic understanding of what DNS records are (CNAME = alias pointing to another hostname)
Step-by-step guide
Publish your Lovable app and confirm automatic HTTPS
Publish your Lovable app and confirm automatic HTTPS
The first step is publishing your Lovable app — this is what triggers the SSL certificate provisioning. If your app is not yet published, you cannot access it over HTTPS at any URL, including the default lovable.app subdomain. To publish: open your Lovable project. Click the Publish icon in the top-right corner of the editor (it looks like a globe or share icon). A panel opens showing your app's current publish status. If this is the first publish, click 'Publish' and wait 30-60 seconds while Lovable builds and deploys your app. Once published, you receive a URL in the format https://your-project-name.lovable.app. Open that URL in a browser. Click the padlock icon in the address bar (in Chrome) or the lock/shield icon (in Firefox/Safari). You should see a valid SSL certificate issued for your lovable.app subdomain. The certificate details will show it is a Let's Encrypt certificate — the issuer name will show 'R3' or 'E1' (Let's Encrypt's intermediate CAs). This confirms HTTPS is working correctly. Note: changes you make in Lovable's editor are NOT automatically pushed to the published URL — you must click Publish again (or 'Update') each time you want the live app to reflect new changes. The HTTPS setup itself never needs to be repeated; it is configured once when you first publish and maintained automatically afterward.
Publish my Lovable app and give me the public URL. Confirm that HTTPS is enabled and the SSL certificate is valid. Explain how to update the published version when I make changes in the editor.
Paste this in Lovable chat
Pro tip: After publishing, verify the HTTPS URL works in a private/incognito browser window to avoid cached redirects from previous visits. If you see a certificate warning, wait 2-3 minutes and retry — certificate provisioning can occasionally take a few minutes.
Expected result: Your app is accessible at https://your-project-name.lovable.app with a valid Let's Encrypt SSL certificate. The browser address bar shows a padlock icon with no security warnings.
Connect a custom domain with automatic SSL
Connect a custom domain with automatic SSL
Custom domains require a paid Lovable plan (Pro at $25/month or higher). The process has two parts: adding a DNS record at your domain registrar, and then connecting the domain in Lovable's Publish settings. Step 1 — DNS record: log in to your domain registrar (GoDaddy, Namecheap, Cloudflare, Google Domains, etc.). Find the DNS management section for your domain. Add a CNAME record: - Type: CNAME - Name/Host: www (or @ for the apex domain, though some registrars require ALIAS or ANAME for apex) - Value/Target: your lovable.app URL (e.g., your-project-name.lovable.app) - TTL: 300 seconds (5 minutes) initially for faster propagation Step 2 — Connect in Lovable: open the Publish panel in Lovable (Publish icon top-right). Look for the 'Custom domain' or 'Domains' section. Enter your custom domain (e.g., www.myapp.com) and click Connect or Add. Lovable will attempt to verify the DNS record. If DNS has propagated, the domain connects immediately. If not, you will see a 'DNS not propagated yet' message — wait 5-30 minutes and try again. Step 3 — SSL provisioning: once the domain is connected and DNS resolves, Lovable automatically requests a Let's Encrypt certificate for your domain. This takes 1-5 minutes. After provisioning, your app is accessible at https://www.myapp.com with a valid certificate that auto-renews every 90 days. For Vercel deployments: add your custom domain in the Vercel dashboard under your project's Settings → Domains. Vercel prompts you to add the same type of DNS record and handles Let's Encrypt provisioning automatically.
I want to connect my custom domain 'www.myapp.com' to my published Lovable app. What DNS record do I need to add at my domain registrar, and how do I connect it in Lovable's Publish settings? Tell me exactly what CNAME value to use.
Paste this in Lovable chat
Pro tip: Use a subdomain like 'www' rather than the apex domain (just 'myapp.com' with no www) initially — CNAME records work reliably for subdomains. Apex domain support depends on your registrar's support for ALIAS/ANAME records. Once www works, you can add an apex redirect.
