torrust
diff --git a/‎docs/issues/272-add-https-support-with-caddy.md‎
Lines changed: 6 additions & 6 deletions b/‎docs/issues/272-add-https-support-with-caddy.md‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎src/application/command_handlers/create/config/tracker/health_check_api_section.rs‎
Lines changed: 73 additions & 1 deletion b/‎src/application/command_handlers/create/config/tracker/health_check_api_section.rs‎
Lines changed: 73 additions & 1 deletion
diff --git a/‎src/application/command_handlers/show/info/tracker.rs‎
Lines changed: 31 additions & 6 deletions b/‎src/application/command_handlers/show/info/tracker.rs‎
Lines changed: 31 additions & 6 deletions
diff --git a/‎src/application/steps/rendering/caddy_templates.rs‎
Lines changed: 6 additions & 0 deletions b/‎src/application/steps/rendering/caddy_templates.rs‎
Lines changed: 6 additions & 0 deletions
@@ -1048,7 +1048,7 @@ add the following to your /etc/hosts file:
 Internal ports (1212, 7070, 7071, 3000) are not directly accessible when TLS is enabled.
 ```
 
-#### 7.3: Add TLS Support for Health Check API
+#### 7.3: Add TLS Support for Health Check API ✅ COMPLETE
 
 **Current State**: The health check API (`health_check_api`) doesn't support TLS configuration like other HTTP services (HTTP trackers, Tracker API, Grafana).
 
@@ -1073,11 +1073,11 @@ Internal ports (1212, 7070, 7071, 3000) are not directly accessible when TLS is
 
 **Implementation Scope**:
 
-- [ ] Add `tls: Option<TlsConfig>` to health check API domain model
-- [ ] Add `tls: Option<TlsConfig>` to health check API DTOs
-- [ ] Update Caddyfile template to include health check when TLS is configured
-- [ ] Update show command to display HTTPS URL when health check has TLS
-- [ ] Update test command to use HTTPS for health check when TLS is configured
+- [x] Add `tls: Option<TlsConfig>` to health check API domain model
+- [x] Add `tls: Option<TlsConfig>` to health check API DTOs
+- [x] Update Caddyfile template to include health check when TLS is configured
+- [x] Update show command to display HTTPS URL when health check has TLS
+- [ ] Update test command to use HTTPS for health check when TLS is configured (deferred to 7.1)
 
 > **Note**: JSON schema regeneration deferred to Phase 8.
 
 
@@ -4,11 +4,22 @@ use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 
 use crate::application::command_handlers::create::config::errors::CreateConfigError;
+use crate::application::command_handlers::create::config::https::TlsSection;
+use crate::domain::tls::TlsConfig;
 use crate::domain::tracker::HealthCheckApiConfig;
+use crate::shared::DomainName;
 
 #[derive(Debug, Clone, Serialize, Deserialize, PartialEq, JsonSchema)]
 pub struct HealthCheckApiSection {
     pub bind_address: String,
+
+    /// Optional TLS configuration for HTTPS
+    ///
+    /// When present, this service will be proxied through Caddy with HTTPS enabled.
+    /// The domain specified will be used for Let's Encrypt certificate acquisition.
+    /// This is useful for exposing health checks to external monitoring systems.
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub tls: Option<TlsSection>,
 }
 
 impl HealthCheckApiSection {
@@ -18,6 +29,7 @@ impl HealthCheckApiSection {
     ///
     /// Returns `CreateConfigError::InvalidBindAddress` if the bind address cannot be parsed as a valid IP:PORT combination.
     /// Returns `CreateConfigError::DynamicPortNotSupported` if port 0 (dynamic port assignment) is specified.
+    /// Returns `CreateConfigError::InvalidDomain` if the TLS domain is invalid.
