Hard rules (do not improvise these)
- The URL path must match Tesla’s required .well-known path exactly.
- The PEM endpoint must return 200 OK, not a redirect.
- The response body must be raw PEM (no HTML, no login page, no CDN error document).
- Do not put the PEM behind auth.
Verification commands (copy/paste)
1) Check status + redirects
curl -I https://YOUR_DOMAIN/.well-known/.../com.tesla.3p.public-key.pem
2) Confirm the first line is PEM
curl -s https://YOUR_DOMAIN/.well-known/.../com.tesla.3p.public-key.pem | head
What you want to see: a 200 OK and the PEM begins with
-----BEGIN PUBLIC KEY-----
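The two checks above, wrapped into one pass/fail script. This is an added example, not from the original page; it assumes the full PEM URL is passed as the first argument (the exact .well-known path is whatever Tesla requires and is not hard-coded here).

```shell
#!/bin/sh
# Added verification helper, not part of the original page. Usage:
#   sh check_pem.sh https://YOUR_DOMAIN/.well-known/.../com.tesla.3p.public-key.pem

# pem_body_ok BODY: succeeds only if the body is a raw PEM public key
# (first line is the BEGIN marker, END marker present), so an HTML
# index page, a login page or a CDN error document fails.
# A stray CR from CRLF line endings is stripped before comparing.
pem_body_ok() {
    first=$(printf '%s\n' "$1" | head -n 1 | tr -d '\r')
    [ "$first" = "-----BEGIN PUBLIC KEY-----" ] || return 1
    printf '%s\n' "$1" | grep -q -F -- '-----END PUBLIC KEY-----'
}

# status_ok CODE: succeeds only for exactly 200. The fetch below runs curl
# without -L, so a 301/308 trailing-slash redirect is reported as a failure
# here instead of being silently followed.
status_ok() {
    [ "$1" = "200" ]
}

# check_pem_url URL: one GET for the status, one for the body, then both
# checks. If openssl is installed, also confirm the PEM parses as a public key.
check_pem_url() {
    url=$1
    status=$(curl -s -o /dev/null -w '%{http_code}' "$url") || return 1
    status_ok "$status" || { echo "FAIL: HTTP $status (expected 200, no redirect)"; return 1; }
    body=$(curl -s "$url") || return 1
    pem_body_ok "$body" || { echo "FAIL: body is not a raw PEM public key"; return 1; }
    if command -v openssl >/dev/null 2>&1; then
        printf '%s\n' "$body" | openssl pkey -pubin -noout 2>/dev/null \
            || { echo "FAIL: PEM present but does not parse as a public key"; return 1; }
    fi
    echo "OK: $url returns 200 and a valid PEM public key"
}

# Only touch the network when a URL is given on the command line.
if [ $# -ge 1 ]; then
    check_pem_url "$1"
fi
```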
Caddy tips (what usually breaks PEM hosting)
- Make sure your /.well-known/* handler is above marketing redirects.
- Don’t run well-known through templating; serve it as a static file.
- If you use Cloudflare, set the DNS records for this hostname to DNS only (not proxied) while debugging, so you are testing your origin and not the CDN.
Common failure patterns
- 308/301 to add a trailing slash → Tesla verification fails.
- 200 OK but response is HTML (your SPA index.html) → must be raw PEM file.
- 403 from WAF → disable protection for the PEM path.
- Cached bad content from CDN → purge cache and re-test with curl.