Expected result: Your custom domain resolves to your Lovable app over HTTPS. The browser shows a valid SSL certificate for your domain name, not the lovable.app subdomain. The certificate auto-renews every 90 days without any action on your part.
Deploy to Vercel and configure custom domain SSL there
Deploy to Vercel and configure custom domain SSL there
Many teams generate their app in Lovable and then deploy to Vercel for production hosting, taking advantage of Vercel's global CDN and more advanced deployment controls. Vercel also uses Let's Encrypt and handles SSL automatically, but the domain connection workflow is slightly different. To deploy your Lovable app to Vercel: first ensure your Lovable project is connected to GitHub (Settings → Connectors → GitHub). Then log in to Vercel (vercel.com), click 'New Project', and import your GitHub repository. Set the framework preset to 'Vite', the build command to npm run build, and the output directory to dist. Click Deploy. Once deployed, you receive a Vercel preview URL (https://your-project.vercel.app) with automatic HTTPS. To add a custom domain: go to your project in Vercel → Settings → Domains → Add Domain. Enter your domain and Vercel shows you the exact DNS records to add. For a subdomain (www.myapp.com), add the CNAME record to your registrar. For the apex domain (myapp.com), Vercel recommends adding their A records or using Vercel's nameservers for the domain. Vercel provisions the Let's Encrypt certificate within 1-2 minutes of DNS propagation. You need to manually update environment variables in Vercel's dashboard (Project → Settings → Environment Variables) — set VITE_SUPABASE_URL, VITE_SUPABASE_PUBLISHABLE_KEY, and any other build-time environment variables your app uses. Also update your OAuth redirect URLs in Supabase Auth to include the Vercel domain if you use social login. The vercel.json file with the SPA rewrite rule is important: without it, refreshing any page that is not the root ('/') will return a 404. Add this file to your project root: { "rewrites": [{ "source": "/(.*)", "destination": "/index.html" }] }
I want to deploy my Lovable app to Vercel. Help me: 1) Connect my Lovable project to GitHub. 2) Import that GitHub repository into Vercel with the correct build settings for a Vite + React app. 3) Add a vercel.json file with the SPA rewrite rule so page refreshes work correctly. 4) List all the environment variables I need to set in Vercel's dashboard.
Paste this in Lovable chat
1{2 "rewrites": [3 {4 "source": "/(.*)",5 "destination": "/index.html"6 }7 ]8}Pro tip: After deploying to Vercel and adding a custom domain, update your Supabase project's Auth settings to add the new domain to the 'Site URL' and 'Redirect URLs' list. Without this, OAuth logins will fail with a 'redirect_uri_mismatch' error.
Expected result: Your Lovable app is deployed on Vercel at a custom domain with a valid Let's Encrypt SSL certificate. Page refreshes on nested routes work correctly. Environment variables are set and the app connects to Supabase.
Build an SSL certificate monitoring Edge Function
Build an SSL certificate monitoring Edge Function
For teams managing multiple Lovable deployments across many custom domains — such as agencies building client sites or SaaS companies with per-tenant custom domains — proactive SSL monitoring prevents certificate-related outages. While Lovable and Vercel auto-renew Let's Encrypt certificates, DNS changes or misconfigured domains can break the auto-renewal process. Build a monitoring Edge Function that checks certificate expiry for a list of domains. The function uses the crt.sh certificate transparency API to look up current certificate records for a domain, or makes an HTTPS connection and reads the TLS handshake metadata to check the certificate expiry date. Store the results in a Supabase table called ssl_monitor_results. A React dashboard reads this table and highlights domains where the certificate expires within 30 days (orange warning) or has already expired (red critical). Schedule the monitoring Edge Function via pg_cron to run daily. For complex SSL monitoring setups across many client domains, RapidDev's team can help build a multi-tenant monitoring system with automatic email alerts when certificates approach expiry.
