Configuring mTLS for privately hosted GitHub with VCS agents
Last updated: September 16, 2025
If you're using a privately hosted GitHub instance that requires mutual TLS (mTLS) authentication and is not accessible via the internet, you'll need to use Spacelift's VCS agents with additional configuration.
Prerequisites
You must use VCS agents for privately hosted VCS providers that are not accessible from the internet.
Setting up mTLS with VCS agents
Since VCS agents don't natively support --client-cert or --client-key flags, you'll need to implement a workaround using a local proxy:
1. Generate your certificate and key - Create the mTLS certificate and private key required by your GitHub instance.
2. Set up a local mTLS proxy - Deploy an NGINX proxy in front of your VCS agent that handles the mTLS authentication with your GitHub server.
3. Configure the VCS agent - Point your Spacelift VCS agent to connect through the local proxy instead of directly to GitHub.
4. Trust custom CA (optional) - If your Git server uses a custom certificate authority, configure the VCS agent to trust it.
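The proxy from the steps above as a single NGINX configuration, added here as an example and not taken from Spacelift's own documentation. The hostname github.internal.example, the file paths under /etc/nginx/mtls/ and the listener port 8080 are assumed placeholders; here the custom CA is trusted by the proxy, which is the component that terminates TLS towards GitHub.

```nginx
# Added example: local mTLS proxy between the VCS agent and a private GitHub.
# Assumed placeholders: github.internal.example, /etc/nginx/mtls/*, port 8080.
events {}

http {
    upstream github_private {
        server github.internal.example:443;
        keepalive 8;                      # reuse TLS sessions to the upstream
    }

    server {
        # Loopback only. Anything that can reach this port gets to use the
        # client certificate, so never bind it to 0.0.0.0 or a routable IP.
        listen 127.0.0.1:8080;

        # NGINX rejects request bodies over 1 MB by default; 0 disables the check.
        client_max_body_size 0;

        location / {
            proxy_pass https://github_private;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            # With an upstream block, Host and SNI default to "github_private",
            # so both are set explicitly to the real server name.
            proxy_set_header Host github.internal.example;
            proxy_ssl_server_name on;
            proxy_ssl_name github.internal.example;

            # Client half of mTLS: the certificate and key from step 1.
            proxy_ssl_certificate     /etc/nginx/mtls/client.crt;
            proxy_ssl_certificate_key /etc/nginx/mtls/client.key;

            # Server half: proxy_ssl_verify is off by default, which would leave
            # the GitHub server's certificate unchecked. Turn it on and pin the CA.
            proxy_ssl_verify              on;
            proxy_ssl_verify_depth        2;
            proxy_ssl_trusted_certificate /etc/nginx/mtls/github-ca.pem;
            proxy_ssl_protocols           TLSv1.2 TLSv1.3;

            # Stream requests and responses instead of spooling them to disk.
            proxy_request_buffering off;
            proxy_buffering         off;
            proxy_read_timeout      300s;
        }
    }
}
```

Point the VCS agent at http://127.0.0.1:8080 and run it on the same host (or in the same network namespace) as NGINX, since that hop is plain HTTP. Keep client.key readable only by the account NGINX runs as.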
Alternative solution
If you need native mTLS support in VCS agents, you can submit a feature request at https://feedback.spacelift.io/ to have this functionality added to the product.
This proxy-based approach allows you to maintain secure mTLS connections to your privately hosted GitHub while using Spacelift's VCS agent functionality.