##// END OF EJS Templates
rhodecode-enterprise-docker
RSS
docs(ssl): cleanup example cert files names
super-admin -
Show More
Show file before | Show file after | Hide comments
@@ -1,120 +1,122 b''
1 .. _configuration-of-ssl-certificates:
1 .. _configuration-of-ssl-certificates:
2
2
3 =================================
3 =================================
4 Configuration of SSL Certificates
4 Configuration of SSL Certificates
5 =================================
5 =================================
6
6
7
7
8 In rcstack the router component *can* be responsible for SSL certificates and handling SSL
8 In rcstack the router component *can* be responsible for SSL certificates and handling SSL
9 termination.
9 termination.
10
10
11 rcstack uses traefik project for the router component.
11 rcstack uses traefik project for the router component.
12
12
13 Please see detailed documentation about traefik SSL support here:
13 Please see detailed documentation about traefik SSL support here:
14 https://doc.traefik.io/traefik/https/tls/
14 https://doc.traefik.io/traefik/https/tls/
15
15
16
16
17 Enable file based certificates
17 Enable file based certificates
18 ++++++++++++++++++++++++++++++
18 ++++++++++++++++++++++++++++++
19
19
20 File based certificates should be places inside this :file:`.custom/traefik_custom/dynamic/certs`
20 File based certificates (including self-signed) should be places inside this :file:`.custom/traefik_custom/dynamic/certs`
21 We recommend using standard names for the .crt file (rhodecode-ssl.crt) and .key file (rhodecode-ssl.key).
21
22
22 e.g
23
24 e.g.
23
25
24 .. code-block:: bash
26 .. code-block:: bash
25
27
26 root@Ubuntu-2204 ~/rhodecode_docker # ls -la .custom/traefik_custom/certs/
28 root@Ubuntu-2204 ~/rhodecode_docker # ls -la .custom/traefik_custom/certs/
27 total 416
29 total 416
28 drwxr-xr-x 2 root root 4096 Jan 7 2023 .
30 drwxr-xr-x 2 root root 4096 Jan 7 2023 .
29 drwxr-xr-x 4 501 staff 4096 Jan 22 2023 ..
31 drwxr-xr-x 4 root root 4096 Jan 22 2023 ..
30 -rw-r--r-- 1 root root 411001 Jan 7 2023 rhodecode-com.cert
32 -rw-r--r-- 1 root root 411001 Jan 7 2023 rhodecode-ssl.crt
31 -rw-r--r-- 1 root root 1675 Nov 21 2022 rhodecode-com.key
33 -rw-r--r-- 1 root root 1675 Jan 7 2023 rhodecode-ssl.key
32
34
33 Then those file can be enabled to act as a default certificates used in traefik.
35 Then those file can be enabled to act as a default certificates used in traefik.
34
36
35 In file :file:`.custom/traefik_custom/dynamic/traefik_dynamic_custom.yaml` there a section that defines this:
37 In file :file:`.custom/traefik_custom/dynamic/traefik_dynamic_custom.yaml` there a section that defines this:
36
38
37
39
38 .. code-block:: yaml
40 .. code-block:: yaml
39
41
40 tls:
42 tls:
41 stores:
43 stores:
42 default: {}
44 default: {}
43
45
44 # the below should be used only if acme/letsencrypt is not used, and we want a default file-based SSL certificates
46 # the below should be used only if acme/letsencrypt is not used, and we want a default file-based SSL certificates
45 certificates:
47 certificates:
46 # first certificate in default store
48 # first certificate in default store
47 - certFile: /etc/traefik/certs/rhodecode-com.cert
49 - certFile: /etc/traefik/certs/rhodecode-ssl.crt
48 keyFile: /etc/traefik/certs/rhodecode-com.key
50 keyFile: /etc/traefik/certs/rhodecode-ssl.key
49 stores:
51 stores:
50 - default
52 - default
51
53
52
54
53 Enable lets encrypt automatic certificates
55 Enable lets encrypt automatic certificates
54 ++++++++++++++++++++++++++++++++++++++++++
56 ++++++++++++++++++++++++++++++++++++++++++
55
57
56 In file :file:`.custom/traefik_custom/traefik.yaml`
58 In file :file:`.custom/traefik_custom/traefik.yaml`
57
59
58 There's a commented out section that would enable cert resolver using letsencrypt.
60 There's a commented out section that would enable cert resolver using letsencrypt.
59
61
60
62
61 .. code-block:: yaml
63 .. code-block:: yaml
62
64
63
65
64 entryPoints:
66 entryPoints:
65
67
66 http:
68 http:
67 address: ":80"
69 address: ":80"
68
70
69 https:
71 https:
70 address: ":443"
72 address: ":443"
71 http:
73 http:
72 # default, that uses certificates from tls.certificates config in traefik_dynamic.yaml
74 # default, that uses certificates from tls.certificates config in traefik_dynamic.yaml
73 # Those are regular key+crt file based certificates
75 # Those are regular key+crt file based certificates
74 tls:
76 tls:
75 options: {}
77 options: {}
76 # Enable LE certificate wildcard domain resolver defined above
78 # Enable LE certificate wildcard domain resolver defined above
77 # uncomment this to enable letsencrypt for your domains
79 # uncomment this to enable letsencrypt for your domains
78 certResolver: letsEncryptCertResolver
80 certResolver: letsEncryptCertResolver
79 domains:
81 domains:
80 - main: "*.rhodecode.com"
82 - main: "*.rhodecode.com"
81 sans:
83 sans:
82 - "rhodecode.com"
84 - "rhodecode.com"
83
85
84 This defines the `letsEncryptCertResolver` certResolver, which definition can be found above:
86 This defines the `letsEncryptCertResolver` certResolver, which definition can be found above:
85
87
86 .. code-block:: yaml
88 .. code-block:: yaml
87
89
88 certificatesResolvers:
90 certificatesResolvers:
89 letsEncryptCertResolver:
91 letsEncryptCertResolver:
90 acme:
92 acme:
91 email: admin@rhodecode.com
93 email: admin@rhodecode.com
92 storage: /acme.json
94 storage: /acme.json
93 dnsChallenge:
95 dnsChallenge:
94 # DNS provider used during the challenge
96 # DNS provider used during the challenge
95 # there are multiple providers available see: https://doc.traefik.io/traefik/https/acme/#providers
97 # there are multiple providers available see: https://doc.traefik.io/traefik/https/acme/#providers
96 provider: route53
98 provider: route53
97 delayBeforeCheck: 0
99 delayBeforeCheck: 0
98
100
99 Please check specific docs on traefik for more examples and required configuration for letsencrypt certificate handling
101 Please check specific docs on traefik for more examples and required configuration for letsencrypt certificate handling
100
102
101
103
102
104
103 Troubleshooting
105 Troubleshooting
104 +++++++++++++++
106 +++++++++++++++
105
107
106 In both cases when there are some issues with SSL certificates, especially with the Letsencrypt ones.
108 In both cases when there are some issues with SSL certificates, especially with the Letsencrypt ones.
107 All logs and errors related to the ssl certificates would be printed to the traefik logs.
109 All logs and errors related to the ssl certificates would be printed to the traefik logs.
108
110
109 here's how to view traefik logs with tail options and trim the results to just one last hour
111 here's how to view traefik logs with tail options and trim the results to just one last hour
110
112
111
113
112 .. code-block:: bash
114 .. code-block:: bash
113
115
114 ./rcstack stack router logs --follow --since=1h
116 ./rcstack stack router logs --follow --since=1h
115
117
116
118
117 In case of letsencrypt the typical problems that happen are:
119 In case of letsencrypt the typical problems that happen are:
118
120
119 - acme directory permissions (installer should handle that, but still it's important to make sure the acme storage has the right permissions)
121 - acme directory permissions (installer should handle that, but still it's important to make sure the acme storage has the right permissions)
120 - acme certificates credentials missing. In many cases using DNS acme resolver it's important to make sure all credentials are correct in order to generate a proper certificate No newline at end of file
122 - acme certificates credentials missing. In many cases using DNS acme resolver it's important to make sure all credentials are correct in order to generate a proper certificate
General Comments 0
You need to be logged in to leave comments. Login now