Create a Supabase Edge Function called 'ssl-monitor' that checks SSL certificate expiry for a domain. Accept a 'domain' query parameter. Make an HTTPS fetch request to https://crt.sh/?q=${domain}&output=json to get certificate records. Find the most recent valid certificate and return: domain, not_before, not_after, issuer, days_until_expiry (calculated from today). Create a 'ssl_monitor_results' table and store each check result. Build a monitoring dashboard showing all domains with their SSL status, expiry date, and a color-coded health indicator.
Paste this in Lovable chat
1import { serve } from 'https://deno.land/std@0.168.0/http/server.ts'2import { createClient } from 'https://esm.sh/@supabase/supabase-js@2'34const corsHeaders = {5 'Access-Control-Allow-Origin': '*',6 'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',7}89serve(async (req) => {10 if (req.method === 'OPTIONS') {11 return new Response('ok', { headers: corsHeaders })12 }1314 try {15 const url = new URL(req.url)16 const domain = url.searchParams.get('domain')1718 if (!domain) {19 return new Response(20 JSON.stringify({ error: 'Missing domain query parameter' }),21 { status: 400, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }22 )23 }2425 // Query crt.sh certificate transparency log26 const crtResponse = await fetch(27 `https://crt.sh/?q=${encodeURIComponent(domain)}&output=json`,28 { headers: { 'User-Agent': 'Lovable-SSL-Monitor' } }29 )3031 if (!crtResponse.ok) {32 throw new Error(`crt.sh API error: ${crtResponse.status}`)33 }3435 const certs = await crtResponse.json()3637 if (!certs || certs.length === 0) {38 return new Response(39 JSON.stringify({ error: 'No certificates found for domain' }),40 { status: 404, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }41 )42 }4344 // Sort by not_after descending, get most recent45 const sorted = certs.sort((a: any, b: any) =>46 new Date(b.not_after).getTime() - new Date(a.not_after).getTime()47 )48 const latest = sorted[0]4950 const expiryDate = new Date(latest.not_after)51 const now = new Date()52 const daysUntilExpiry = Math.floor(53 (expiryDate.getTime() - now.getTime()) / (1000 * 60 * 60 * 24)54 )5556 const result = {57 domain,58 not_before: latest.not_before,59 not_after: latest.not_after,60 issuer: latest.issuer_name,61 common_name: latest.common_name,62 days_until_expiry: daysUntilExpiry,63 is_valid: daysUntilExpiry > 0,64 is_expiring_soon: daysUntilExpiry <= 30 && daysUntilExpiry > 0,65 checked_at: now.toISOString(),66 }6768 return new Response(69 JSON.stringify(result),70 { headers: { ...corsHeaders, 'Content-Type': 'application/json' } }71 )72 } catch (error) {73 return new Response(74 JSON.stringify({ error: error.message }),75 { status: 500, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }76 )77 }78})Pro tip: crt.sh is a public certificate transparency log — it shows all publicly issued certificates for a domain. This approach works without any API key. Note that it shows certificate issuance records, not live TLS handshake data, so it may show recently expired certificates that have not yet been renewed.
Expected result: The ssl-monitor Edge Function returns certificate expiry data for any given domain. The dashboard shows each domain's SSL status with days remaining and color-coded health indicators. Domains expiring within 30 days are highlighted in orange for proactive action.
Common use cases
Connect a custom domain to Lovable and verify HTTPS is working
When you have a domain like myapp.com and want it to serve your Lovable-published app over HTTPS, the process involves adding a DNS record and connecting the domain in Lovable's Publish settings. Let's Encrypt handles certificate issuance automatically once DNS resolves correctly.
I want to connect my custom domain 'myapp.com' to my Lovable app. Walk me through adding the correct DNS record (CNAME or A record) and connecting it in Lovable's Publish settings. Also explain how to verify that HTTPS is working correctly after the domain connects.
