ssl-certificates.rst
142 lines
| 4.5 KiB
| text/x-rst
|
RstLexer
| r304 | .. _configuration-of-ssl-certificates: | ||
| ================================= | |||
| Configuration of SSL Certificates | |||
| ================================= | |||
| In rcstack the router component *can* be responsible for SSL certificates and handling SSL | |||
| termination. | |||
| rcstack uses traefik project for the router component. | |||
| Please see detailed documentation about traefik SSL support here: | |||
| https://doc.traefik.io/traefik/https/tls/ | |||
| r334 | Enable custom traefik config | ||
| ++++++++++++++++++++++++++++ | |||
| By default the shared :file:`.custom/traefik_custom/` directory is not mount into traefik. We need to enable this first, | |||
| before enabling any of the below SSL certificates. | |||
| In the file :file:`.custom/docker-compose-router.override.yaml` uncomment the two binds that would override defaults | |||
| and allow custom code from the `.custom` directory | |||
| .. code-block:: yaml | |||
| traefik: | |||
| volumes: | |||
| # ... other items here ... | |||
| # THESE TWO NEEDS TO BE UNCOMMENTED | |||
| - $PWD/.custom/traefik_custom:/etc/traefik:ro | |||
| - $PWD/.custom/traefik_custom/dynamic:/etc/traefik_dynamic:ro | |||
| r304 | Enable file based certificates | ||
| ++++++++++++++++++++++++++++++ | |||
| r333 | File based certificates (including self-signed) should be places inside this :file:`.custom/traefik_custom/dynamic/certs` | ||
| We recommend using standard names for the .crt file (rhodecode-ssl.crt) and .key file (rhodecode-ssl.key). | |||
| r304 | |||
| r333 | e.g. | ||
| r304 | |||
| .. code-block:: bash | |||
| root@Ubuntu-2204 ~/rhodecode_docker # ls -la .custom/traefik_custom/certs/ | |||
| total 416 | |||
| drwxr-xr-x 2 root root 4096 Jan 7 2023 . | |||
| r333 | drwxr-xr-x 4 root root 4096 Jan 22 2023 .. | ||
| -rw-r--r-- 1 root root 411001 Jan 7 2023 rhodecode-ssl.crt | |||
| -rw-r--r-- 1 root root 1675 Jan 7 2023 rhodecode-ssl.key | |||
| r304 | |||
| Then those file can be enabled to act as a default certificates used in traefik. | |||
| In file :file:`.custom/traefik_custom/dynamic/traefik_dynamic_custom.yaml` there a section that defines this: | |||
| .. code-block:: yaml | |||
| tls: | |||
| stores: | |||
| default: {} | |||
| # the below should be used only if acme/letsencrypt is not used, and we want a default file-based SSL certificates | |||
| certificates: | |||
| # first certificate in default store | |||
| r333 | - certFile: /etc/traefik/certs/rhodecode-ssl.crt | ||
| keyFile: /etc/traefik/certs/rhodecode-ssl.key | |||
| r304 | stores: | ||
| - default | |||
| Enable lets encrypt automatic certificates | |||
| ++++++++++++++++++++++++++++++++++++++++++ | |||
| In file :file:`.custom/traefik_custom/traefik.yaml` | |||
| There's a commented out section that would enable cert resolver using letsencrypt. | |||
| .. code-block:: yaml | |||
| entryPoints: | |||
| http: | |||
| address: ":80" | |||
| https: | |||
| address: ":443" | |||
| http: | |||
| # default, that uses certificates from tls.certificates config in traefik_dynamic.yaml | |||
| # Those are regular key+crt file based certificates | |||
| tls: | |||
| options: {} | |||
| # Enable LE certificate wildcard domain resolver defined above | |||
| # uncomment this to enable letsencrypt for your domains | |||
| certResolver: letsEncryptCertResolver | |||
| domains: | |||
| - main: "*.rhodecode.com" | |||
| sans: | |||
| - "rhodecode.com" | |||
| This defines the `letsEncryptCertResolver` certResolver, which definition can be found above: | |||
| .. code-block:: yaml | |||
| certificatesResolvers: | |||
| letsEncryptCertResolver: | |||
| acme: | |||
| email: admin@rhodecode.com | |||
| r385 | storage: /acme/acme.json | ||
| r304 | dnsChallenge: | ||
| # DNS provider used during the challenge | |||
| # there are multiple providers available see: https://doc.traefik.io/traefik/https/acme/#providers | |||
| provider: route53 | |||
| delayBeforeCheck: 0 | |||
| r317 | Please check specific docs on traefik for more examples and required configuration for letsencrypt certificate handling | ||
| Troubleshooting | |||
| +++++++++++++++ | |||
| In both cases when there are some issues with SSL certificates, especially with the Letsencrypt ones. | |||
| All logs and errors related to the ssl certificates would be printed to the traefik logs. | |||
| here's how to view traefik logs with tail options and trim the results to just one last hour | |||
| .. code-block:: bash | |||
| ./rcstack stack router logs --follow --since=1h | |||
| In case of letsencrypt the typical problems that happen are: | |||
| - acme directory permissions (installer should handle that, but still it's important to make sure the acme storage has the right permissions) | |||
| - acme certificates credentials missing. In many cases using DNS acme resolver it's important to make sure all credentials are correct in order to generate a proper certificate |