     pub fn to_health_check_api_config(&self) -> Result<HealthCheckApiConfig, CreateConfigError> {
         // Validate that the bind address can be parsed as SocketAddr
         let bind_address = self.bind_address.parse::<SocketAddr>().map_err(|e| {
@@ -34,14 +46,30 @@ impl HealthCheckApiSection {
             });
         }
 
-        Ok(HealthCheckApiConfig { bind_address })
+        // Convert TLS section to domain type with validation
+        let tls = match &self.tls {
+            Some(tls_section) => {
+                tls_section.validate()?;
+                let domain = DomainName::new(&tls_section.domain).map_err(|e| {
+                    CreateConfigError::InvalidDomain {
+                        domain: tls_section.domain.clone(),
+                        reason: e.to_string(),
+                    }
+                })?;
+                Some(TlsConfig::new(domain))
+            }
+            None => None,
+        };
+
+        Ok(HealthCheckApiConfig { bind_address, tls })
     }
 }
 
 impl Default for HealthCheckApiSection {
     fn default() -> Self {
         Self {
             bind_address: "127.0.0.1:1313".to_string(),
+            tls: None,
         }
     }
 }
@@ -54,6 +82,7 @@ mod tests {
     fn it_should_convert_to_domain_config_when_bind_address_is_valid() {
         let section = HealthCheckApiSection {
             bind_address: "127.0.0.1:1313".to_string(),
+            tls: None,
         };
 
         let config = section.to_health_check_api_config().unwrap();
@@ -62,12 +91,33 @@ mod tests {
             config.bind_address,
             "127.0.0.1:1313".parse::<SocketAddr>().unwrap()
         );
+        assert!(config.tls.is_none());
+    }
+
+    #[test]
+    fn it_should_convert_to_domain_config_with_tls() {
+        let section = HealthCheckApiSection {
+            bind_address: "0.0.0.0:1313".to_string(),
+            tls: Some(TlsSection {
+                domain: "health.tracker.local".to_string(),
+            }),
+        };
+
+        let config = section.to_health_check_api_config().unwrap();
+
+        assert_eq!(
+            config.bind_address,
+            "0.0.0.0:1313".parse::<SocketAddr>().unwrap()
+        );
+        assert!(config.tls.is_some());
+        assert_eq!(config.tls_domain(), Some("health.tracker.local"));
     }
 
     #[test]
     fn it_should_fail_when_bind_address_is_invalid() {
         let section = HealthCheckApiSection {
             bind_address: "invalid".to_string(),
+            tls: None,
         };
 
         let result = section.to_health_check_api_config();
@@ -83,6 +133,7 @@ mod tests {
     fn it_should_reject_dynamic_port_assignment() {
         let section = HealthCheckApiSection {
             bind_address: "0.0.0.0:0".to_string(),
+            tls: None,
         };
 
         let result = section.to_health_check_api_config();
@@ -98,6 +149,7 @@ mod tests {
     fn it_should_allow_ipv6_addresses() {
         let section = HealthCheckApiSection {
             bind_address: "[::1]:1313".to_string(),
+            tls: None,
         };
 
         let result = section.to_health_check_api_config();
@@ -109,6 +161,7 @@ mod tests {
     fn it_should_allow_any_port_except_zero() {
         let section = HealthCheckApiSection {
             bind_address: "127.0.0.1:8080".to_string(),
+            tls: None,
         };
 
         let result = section.to_health_check_api_config();
@@ -121,5 +174,24 @@ mod tests {
         let section = HealthCheckApiSection::default();
 
         assert_eq!(section.bind_address, "127.0.0.1:1313");
+        assert!(section.tls.is_none());
+    }
+
+    #[test]
+    fn it_should_fail_when_tls_domain_is_invalid() {
+        let section = HealthCheckApiSection {
+            bind_address: "0.0.0.0:1313".to_string(),
+            tls: Some(TlsSection {
+                domain: "invalid domain with spaces".to_string(),
+            }),
+        };
+
+        let result = section.to_health_check_api_config();
+
+        assert!(result.is_err());
+        assert!(matches!(
+            result.unwrap_err(),
+            CreateConfigError::InvalidDomain { .. }
+        ));
     }
 }
@@ -29,9 +29,12 @@ pub struct ServiceInfo {
     /// Whether the API endpoint uses HTTPS via Caddy
     pub api_uses_https: bool,
 
-    /// Health check API URL (e.g., `http://10.0.0.1:1313/health_check`)
+    /// Health check API URL (e.g., `http://10.0.0.1:1313/health_check` or `https://health.tracker.local/health_check`)
     pub health_check_url: String,
 
+    /// Whether the health check endpoint uses HTTPS via Caddy
+    pub health_check_uses_https: bool,
+