Copy this prompt to try it in Lovable
Monitor SSL certificate expiry across multiple custom domains
Agencies and SaaS companies deploying Lovable apps for multiple clients often need to monitor certificate health across many domains. An Edge Function can check each domain's certificate expiry date via the SSL Labs or crt.sh API and send alerts when a certificate is within 30 days of expiring.
Create a Supabase Edge Function called 'ssl-monitor' that checks the SSL certificate expiry date for a given domain. Accept a 'domain' query parameter. Use the crt.sh API or a TLS inspection approach to get the certificate's not_after date. Return the domain, expiry date, days remaining, and whether it is valid. Then build a dashboard component that checks multiple domains and highlights any expiring within 30 days in orange and expired ones in red.
Copy this prompt to try it in Lovable
Automated SSL health check in a deployment pipeline
After deploying a Lovable app to a custom domain, an automated health check confirms that SSL is correctly configured — the certificate is valid, not expired, and covers the right domain. This check can be triggered as part of a post-deployment workflow.
Build an Edge Function called 'ssl-health-check' that verifies the SSL certificate for a given domain is valid and not expiring within 14 days. Use fetch() to make an HTTPS request to the domain and check if it succeeds without certificate errors. Store the result in a 'deployment_health' Supabase table with domain, check_passed boolean, ssl_valid boolean, expiry_date, and checked_at timestamp.
Copy this prompt to try it in Lovable
Troubleshooting
Custom domain shows 'SSL certificate error' or 'Your connection is not private' in the browser
Cause: The most common cause is that the DNS record has not fully propagated to all DNS resolvers yet, so Let's Encrypt cannot validate the domain ownership and issue the certificate. A secondary cause is the DNS record pointing to the wrong target — check that the CNAME value exactly matches your lovable.app or vercel.app URL.
Solution: Wait 5-30 minutes after adding the DNS record before connecting the domain in Lovable or Vercel. Use a DNS checker tool (like dnschecker.org) to verify your CNAME record is resolving correctly worldwide. If the record looks correct but the certificate is still not provisioning after 1 hour, disconnect and reconnect the domain in Lovable's Publish settings to trigger a new certificate request.
HTTPS works but the page shows a 'Mixed content' warning in the browser
Cause: Your Lovable app is loading over HTTPS but is making requests to HTTP (non-secure) URLs for images, scripts, stylesheets, or API calls. Browsers block or warn about HTTP resources loaded on HTTPS pages.
Solution: Check your React component code and Supabase configuration for any hardcoded http:// URLs. Change all HTTP URLs to HTTPS. If your Supabase URL or any API endpoint uses HTTP, update it to HTTPS. In Lovable, ask the AI: 'Check all fetch calls and external resource URLs in my app and update any that use HTTP to use HTTPS.'
Vercel deployment shows the correct page at the root URL but returns 404 on all other routes
Cause: The Vite + React app uses client-side routing (React Router BrowserRouter), but Vercel is trying to serve each URL as a static file. Without the vercel.json rewrite rule, any URL other than / returns a 404 because no actual file exists at that path.
Solution: Add a vercel.json file to the root of your GitHub repository with the SPA rewrite rule shown in Step 3 of this guide. Redeploy the Vercel project after adding the file. All routes will now be served by index.html and React Router will handle the routing client-side.
1{2 "rewrites": [3 {4 "source": "/(.*)",5 "destination": "/index.html"6 }7 ]8}OAuth social login stops working after adding a custom domain
Cause: OAuth providers (Google, GitHub, etc.) validate that the redirect URL exactly matches one of the configured redirect URIs. When you add a custom domain, the OAuth redirect goes to the new domain, but the redirect URI is still configured for the old lovable.app URL.
Solution: For Supabase Auth: go to your Supabase project → Authentication → URL Configuration. Update the 'Site URL' to your custom domain (https://www.myapp.com) and add it to the 'Redirect URLs' list. For OAuth providers configured externally (Google Cloud Console, GitHub OAuth App): add the new domain's callback URL (e.g., https://www.myapp.com/auth/callback) to the list of authorized redirect URIs.
Best practices
- Always verify HTTPS is working on your custom domain immediately after connecting it — do not wait for users to report SSL errors.
- Use the www subdomain rather than the apex domain as your primary domain when connecting to Lovable or Vercel, as CNAME records are more reliable than A records for dynamic hosting infrastructure.
- Add the vercel.json SPA rewrite rule to every Lovable-generated Vite app deployed to Vercel — without it, page refreshes on any non-root route will return 404.
- Update Supabase Auth redirect URLs to include your custom domain before your users try to log in — OAuth failures on a new domain are confusing and avoidable.
- Monitor certificate expiry for all custom domains proactively using the ssl-monitor Edge Function, especially if you have domains managed by third parties where DNS changes could break auto-renewal.
- Use different Lovable publish environments for staging and production with different custom domains — this lets you test changes on a staging URL before pushing to the production domain.
- Never attempt to manually upload Let's Encrypt certificates to Lovable — the platform manages the entire certificate lifecycle automatically, and manual intervention can interfere with auto-renewal.
- For multi-tenant SaaS apps that provision per-customer subdomains (e.g., customer.myapp.com), use a wildcard DNS record (*.myapp.com) and configure wildcard SSL if your plan supports it.
Alternatives
Trend Micro Cloud One handles broader application and workload security scanning beyond SSL certificates — use it alongside Let's Encrypt for enterprise-grade security posture management.
Aikido is Lovable's native security scanning connector that checks SSL configuration alongside other vulnerability categories as part of automated pen testing.
Docker deployments require configuring your own reverse proxy (nginx, Traefik) with certbot for Let's Encrypt certificate management, unlike Lovable's fully automated approach.
Frequently asked questions
Do I need to do anything to set up SSL on my Lovable app?
No. HTTPS is automatically configured for every Lovable-published app using Let's Encrypt certificates. The default lovable.app subdomain has SSL from the moment you first click Publish. For custom domains on paid plans, SSL is provisioned automatically once you add the correct DNS record and connect the domain in Publish settings.
How often do Lovable's SSL certificates renew?
Let's Encrypt certificates are valid for 90 days and are renewed automatically by Lovable's infrastructure before they expire. You do not need to take any action for renewal. Lovable and Vercel both handle the renewal process transparently — the certificate is replaced before the old one expires, and users never experience any interruption.
Why is my custom domain showing an SSL error when my lovable.app URL works fine?
The SSL certificate for the lovable.app subdomain is pre-provisioned. For a custom domain, Let's Encrypt needs to verify you own the domain by resolving a DNS challenge. If the CNAME record has not propagated or is pointing to the wrong target, Let's Encrypt cannot complete the challenge and no certificate is issued. Check your DNS record is correct and fully propagated, then reconnect the domain in Lovable's Publish settings to retry.
Can I use my own SSL certificate from a different CA instead of Let's Encrypt?
No — Lovable's hosting infrastructure and Vercel both use automatically managed Let's Encrypt certificates and do not support uploading custom certificates from other CAs. This is intentional: it eliminates the manual work and cost of commercial certificates while providing the same cryptographic security. For enterprise deployments requiring a specific CA, you would need to self-host the app behind a reverse proxy you control.
Does adding a custom domain in Lovable also work for the Vercel deployment?
They are separate. Lovable's Publish feature and Vercel are two different hosting platforms. If you publish through Lovable, add the domain in Lovable's Publish settings. If you deploy to Vercel via GitHub, add the domain in Vercel's project dashboard under Settings → Domains. You do not need to configure both unless you are using both platforms for different environments.
Talk to an Expert
Our team has built 600+ apps. Get personalized help with your project.
Book a free consultation