     /// Domains configured for TLS services (for /etc/hosts hint)
     pub tls_domains: Vec<TlsDomainInfo>,
 }
@@ -59,13 +62,15 @@ impl TlsDomainInfo {
 impl ServiceInfo {
     /// Create a new `ServiceInfo`
     #[must_use]
+    #[allow(clippy::too_many_arguments)]
     pub fn new(
         udp_trackers: Vec<String>,
         https_http_trackers: Vec<String>,
         direct_http_trackers: Vec<String>,
         api_endpoint: String,
         api_uses_https: bool,
         health_check_url: String,
+        health_check_uses_https: bool,
         tls_domains: Vec<TlsDomainInfo>,
     ) -> Self {
         Self {
@@ -75,6 +80,7 @@ impl ServiceInfo {
             api_endpoint,
             api_uses_https,
             health_check_url,
+            health_check_uses_https,
             tls_domains,
         }
     }
@@ -153,11 +159,24 @@ impl ServiceInfo {
             }
         }
 
-        let health_check_url = format!(
-            "http://{}:{}/health_check", // DevSkim: ignore DS137138
-            instance_ip,
-            tracker_config.health_check_api.bind_address.port()
-        );
+        // Build health check URL based on TLS configuration
+        let (health_check_url, health_check_uses_https) =
+            if let Some(tls) = &tracker_config.health_check_api.tls {
+                tls_domains.push(TlsDomainInfo {
+                    domain: tls.domain().to_string(),
+                    internal_port: tracker_config.health_check_api.bind_address.port(),
+                });
+                (format!("https://{}/health_check", tls.domain()), true)
+            } else {
+                (
+                    format!(
+                        "http://{}:{}/health_check", // DevSkim: ignore DS137138
+                        instance_ip,
+                        tracker_config.health_check_api.bind_address.port()
+                    ),
+                    false,
+                )
+            };
 
         Self::new(
             udp_trackers,
@@ -166,6 +185,7 @@ impl ServiceInfo {
             api_endpoint,
             api_uses_https,
             health_check_url,
+            health_check_uses_https,
             tls_domains,
         )
     }
@@ -210,6 +230,7 @@ impl ServiceInfo {
             api_endpoint,
             false, // Legacy endpoints don't have TLS info
             health_check_url,
+            false,      // Legacy endpoints don't have health check TLS info
             Vec::new(), // No TLS domains from legacy endpoints
         )
     }
@@ -246,6 +267,7 @@ mod tests {
             "http://10.0.0.1:1212/api".to_string(),            // DevSkim: ignore DS137138
             false,
             "http://10.0.0.1:1313/health_check".to_string(), // DevSkim: ignore DS137138
+            false,                                           // Health check doesn't use HTTPS
             vec![TlsDomainInfo {
                 domain: "http1.tracker.local".to_string(),
                 internal_port: 7070,
@@ -270,6 +292,7 @@ mod tests {
             "https://api.tracker.local/api".to_string(),
             true,
             "http://10.0.0.1:1313/health_check".to_string(), // DevSkim: ignore DS137138
+            false,                                           // Health check doesn't use HTTPS
             vec![
                 TlsDomainInfo {
                     domain: "api.tracker.local".to_string(),
@@ -297,6 +320,7 @@ mod tests {
             "https://api.tracker.local/api".to_string(),
             true,
             String::new(),
+            false, // Health check doesn't use HTTPS
             vec![
                 TlsDomainInfo {
                     domain: "api.tracker.local".to_string(),
@@ -324,6 +348,7 @@ mod tests {
             "http://10.0.0.1:1212/api".to_string(),            // DevSkim: ignore DS137138
             false,
             "http://10.0.0.1:1313/health_check".to_string(), // DevSkim: ignore DS137138
+            false,                                           // Health check doesn't use HTTPS
             vec![],
         );
 
 
@@ -172,6 +172,12 @@ impl<S> RenderCaddyTemplatesStep<S> {
             context = context.with_http_tracker(CaddyService::new(domain, port));
         }
 
+        // Add Health Check API if TLS configured
+        if let Some(tls_domain) = tracker.health_check_api_tls_domain() {
+            let port = tracker.health_check_api_port();
+            context = context.with_health_check_api(CaddyService::new(tls_domain, port));
+        }
+
         // Add Grafana if TLS configured
         if let Some(ref grafana) = user_inputs.grafana {
             if let Some(tls_domain) = grafana.tls_domain() {